# COMPOSE-SEC-003: Seccomp Confinement Disabled

> **Severity:** HIGH | **CWE:** CWE-284

- **Language:** Docker Compose
- **Category:** Security
- **URL:** https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-003
- **Detection:** `pathfinder scan --ruleset docker-compose/COMPOSE-SEC-003 --project .`

## Description

This rule detects services with seccomp (secure computing mode) disabled via
`security_opt: seccomp:unconfined`. Seccomp is a Linux kernel feature that
restricts which system calls a process can make. Disabling it allows containers
to use ALL system calls, significantly increasing the attack surface.

## Vulnerable Code

```yaml
version: '3.8'
services:
  app:
    image: myapp
    security_opt:
      - seccomp:unconfined  # DANGEROUS - Allows all syscalls
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import compose_rule
from rules.container_matchers import service_has


@compose_rule(
    id="COMPOSE-SEC-003",
    name="Seccomp Confinement Disabled",
    severity="HIGH",
    cwe="CWE-284",
    category="security",
    tags="docker-compose,compose,seccomp,security,syscall,kernel,confinement,isolation,attack-surface",
    message="Service disables seccomp profile. Container can use all system calls, increasing attack surface."
)
def seccomp_disabled():
    """
    Detects services with seccomp disabled.

    Seccomp limits which system calls a container can make. Disabling
    it removes an important security layer and allows dangerous operations
    like kernel module loading and process injection.
    """
    return service_has(
        key="security_opt",
        contains="seccomp:unconfined"
    )
```

## How to Fix

- Remove the `seccomp:unconfined` entry from `security_opt` in your docker-compose.yml so the service keeps Docker's default seccomp profile (or point the option at a custom profile instead)
- Follow Docker official best practices for image building
- Use `docker build --check` to validate Dockerfile syntax and best practices
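The following stand-alone check, added here as an illustration and not part of Code Pathfinder's SDK, shows what the detection rule above matches and what the fixed file looks like. It embeds two constructed compose documents as already-parsed dicts (a real scanner would load them with `yaml.safe_load`), flags every service whose `security_opt` disables seccomp, and returns nothing for the corrected file. Treating the `docker run` spelling `seccomp=unconfined` the same as `seccomp:unconfined` is this example's own assumption, as is the custom profile path `./seccomp/worker.json`.

```python
"""Stand-alone check for COMPOSE-SEC-003 (added example, not the project's SDK)."""
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample: the vulnerable service from the rule page plus a second
# service using the docker-run spelling of the same option.
COMPOSE_VULNERABLE = {
    "services": {
        "app": {
            "image": "myapp",
            "security_opt": ["seccomp:unconfined"],  # flagged: all syscalls allowed
        },
        "worker": {
            "image": "myworker",
            "security_opt": ["seccomp=unconfined"],  # docker CLI spelling, also flagged
        },
    }
}

# Constructed sample: the fixed file. Dropping security_opt keeps Docker's default
# seccomp profile; the worker points at a custom profile (hypothetical path).
COMPOSE_FIXED = {
    "services": {
        "app": {"image": "myapp"},
        "worker": {
            "image": "myworker",
            "security_opt": ["seccomp:./seccomp/worker.json"],
        },
    }
}


def _seccomp_profile(option: str) -> Optional[str]:
    """Return the seccomp value from one security_opt entry, or None if the
    entry is about something else (label:..., no-new-privileges:..., apparmor:...).

    Both 'seccomp:VALUE' (compose spelling) and 'seccomp=VALUE' (docker run
    spelling) are accepted; treating them alike is an assumption of this example.
    """
    opt = option.strip()
    for sep in (":", "="):
        key, _, value = opt.partition(sep)
        if key.strip().lower() == "seccomp":
            return value.strip()
    return None


def seccomp_disabled_services(compose: Dict) -> Iterator[Tuple[str, str]]:
    """Yield (service_name, offending_option) for each service that disables seccomp."""
    for name, service in (compose.get("services") or {}).items():
        opts = (service or {}).get("security_opt") or []
        if isinstance(opts, str):  # tolerate a scalar where a list is expected
            opts = [opts]
        for opt in opts:
            if _seccomp_profile(str(opt)) == "unconfined":
                yield name, str(opt)


def scan(compose: Dict) -> List[Dict]:
    """One finding per offending service, in the rule's own vocabulary."""
    return [
        {
            "rule": "COMPOSE-SEC-003",
            "severity": "HIGH",
            "service": name,
            "option": opt,
            "fix": "remove this entry to keep Docker's default seccomp profile, "
                   "or replace 'unconfined' with the path of a custom profile",
        }
        for name, opt in seccomp_disabled_services(compose)
    ]


if __name__ == "__main__":
    for finding in scan(COMPOSE_VULNERABLE):
        print(f"{finding['rule']} {finding['severity']}: service "
              f"'{finding['service']}' sets security_opt '{finding['option']}'")
    print("findings for the fixed file:", scan(COMPOSE_FIXED))
```

Entries such as `seccomp:./seccomp/worker.json` are deliberately not flagged: a custom profile still confines the container, and whether it is strict enough is a separate review question from this rule.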

## FAQ

**Q: Why does this rule flag seccomp confinement disabled?**

Service disables seccomp profile. Container can use all system calls, increasing attack surface.

**Q: How do I fix this?**

Review the vulnerable code example above and apply the recommended pattern to your docker-compose.yml: drop the `seccomp:unconfined` entry so the service keeps the default seccomp profile, or reference a custom profile instead.

## References

- [CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html)
- [Docker Seccomp Security Profiles](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)
- [Linux Seccomp BPF Documentation](https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html)

---

Source: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-003
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
