Security

Critical security rules for preventing vulnerabilities

10 Security Rules

Run All Security Rules

pathfinder scan --ruleset cpf/docker-compose/security

Rules

Using Host IPC Mode

MEDIUM

Service uses the host IPC namespace. The container shares inter-process communication (IPC) with the host.

docker-compose, compose, ipc, host-ipc, security, isolation, namespace, shared-memory, information-disclosure
CWE-250
Updated 2026-01-17

Missing no-new-privileges Security Option

MEDIUM

Service does not have 'no-new-privileges:true' in security_opt. This allows

docker-compose, compose, no-new-privileges, security, setuid, privilege-escalation, hardening, capabilities
CWE-732
Updated 2026-01-17

SELinux Separation Disabled

MEDIUM

Service has 'label:disable' in security_opt, which disables SELinux mandatory

docker-compose, compose, selinux, security, mac, mandatory-access-control, isolation, hardening, rhel
CWE-732
Updated 2026-01-17

Container Filesystem is Writable

LOW

Service has a writable root filesystem. Consider making it read-only for better security.

docker-compose, compose, filesystem, read-only, security, immutability, malware-prevention, hardening, best-practice
CWE-732
Updated 2026-01-17

Dangerous Capability Added

HIGH

Service adds a dangerous capability. Such capabilities can be used for container escape or privilege escalation.

docker-compose, compose, capabilities, cap-add, security, privilege-escalation, container-escape, linux, kernel
CWE-250
Updated 2026-01-17

Docker Socket Exposed to Container

CRITICAL

Service mounts the Docker socket. The owner of this socket is root, so giving the container access to it is equivalent to giving it unrestricted root access to the host.

docker-compose, compose, docker-socket, volume, security, privilege-escalation, container-escape, daemon, critical, host-access
CWE-250
Updated 2026-01-17

Using Host Network Mode

HIGH

Service uses host network mode. The container shares the host network stack, bypassing network isolation.

docker-compose, compose, network, host-network, security, isolation, networking, namespace, privilege-escalation
CWE-250
Updated 2026-01-17

Using Host PID Mode

HIGH

Service uses the host PID namespace. The container can see and potentially signal host processes.

docker-compose, compose, pid, host-pid, security, isolation, namespace, process, information-disclosure
CWE-250
Updated 2026-01-17

Service Running in Privileged Mode

CRITICAL

Service is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine and can lead to container escape and privilege escalation.

docker-compose, compose, service, privileged, security, privilege-escalation, container-escape, capabilities, critical, host-access
CWE-250
Updated 2026-01-17

Seccomp Confinement Disabled

HIGH

Service disables the seccomp profile. The container can use all system calls, increasing the attack surface.

docker-compose, compose, seccomp, security, syscall, kernel, confinement, isolation, attack-surface
CWE-284
Updated 2026-01-17