# COMPOSE-SEC-002: Docker Socket Exposed to Container

> **Severity:** CRITICAL | **CWE:** CWE-250

- **Language:** Docker Compose
- **Category:** Security
- **URL:** https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-002
- **Detection:** `pathfinder scan --ruleset docker-compose/COMPOSE-SEC-002 --project .`

## Description

This rule detects docker-compose services that mount the Docker socket
(/var/run/docker.sock or /run/docker.sock) as a volume. The Docker socket is
owned by root and provides complete control over the Docker daemon. Giving a
container access to it is equivalent to giving unrestricted root access to the
host system.

This is identical to DOCKER-SEC-006 but for docker-compose configurations.

## Vulnerable Code

```python
version: '3.8'
services:
  # CRITICAL SECURITY ISSUE
  portainer:
    image: portainer/portainer-ce
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock  # DANGEROUS!
    ports:
      - "9000:9000"
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import compose_rule
from rules.container_matchers import service_has


@compose_rule(
    id="COMPOSE-SEC-002",
    name="Docker Socket Exposed to Container",
    severity="CRITICAL",
    cwe="CWE-250",
    category="security",
    tags="docker-compose,compose,docker-socket,volume,security,privilege-escalation,container-escape,daemon,critical,host-access",
    message="Service mounts Docker socket. The owner of this socket is root. Giving container access to it is equivalent to giving unrestricted root access to host."
)
def docker_socket_exposed():
    """
    Detects Docker socket mounted as volume.

    Mounting /var/run/docker.sock gives the container full control over
    the Docker daemon, allowing container escape, privilege escalation,
    and complete host compromise.
    """
    return service_has(
        key="volumes",
        contains_any=[
            "/var/run/docker.sock",
            "/run/docker.sock",
            "docker.sock"
        ]
    )
```

## How to Fix

- Never mount the Docker socket into application containers
- Use the Docker API over TLS with client certificates if remote access is needed
- Consider rootless Docker or Podman to reduce socket exposure risk

## FAQ

**Q: Why is mounting docker.sock dangerous?**

The Docker socket gives unrestricted access to the Docker daemon. A container with the socket mounted can create privileged containers, access host filesystems, and effectively gain root on the host.

**Q: What if I need Docker-in-Docker for CI/CD?**

Use Docker-in-Docker (dind) with TLS enabled, or use Kaniko/Buildah for building images without requiring Docker socket access.

## References

- [CWE-250: Execution with Unnecessary Privileges](https://cwe.mitre.org/data/definitions/250.html)
- [Docker Socket Security Advisory](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)
- [CIS Docker Benchmark: Section 5.31](https://www.cisecurity.org/benchmark/docker)
- [OWASP Docker Security Cheat Sheet](https://owasp.org/www-project-top-ten/)
- [Tecnativa Docker Socket Proxy documentation](https://github.com/Tecnativa/docker-socket-proxy)

---

Source: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-002
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis