Add GenericContainer security options API (#1226)

cristianrgreco · web-flow · commit f349b9cab2ad · 2026-02-17T14:59:20.000Z
diff --git a/docs/features/containers.md b/docs/features/containers.md
@@ -245,6 +245,16 @@ const container = await new GenericContainer("alpine")
   .start();
 ```
 
+### With security options
+
+See [Security options](https://docs.docker.com/engine/reference/run/#security-configuration).
+
+```js
+const container = await new GenericContainer("alpine")
+  .withSecurityOpt("no-new-privileges")
+  .start();
+```
+
 ### With added capabilities
 
 See [capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html).
diff --git a/packages/testcontainers/src/generic-container/generic-container.test.ts b/packages/testcontainers/src/generic-container/generic-container.test.ts
@@ -271,6 +271,16 @@ describe("GenericContainer", { timeout: 180_000 }, () => {
     });
   }
 
+  it("should set security options", async () => {
+    await using container = await new GenericContainer("cristianrgreco/testcontainer:1.1.14")
+      .withSecurityOpt("no-new-privileges")
+      .withExposedPorts(8080)
+      .start();
+
+    const { output } = await container.exec(["sh", "-c", "awk '/^NoNewPrivs:/ { print $2 }' /proc/1/status"]);
+    expect(output.trim()).toBe("1");
+  });
+
   it("should add capabilities", async () => {
     await using container = await new GenericContainer("cristianrgreco/testcontainer:1.1.14")
       .withAddedCapabilities("IPC_LOCK")
diff --git a/packages/testcontainers/src/generic-container/generic-container.ts b/packages/testcontainers/src/generic-container/generic-container.ts
@@ -328,6 +328,11 @@ export class GenericContainer implements TestContainer {
     return this;
   }
 
+  public withSecurityOpt(...securityOptions: string[]): this {
+    this.hostConfig.SecurityOpt = [...(this.hostConfig.SecurityOpt ?? []), ...securityOptions];
+    return this;
+  }
+
   public withAddedCapabilities(...capabilities: string[]): this {
     this.hostConfig.CapAdd = [...(this.hostConfig.CapAdd ?? []), ...capabilities];
     return this;
diff --git a/packages/testcontainers/src/test-container.ts b/packages/testcontainers/src/test-container.ts
@@ -27,6 +27,7 @@ export interface TestContainer {
   withEntrypoint(entrypoint: string[]): this;
   withTmpFs(tmpFs: TmpFs): this;
   withUlimits(ulimits: Ulimits): this;
+  withSecurityOpt(...securityOptions: string[]): this;
   withAddedCapabilities(...capabilities: string[]): this;
   withDroppedCapabilities(...capabilities: string[]): this;
   withExposedPorts(...ports: PortWithOptionalBinding[]): this;
