# COMPOSE-SEC-006: Container Filesystem is Writable

> **Severity:** LOW | **CWE:** CWE-732

- **Language:** Docker Compose
- **Category:** Security
- **URL:** https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-006
- **Detection:** `pathfinder scan --ruleset docker-compose/COMPOSE-SEC-006 --project .`

## Description

This rule detects services without `read_only: true` filesystem setting.
While containers have writable filesystems by default for compatibility,
making the root filesystem read-only significantly improves security by
preventing attackers from modifying binaries, installing malware, or
persisting backdoors within the container.

**Security benefits of read-only filesystems:**

1. **Prevents Malware Installation**:
   Attackers cannot write persistent backdoors or rootkits to the filesystem.

2. **Blocks Binary Modification**:
   Attackers cannot replace legitimate binaries with trojanized versions.

3. **Immutable Infrastructure**:
   Enforces that containers are disposable and stateless.

4. **Reduces Attack Persistence**:
   Malware must remain in memory only and is lost on container restart.

## Vulnerable Code

```yaml
services:
  web:
    image: nginx
    # Writable filesystem (default) - can be modified by attackers
```

## Secure Code

```yaml
services:
  web:
    image: nginx
    read_only: true
    tmpfs:
      - /tmp
      - /var/run
      - /var/cache/nginx
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import compose_rule
from rules.container_matchers import service_missing


@compose_rule(
    id="COMPOSE-SEC-006",
    name="Container Filesystem is Writable",
    severity="LOW",
    cwe="CWE-732",
    category="security",
    tags="docker-compose,compose,filesystem,read-only,security,immutability,malware-prevention,hardening,best-practice",
    message="Service has writable root filesystem. Consider making it read-only for better security."
)
def writable_filesystem():
    """
    Detects services without read_only: true.

    Read-only filesystems prevent attackers from modifying binaries,
    installing malware, or persisting backdoors.
    """
    return service_missing(key="read_only")
```
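The SDK rule above is a one-line matcher; to show what that check actually does to a Compose file, here is a stand-alone checker added as an example. It is not Code Pathfinder's SDK code: it parses a `docker-compose.yml` (with PyYAML when installed, otherwise with a small parser for the block-style subset Compose files use), reports a LOW finding for every service that does not set `read_only: true`, and adds an informational note when a service is read-only but mounts no `tmpfs` or `volumes`, since images such as nginx need writable scratch paths (which is why the secure example mounts `/var/run` and `/var/cache/nginx`). The sample Compose documents embedded below are constructed for this example; the service names and the `registry.example` image are placeholders.

```python
"""Stand-alone checker for COMPOSE-SEC-006 (added example, not the Code Pathfinder SDK)."""

RULE_ID = "COMPOSE-SEC-006"
MESSAGE = ("Service has writable root filesystem. "
           "Consider making it read-only for better security.")


def _scalar(text):
    """Convert a YAML scalar of the supported subset into a Python value."""
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]                       # quoted string
    low = text.lower()
    if low in ("true", "yes", "on"):
        return True
    if low in ("false", "no", "off"):
        return False
    try:
        return int(text)
    except ValueError:
        return text


def _parse_block(lines, i, indent):
    """Parse (indent, text) lines from position i into a mapping or a list of scalars."""
    if lines[i][1].startswith("- "):            # list of scalars at this indent
        items = []
        while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
            items.append(_scalar(lines[i][1][2:]))
            i += 1
        return items, i
    mapping = {}
    while i < len(lines) and lines[i][0] == indent:
        key, _, rest = lines[i][1].partition(":")
        i += 1
        if rest.strip():                        # inline scalar value
            mapping[key.strip()] = _scalar(rest)
        elif i < len(lines) and lines[i][0] > indent:   # nested block (must be indented)
            mapping[key.strip()], i = _parse_block(lines, i, lines[i][0])
        else:
            mapping[key.strip()] = None
    return mapping, i


def load_compose(text):
    """Load Compose YAML with PyYAML if available, else with the subset parser."""
    try:
        import yaml                             # optional dependency
        return yaml.safe_load(text)
    except ImportError:
        pass
    lines = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].rstrip()    # subset assumption: '#' always starts a comment
        if body.strip():
            lines.append((len(body) - len(body.lstrip()), body.strip()))
    if not lines:
        return {}
    doc, _ = _parse_block(lines, 0, lines[0][0])
    return doc


def scratch_paths(service):
    """Paths a service keeps writable through tmpfs (Compose allows a string or a list)."""
    tmpfs = service.get("tmpfs") or []
    if isinstance(tmpfs, str):
        tmpfs = [tmpfs]
    return [str(p) for p in tmpfs]


def scan(text):
    """Return findings for every service whose root filesystem is writable."""
    findings = []
    services = (load_compose(text) or {}).get("services") or {}
    for name, service in services.items():
        service = service or {}
        if service.get("read_only") is not True:
            findings.append({"rule": RULE_ID, "severity": "LOW", "service": name, "message": MESSAGE})
        elif not scratch_paths(service) and not service.get("volumes"):
            # Not a violation: just a reminder that a read-only root only works when the
            # image never writes at runtime (nginx, for instance, needs /var/cache/nginx).
            findings.append({"rule": RULE_ID, "severity": "INFO", "service": name,
                             "message": "read_only: true with no tmpfs or volumes; "
                                        "confirm the image needs no writable paths."})
    return findings


# Constructed sample Compose documents (not from any real project).
VULNERABLE = "services:\n  web:\n    image: nginx\n    # writable root (default)\n"
SECURE = ("services:\n  web:\n    image: nginx\n    read_only: true\n"
          "    tmpfs:\n      - /tmp\n      - /var/run\n      - /var/cache/nginx\n")
MIXED = ("services:\n  api:\n    image: \"registry.example/api:1.0\"\n    read_only: false\n"
         "  worker:\n    image: busybox\n    read_only: true\n")

if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE), ("secure", SECURE), ("mixed", MIXED)):
        print(label, scan(doc))
```

`scan(VULNERABLE)` yields one LOW finding for `web`, `scan(SECURE)` yields none, and in the mixed file `api` (explicit `read_only: false`) is flagged while `worker` only gets the informational note. The subset parser is deliberately small: nested lists must be indented under their key, and `#` inside unquoted values is treated as a comment, so install PyYAML for real-world files.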

## How to Fix

- Review your Dockerfile to address the writable container filesystem issue
- Follow Docker's official best practices for image building
- Use `docker build --check` to validate Dockerfile syntax and best practices

## FAQ

**Q: Why does this rule flag container filesystem is writable?**

Service has writable root filesystem. Consider making it read-only for better security.

**Q: How do I fix this?**

Review the example in the Secure Code section above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

## References

- [CWE-732: Incorrect Permission Assignment](https://cwe.mitre.org/data/definitions/732.html)
- [Docker Security Best Practices](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)
- [Immutable Infrastructure Principles](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)

---

Source: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-006
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
