Rule Information
Tags
docker-composecomposenetworkhost-networksecurityisolationnetworkingnamespaceprivilege-escalation
CWE References
Interactive Playground
Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.
pathfinder scan --ruleset docker-compose/COMPOSE-SEC-007 --project .1
2
3
4
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
About This Rule
Understanding the vulnerability and how it is detected
This rule detects services using `network_mode: host`, which disables network isolation and makes the container share the host's network stack. This bypasses Docker's network isolation, exposes all host network interfaces to the container, and allows the container to bind to any host port.
Security Implications
Potential attack scenarios if this vulnerability is exploited
1
Service Exposure
All container services exposed on host IP
2
Network Sniffing
Container can capture all host network traffic
3
Localhost Access
Can access services on host's 127.0.0.1
4
No Firewall Protection
Bypasses Docker's iptables rules
How to Fix
Recommended remediation steps
- 1Review your Dockerfile to address the using host network mode issue
- 2Follow Docker official best practices for image building
- 3Use docker build --check to validate Dockerfile syntax and best practices
References
External resources and documentation
Similar Rules
Explore related security rules for Docker Compose
LOW
Container Filesystem is Writable
Service has writable root filesystem. Consider making it read-only for better security.
MEDIUM
Using Host IPC Mode
Service uses host IPC namespace. Container shares inter-process communication with host.
MEDIUM
Missing no-new-privileges Security Option
Service does not have no-new-privileges security option. Without this, processes inside the container can gain additional privileges via setuid binaries or capability escalation.
Frequently Asked Questions
Common questions about Using Host Network Mode
Service uses host network mode. Container shares host network stack, bypassing network isolation.
Review the secure code example in the playground above and apply the recommended pattern to your Dockerfile or docker-compose.yml.
New feature
Get these findings posted directly on your GitHub pull requests
The Using Host Network Mode rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.