Docker-compose

Security

seccomp-confinement-disabled

Service ‘$SERVICE’ is explicitly disabling seccomp confinement. The service runs without the default seccomp profile, so every system call is permitted. Remove ‘seccomp:unconfined’ from ‘security_opt’ to prevent this.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control

writable-filesystem-service

Service ‘$SERVICE’ is running with a writable root filesystem. A compromised process can then download and run additional payloads or modify the container’s own files. If an application inside the container has to write something temporarily, consider mounting a tmpfs for that path. Add ‘read_only: true’ to this service to prevent this.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration
- A06:2017 - Security Misconfiguration

selinux-separation-disabled

Service ‘$SERVICE’ is explicitly disabling SELinux separation. The service runs as an unconfined type, so SELinux policy no longer restricts what it can access. Remove ‘label:disable’ from ‘security_opt’ to prevent this.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-284: Improper Access Control
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control

privileged-service

Service ‘$SERVICE’ is running in privileged mode. This grants the container all Linux capabilities and access to all host devices, which is effectively root on the host machine. It can lead to container escapes, privilege escalation, and other security concerns. Remove the ‘privileged’ key (or set it to false) to disable this.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-250: Execution with Unnecessary Privileges
OWASP:
- A06:2017 - Security Misconfiguration
- A05:2021 - Security Misconfiguration

no-new-privileges

Service ‘$SERVICE’ allows for privilege escalation via setuid or setgid binaries because ‘no-new-privileges’ is not set. Add ‘no-new-privileges:true’ to ‘security_opt’ to prevent this.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-732: Incorrect Permission Assignment for Critical Resource
OWASP:
- A05:2021 - Security Misconfiguration
- A06:2017 - Security Misconfiguration

exposing-docker-socket-volume

Service ‘$SERVICE’ mounts the host’s Docker socket (‘docker.sock’) as a volume. The socket is owned by root, and anyone who can talk to it can start arbitrary containers, so access to it is equivalent to unrestricted root access on the host. Remove ‘docker.sock’ from ‘volumes’ to prevent this.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-250: Execution with Unnecessary Privileges
OWASP:
- A06:2017 - Security Misconfiguration
- A05:2021 - Security Misconfiguration
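The six rules above can be applied mechanically to a parsed compose file. The following is an added example, not CodeAnt’s own checker: it implements each rule as a function over the dictionary that `yaml.safe_load()` would return for a constructed `compose.yaml` (the dictionary is embedded inline so the script runs without PyYAML), reports findings by the rule names used on this page, and shows a `harden_service()` helper that applies the page’s remediation to a flagged service. The service names, images and volume names are invented for the example.

```python
"""Added example: apply the Docker Compose security rules above to a parsed compose file.

SAMPLE_COMPOSE is what yaml.safe_load() returns for this constructed compose.yaml:

    services:
      api:
        image: example/api:1.0
        privileged: true
        security_opt:
          - seccomp:unconfined
          - label:disable
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - api-data:/data
      worker:
        image: example/worker:1.0
        read_only: true
        security_opt:
          - no-new-privileges:true
        tmpfs:
          - /tmp
    volumes:
      api-data: {}
"""
import copy

SAMPLE_COMPOSE = {
    "services": {
        "api": {
            "image": "example/api:1.0",
            "privileged": True,
            "security_opt": ["seccomp:unconfined", "label:disable"],
            "volumes": ["/var/run/docker.sock:/var/run/docker.sock", "api-data:/data"],
        },
        "worker": {
            "image": "example/worker:1.0",
            "read_only": True,
            "security_opt": ["no-new-privileges:true"],
            "tmpfs": ["/tmp"],
        },
    },
    "volumes": {"api-data": {}},
}

UNSAFE_OPTS = ("seccomp:unconfined", "label:disable")


def _truthy(value):
    # Compose accepts YAML booleans as well as the strings "true"/"false".
    return value is True or str(value).lower() == "true"


def _security_opts(service):
    # Normalise the docker CLI form "key=value" to the compose form "key:value".
    return [str(o).replace("=", ":").replace(" ", "") for o in service.get("security_opt") or []]


def _volume_source(volume):
    # Long syntax: {type: bind, source: ..., target: ...}; short syntax: SOURCE:TARGET[:MODE].
    if isinstance(volume, dict):
        return str(volume.get("source", ""))
    return str(volume).split(":")[0]


def check_service(name, service):
    """Return the list of rule ids (as named on this page) that fire for one service."""
    findings = []
    opts = _security_opts(service)
    if _truthy(service.get("privileged", False)):
        findings.append("privileged-service")
    if "seccomp:unconfined" in opts:
        findings.append("seccomp-confinement-disabled")
    if "label:disable" in opts:
        findings.append("selinux-separation-disabled")
    if "no-new-privileges:true" not in opts:
        findings.append("no-new-privileges")
    if not _truthy(service.get("read_only", False)):
        findings.append("writable-filesystem-service")
    if any(_volume_source(v).endswith("docker.sock") for v in service.get("volumes") or []):
        findings.append("exposing-docker-socket-volume")
    return findings


def check_compose(compose):
    """Map each service name to its findings."""
    return {name: check_service(name, svc or {})
            for name, svc in (compose.get("services") or {}).items()}


def harden_service(service):
    """Return a copy of the service with the page's remediation for every rule applied."""
    fixed = copy.deepcopy(service)
    fixed.pop("privileged", None)                       # privileged-service
    opts = [o for o in _security_opts(fixed) if o not in UNSAFE_OPTS]  # seccomp / selinux rules
    if "no-new-privileges:true" not in opts:            # no-new-privileges
        opts.append("no-new-privileges:true")
    fixed["security_opt"] = opts
    fixed["read_only"] = True                           # writable-filesystem-service
    fixed.setdefault("tmpfs", ["/tmp"])                 # scratch space now that / is read-only
    fixed["volumes"] = [v for v in fixed.get("volumes") or []
                        if not _volume_source(v).endswith("docker.sock")]  # docker-socket rule
    return fixed


if __name__ == "__main__":
    for name, findings in check_compose(SAMPLE_COMPOSE).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
    print("hardened api:", harden_service(SAMPLE_COMPOSE["services"]["api"]))
```

Running the script reports all six rules against `api` and none against `worker`; after `harden_service()` the `api` service passes every check, keeping only its named data volume. The checker deliberately treats a missing `read_only` or `no-new-privileges:true` as a finding, matching the page’s rules, which flag the absence of a hardening setting rather than the presence of a weak one.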