Container Security
Security rules for Docker Compose services
Run All Container Security Rules
pathfinder scan --ruleset cpf/docker-compose/securityRules
Privileged Container Service
Severity: critical
Detects services running in privileged mode, which disables container isolation.
Docker Socket Exposed to Container
Severity: critical
Service mounts the Docker socket, giving the container unrestricted root-equivalent access to the host.
Host Network Mode
Severity: high
Service uses host network mode, bypassing Docker network isolation.
Seccomp Confinement Disabled
Severity: high
Service disables seccomp, which restricts the system calls a container may make; this significantly increases the attack surface.
Container Filesystem is Writable
Severity: low
Service runs without a read-only filesystem, allowing attackers to modify binaries and persist backdoors.
Dangerous Capability Added
Severity: high
Service adds dangerous capabilities (SYS_ADMIN, NET_ADMIN, SYS_PTRACE) that can enable container escape.
Using Host PID Mode
Severity: high
Service uses the host PID namespace, allowing it to see and interact with all host processes.
Using Host IPC Mode
Severity: medium
Service uses the host IPC namespace, allowing it to access the host system's shared memory and semaphores.
Missing no-new-privileges Security Option
Severity: medium
Service is missing the no-new-privileges security option, which allows privilege escalation through setuid/setgid binaries.
SELinux Separation Disabled
Severity: medium
Service explicitly disables SELinux, which provides mandatory access control that limits the impact of a container compromise.