Skip to main content
NVIDIA_DRIVER_CAPABILITIES=all exposes more driver surface than most workloads need; prefer a minimal capability set.

Description

Detects ENV NVIDIA_DRIVER_CAPABILITIES=all in Dockerfiles. The all capability set mounts every NVIDIA driver library and binary into the container, but most ML and CUDA workloads only need compute,utility (NVIDIA’s documented default). A smaller set follows the principle of least privilege and avoids potential compatibility issues.

Why this matters

  • Least privilegeall exposes driver capabilities (graphics, video, display, compat32) that most inference and training workloads never use
  • Compatibility — mounting unnecessary driver components can surface driver/library version conflicts in environments where the host driver differs from what the image expects
  • Clarity — explicitly listing needed capabilities documents the workload’s actual requirements

What is flagged

Examples

Violation

No violation

Auto-fix behavior

The rule offers a FixSuggestion (applied with --fix --fix-unsafe): replaces all with compute,utility. This is safe for most ML/CUDA workloads but may break workloads that genuinely need graphics, video, or display capabilities — review before accepting. For multi-key ENV instructions, only the NVIDIA_DRIVER_CAPABILITIES value is replaced; other keys are preserved.

Configuration

This rule has no rule-specific options.

References