    Docker-compose

    Security

    Service ‘$SERVICE’ is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove ‘seccomp:unconfined’ to prevent this.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-284: Improper Access Control
    OWASP:
    - A05:2017 - Broken Access Control
    - A01:2021 - Broken Access Control

    Service ‘$SERVICE’ is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or to modify container files. If an application inside a container has to save something temporarily, consider using a tmpfs. Add ‘read_only: true’ to this service to prevent this.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-732: Incorrect Permission Assignment for Critical Resource
    OWASP:
    - A05:2021 - Security Misconfiguration
    - A06:2017 - Security Misconfiguration

    Service ‘$SERVICE’ is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove ‘label:disable’ to prevent this.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-284: Improper Access Control
    OWASP:
    - A05:2017 - Broken Access Control
    - A01:2021 - Broken Access Control

    Service ‘$SERVICE’ is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the ‘privileged’ key to disable this capability.
    Likelihood: HIGH
    Confidence: HIGH
    CWE:
    - CWE-250: Execution with Unnecessary Privileges
    OWASP:
    - A06:2017 - Security Misconfiguration
    - A05:2021 - Security Misconfiguration

    Service ‘$SERVICE’ allows for privilege escalation via setuid or setgid binaries. Add ‘no-new-privileges:true’ in ‘security_opt’ to prevent this.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-732: Incorrect Permission Assignment for Critical Resource
    OWASP:
    - A05:2021 - Security Misconfiguration
    - A06:2017 - Security Misconfiguration

    Exposing the host’s Docker socket to containers via a volume. The owner of this socket is root, so giving a container access to it is equivalent to giving unrestricted root access to your host. Remove ‘docker.sock’ from volumes to prevent this.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-250: Execution with Unnecessary Privileges
    OWASP:
    - A06:2017 - Security Misconfiguration
    - A05:2021 - Security Misconfiguration
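    The six rules above, implemented as a small checker over a parsed docker-compose file. This is an added example, not CodeAnt's rule engine: it takes the dict form of a compose file (what `yaml.safe_load` returns) so it runs without dependencies, and the two services in `SAMPLE_COMPOSE` are constructed for the demo, one tripping every rule and one hardened as the remediations describe.

```python
from typing import Dict, List

# Constructed sample: the parsed form of a docker-compose.yml (as yaml.safe_load
# would return it). "weak" trips every rule above; "hardened" applies each fix.
SAMPLE_COMPOSE = {
    "services": {
        "weak": {
            "image": "example/app:latest",
            "privileged": True,
            "security_opt": ["seccomp:unconfined", "label:disable"],
            "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
        "hardened": {
            "image": "example/app:latest",
            "read_only": True,
            "tmpfs": ["/tmp"],
            "security_opt": ["no-new-privileges:true"],
            "volumes": [{"type": "bind", "source": "./data", "target": "/data"}],
        },
    }
}

def _volume_source(vol) -> str:
    """Host side of a volume entry in short ("src:dst") or long (dict) syntax."""
    if isinstance(vol, dict):
        return str(vol.get("source", ""))
    return str(vol).split(":")[0]

def check_service(svc: dict) -> List[str]:
    """Return the ids of the rules above that this service violates, in page order."""
    opts = [str(o) for o in svc.get("security_opt") or []]
    findings = []
    if "seccomp:unconfined" in opts:
        findings.append("seccomp-unconfined")
    if svc.get("read_only") is not True:          # absent or false: root fs is writable
        findings.append("writable-root-filesystem")
    if "label:disable" in opts:
        findings.append("selinux-disabled")
    if svc.get("privileged") is True:
        findings.append("privileged-mode")
    if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in opts):
        findings.append("missing-no-new-privileges")
    if any(_volume_source(v).endswith("docker.sock") for v in svc.get("volumes") or []):
        findings.append("docker-socket-exposed")
    return findings

def check_compose(compose: dict) -> Dict[str, List[str]]:
    """Map every service name to its findings; an empty list means the service is clean."""
    return {name: check_service(svc) for name, svc in (compose.get("services") or {}).items()}

if __name__ == "__main__":
    for name, findings in check_compose(SAMPLE_COMPOSE).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```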
