Docker Compose

DockerCompose Queries List

This page contains all queries from DockerCompose.

| Query | Severity | Category | Description |
|---|---|---|---|
| Docker Socket Mounted In Container | High | Build Process | The Docker socket docker.sock should not be mounted from the host. If the Docker socket is mounted, processes in the container can execute Docker commands. |
| Volume Has Sensitive Host Directory | High | Build Process | Container has a sensitive host directory mounted as a volume. |
| Volume Mounted In Multiple Containers | High | Build Process | Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave'. |
| No New Privileges Not Set | High | Resource Management | Ensuring the process does not gain any new privileges lessens the risk associated with many operations. |
| Privileged Containers Enabled | High | Resource Management | Privileged containers should be used with extreme caution; they have all of the capabilities that the Linux kernel offers to Docker. |
| Healthcheck Not Set | Medium | Availability | Check containers periodically to see if they are running properly. |
| Restart Policy On Failure Not Set To 5 | Medium | Build Process | Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. |
| Cgroup Not Default | Medium | Build Process | Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. A poorly configured cgroup may prove to be a security fault. |
| Container Traffic Not Bound To Host Interface | Medium | Networking and Firewall | Incoming container traffic should be bound to a specific host interface. |
| Privileged Ports Mapped In Container | Medium | Networking and Firewall | Privileged ports (1 to 1023) should not be mapped. You should also drop the net_bind_service Linux capability from the container unless you absolutely need to use privileged ports. |
| Networks Not Set | Medium | Networking and Firewall | Setting networks in services ensures you are not using Docker's default bridge (docker0), which shares traffic between all containers. |
| Host Namespace is Shared | Medium | Resource Management | The host's process namespace should not be shared by containers. |
| Shared Host User Namespace | Medium | Resource Management | The host's user namespace should not be shared. |
| Memory Not Limited | Medium | Resource Management | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume no more than the designated amount of memory. |
| Pids Limit Not Set | Medium | Resource Management | 'pids_limit' should be set and different from -1. |
| Default Seccomp Profile Disabled | Medium | Resource Management | Seccomp offers a whitelist of common system calls, blocking all others. Exposing less of the kernel to an app increases security. |
| Shared Host Network Namespace | Medium | Resource Management | Containers should not share the host network namespace. |
| Security Opt Not Set | Medium | Resource Management | Attribute 'security_opt' should be defined. |
| Shared Host IPC Namespace | Medium | Resource Management | Containers should not share the host IPC namespace. |
| Container Capabilities Unrestricted | Low | Resource Management | Some capabilities are not needed in certain (or any) containers. Make sure that you only add the capabilities your container needs, and drop unnecessary capabilities. |
| Cpus Not Limited | Low | Resource Management | CPU limits should be set, because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests. |