NVIDIA_DRIVER_CAPABILITIES=all exposes more driver surface than most workloads need; prefer a minimal capability set.
Description
DetectsENV NVIDIA_DRIVER_CAPABILITIES=all in Dockerfiles. The all capability set mounts every
NVIDIA driver library and binary into the container, but most ML and CUDA workloads only need
compute,utility (NVIDIA’s documented default). A smaller set follows the principle of least
privilege and avoids potential compatibility issues.
Why this matters
- Least privilege —
allexposes driver capabilities (graphics,video,display,compat32) that most inference and training workloads never use - Compatibility — mounting unnecessary driver components can surface driver/library version conflicts in environments where the host driver differs from what the image expects
- Clarity — explicitly listing needed capabilities documents the workload’s actual requirements
What is flagged
Examples
Violation
No violation
Auto-fix behavior
The rule offers aFixSuggestion (applied with --fix --fix-unsafe): replaces all with
compute,utility. This is safe for most ML/CUDA workloads but may break workloads that genuinely
need graphics, video, or display capabilities — review before accepting.
For multi-key ENV instructions, only the NVIDIA_DRIVER_CAPABILITIES value is replaced; other
keys are preserved.