DockerCompose Queries List

This page contains all queries from DockerCompose.

| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| Docker Socket Mounted In Container | High | Build Process | The Docker socket docker.sock should not be mounted from the host. If the Docker socket is mounted, it can allow the container's processes to execute Docker commands. | Documentation |
| Volume Has Sensitive Host Directory | High | Build Process | Container has a sensitive host directory mounted as a volume. | Documentation |
| Volume Mounted In Multiple Containers | High | Build Process | Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave'. | Documentation |
| No New Privileges Not Set | High | Resource Management | Ensuring the process does not gain any new privileges lessens the risk associated with many operations. | Documentation |
| Privileged Containers Enabled | High | Resource Management | Privileged containers should be used with extreme caution; they have all of the capabilities that the Linux kernel offers to Docker. | Documentation |
| Healthcheck Not Set | Medium | Availability | Check containers periodically to see if they are running properly. | Documentation |
| Cgroup Not Default | Medium | Build Process | Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. A poorly configured cgroup may prove to be a security fault. | Documentation |
| Restart Policy On Failure Not Set To 5 | Medium | Build Process | Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used, and 5 retries is the value recommended by CIS. | Documentation |
| Privileged Ports Mapped In Container | Medium | Networking and Firewall | Privileged ports (1 to 1023) should not be mapped. You should also drop the net_bind_service Linux capability from the container unless you absolutely need to use privileged ports. | Documentation |
| Container Traffic Not Bound To Host Interface | Medium | Networking and Firewall | Incoming container traffic should be bound to a specific host interface. | Documentation |
| Networks Not Set | Medium | Networking and Firewall | Setting networks in services ensures you are not using Docker's default bridge (docker0), which shares traffic between all containers. | Documentation |
| Default Seccomp Profile Disabled | Medium | Resource Management | Seccomp offers a whitelist of common system calls, blocking all others. Exposing less of the kernel to an application in this way increases security. | Documentation |
| Shared Host Network Namespace | Medium | Resource Management | Container should not share the host network namespace. | Documentation |
| Shared Host User Namespace | Medium | Resource Management | The host's user namespace should not be shared. | Documentation |
| Shared Host IPC Namespace | Medium | Resource Management | Container should not share the host IPC namespace. | Documentation |
| Host Namespace is Shared | Medium | Resource Management | The host's process namespace should not be shared by containers. | Documentation |
| Security Opt Not Set | Medium | Resource Management | Attribute 'security_opt' should be defined. | Documentation |
| Pids Limit Not Set | Medium | Resource Management | 'pids_limit' should be set and be different from -1. | Documentation |
| Memory Not Limited | Medium | Resource Management | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume no more than the designated amount of memory. | Documentation |
| Cpus Not Limited | Low | Resource Management | CPU limits should be set because, if the system has CPU time free, a container is otherwise guaranteed to be allocated as much CPU as it requests. | Documentation |
| Container Capabilities Unrestricted | Low | Resource Management | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs, and drop unnecessary capabilities as well. | Documentation |