
Docker Compose

DockerCompose Queries List

This page contains all queries from DockerCompose.

| Query | ID | Severity | Category | Description | Help |
|---|---|---|---|---|---|
| Volume Mounted In Multiple Containers | baa452f0-1f21-4a25-ace5-844e7a5f410d | High | Build Process | Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave'. | Documentation |
| Volume Has Sensitive Host Directory | 1c1325ff-831d-43a1-973e-839ae57dfcc0 | High | Build Process | Container has a sensitive host directory mounted as a volume. | Documentation |
| Docker Socket Mounted In Container | d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b | High | Build Process | The host's Docker socket docker.sock should not be mounted into the container. If the Docker socket is mounted, it allows the container's processes to execute Docker commands. | Documentation |
| No New Privileges Not Set | 27fcc7d6-c49b-46e0-98f1-6c082a6a2750 | High | Resource Management | Ensuring the process does not gain any new privileges lessens the risk associated with many operations. | Documentation |
| Privileged Containers Enabled | ae5b6871-7f45-42e0-bb4c-ab300c4d2026 | High | Resource Management | Privileged containers should be used with extreme caution; they have all of the capabilities that the Linux kernel offers to Docker. | Documentation |
| Healthcheck Not Set | 698ed579-b239-4f8f-a388-baa4bcb13ef8 | Medium | Availability | Check containers periodically to see if they are running properly. | Documentation |
| Restart Policy On Failure Not Set To 5 | 2fc99041-ddad-49d5-853f-e35e70a48391 | Medium | Build Process | Attribute 'restart: on-failure' should be set to 5. Restart policies in general should be used, and 5 retries is the number recommended by CIS. | Documentation |
| Cgroup Not Default | 4d9f44c6-2f4a-4317-9bb5-267adbea0232 | Medium | Build Process | Control groups restrict the access that processes and containers have to system resources such as CPU, RAM, IOPS and network. A badly configured cgroup may prove to be a security fault. | Documentation |
| Container Traffic Not Bound To Host Interface | 451d79dc-0588-476a-ad03-3c7f0320abb3 | Medium | Networking and Firewall | Incoming container traffic should be bound to a specific host interface. | Documentation |
| Privileged Ports Mapped In Container | bc2908f3-f73c-40a9-8793-c1b7d5544f79 | Medium | Networking and Firewall | Privileged ports (1 to 1023) should not be mapped. You should also drop the net_bind_service Linux capability from the container unless you absolutely need to use privileged ports. | Documentation |
| Shared Host Network Namespace | 071a71ff-f868-47a4-ac0b-3c59e4ab5443 | Medium | Networking and Firewall | Container should not share the host network namespace. | Documentation |
| Networks Not Set | ce14a68b-1668-41a0-ab7d-facd9f784742 | Medium | Networking and Firewall | Setting networks in services ensures you are not using Docker's default bridge (docker0), which shares traffic between all containers. | Documentation |
| Shared Host User Namespace | 8af7162d-6c98-482f-868e-0d33fb675ca8 | Medium | Resource Management | The host's user namespace should not be shared. | Documentation |
| Memory Not Limited | bb9ac4f7-e13b-423d-a010-c74a1bfbe492 | Medium | Resource Management | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume no more than the designated amount of memory. | Documentation |
| Security Opt Not Set | 610e266e-6c12-4bca-9925-1ed0cd29742b | Medium | Resource Management | Attribute 'security_opt' should be defined. | Documentation |
| Host Namespace is Shared | 4f31dd9f-2cc3-4751-9b53-67e4af83dac0 | Medium | Resource Management | The host's process namespace should not be shared by containers. | Documentation |
| Shared Host IPC Namespace | baa3890f-bed7-46f5-ab8f-1da8fc91c729 | Medium | Resource Management | The host IPC namespace should not be shared. | Documentation |
| Pids Limit Not Set | 221e0658-cb2a-44e3-b08a-db96a341d6fa | Medium | Resource Management | 'pids_limit' should be set and different from -1. | Documentation |
| Default Seccomp Profile Disabled | 404fde2c-bc4b-4371-9747-7054132ac953 | Medium | Resource Management | Seccomp offers a whitelist of common system calls, blocking all others. Exposing less of the kernel to an application increases security. | Documentation |
| Container Capabilities Unrestricted | ce76b7d0-9e77-464d-b86f-c5c48e03e22d | Low | Resource Management | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs, and drop unnecessary capabilities as well. | Documentation |
| Cpus Not Limited | 6b610c50-99fb-4ef0-a5f3-e312fd945bc3 | Low | Resource Management | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests. | Documentation |