Docker Compose
DockerCompose Queries List
This page contains all queries from DockerCompose.
Query | Severity | Category | Description | Help
---|---|---|---|---
Volume Mounted In Multiple Containers (baa452f0-1f21-4a25-ace5-844e7a5f410d) | High | Build Process | Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave'. | Documentation
Volume Has Sensitive Host Directory (1c1325ff-831d-43a1-973e-839ae57dfcc0) | High | Build Process | Container has a sensitive host directory mounted as a volume. | Documentation
Docker Socket Mounted In Container (d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b) | High | Build Process | The Docker socket docker.sock should not be mounted from the host. If the Docker socket is mounted, it can allow the container's processes to execute Docker commands. | Documentation
No New Privileges Not Set (27fcc7d6-c49b-46e0-98f1-6c082a6a2750) | High | Resource Management | Ensuring the process does not gain any new privileges lessens the risk associated with many operations. | Documentation
Privileged Containers Enabled (ae5b6871-7f45-42e0-bb4c-ab300c4d2026) | High | Resource Management | Privileged containers should be used with extreme caution; they have all of the capabilities that the Linux kernel offers to Docker. | Documentation
Healthcheck Not Set (698ed579-b239-4f8f-a388-baa4bcb13ef8) | Medium | Availability | Check containers periodically to see if they are running properly. | Documentation
Restart Policy On Failure Not Set To 5 (2fc99041-ddad-49d5-853f-e35e70a48391) | Medium | Build Process | Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used, and 5 retries is the number recommended by CIS. | Documentation
Cgroup Not Default (4d9f44c6-2f4a-4317-9bb5-267adbea0232) | Medium | Build Process | Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. A poorly configured cgroup may prove to be a security fault. | Documentation
Container Traffic Not Bound To Host Interface (451d79dc-0588-476a-ad03-3c7f0320abb3) | Medium | Networking and Firewall | Incoming container traffic should be bound to a specific host interface. | Documentation
Privileged Ports Mapped In Container (bc2908f3-f73c-40a9-8793-c1b7d5544f79) | Medium | Networking and Firewall | Privileged ports (1 to 1023) should not be mapped. You should also drop the net_bind_service Linux capability from the container unless you absolutely need to use privileged ports. | Documentation
Shared Host Network Namespace (071a71ff-f868-47a4-ac0b-3c59e4ab5443) | Medium | Networking and Firewall | Container should not share the host network namespace. | Documentation
Networks Not Set (ce14a68b-1668-41a0-ab7d-facd9f784742) | Medium | Networking and Firewall | Setting networks in services ensures you are not using Docker's default bridge (docker0), which shares traffic between all containers. | Documentation
Shared Host User Namespace (8af7162d-6c98-482f-868e-0d33fb675ca8) | Medium | Resource Management | The host's user namespace should not be shared. | Documentation
Memory Not Limited (bb9ac4f7-e13b-423d-a010-c74a1bfbe492) | Medium | Resource Management | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume no more than the designated amount of memory. | Documentation
Security Opt Not Set (610e266e-6c12-4bca-9925-1ed0cd29742b) | Medium | Resource Management | Attribute 'security_opt' should be defined. | Documentation
Host Namespace is Shared (4f31dd9f-2cc3-4751-9b53-67e4af83dac0) | Medium | Resource Management | The host's process namespace should not be shared by containers. | Documentation
Shared Host IPC Namespace (baa3890f-bed7-46f5-ab8f-1da8fc91c729) | Medium | Resource Management | The host IPC namespace should not be shared. | Documentation
Pids Limit Not Set (221e0658-cb2a-44e3-b08a-db96a341d6fa) | Medium | Resource Management | 'pids_limit' should be set and different from -1. | Documentation
Default Seccomp Profile Disabled (404fde2c-bc4b-4371-9747-7054132ac953) | Medium | Resource Management | Seccomp offers a whitelist of common system calls, blocking all others. Exposing less of the kernel to an application then increases security. | Documentation
Container Capabilities Unrestricted (ce76b7d0-9e77-464d-b86f-c5c48e03e22d) | Low | Resource Management | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs, and drop unnecessary capabilities as well. | Documentation
Cpus Not Limited (6b610c50-99fb-4ef0-a5f3-e312fd945bc3) | Low | Resource Management | CPU limits should be set because, if the system has CPU time free, a container is otherwise guaranteed to be allocated as much CPU as it requests. | Documentation