configsentry 0.0.10 → 0.0.12

package/README.md

@@ -1,10 +1,15 @@
 # ConfigSentry (MVP)
 
+[![npm version](https://img.shields.io/npm/v/configsentry.svg)](https://www.npmjs.com/package/configsentry)
+
 Developer-first guardrails for **docker-compose.yml** (security + ops footguns).
 
 ## What it does
 ConfigSentry reads a Compose file and flags common **high-impact** mistakes:
 - privileged containers (`privileged: true`)
+- dangerous capabilities (`cap_add: [ALL]`)
+- host namespaces (`network_mode: host`, `pid: host`, `ipc: host`)
+- unconfined security profiles (`security_opt: ["seccomp=unconfined"]` / `apparmor:unconfined`)
 - Docker socket mounts (`/var/run/docker.sock`)
 - sensitive ports exposed publicly (e.g. `5432:5432` instead of `127.0.0.1:5432:5432`)
 - missing `restart:` policy
@@ -15,7 +20,7 @@ Designed to be **CI-friendly** (non-zero exit code when findings exist).
 
 ## Quickstart
 
-### Run via npx (after npm publish)
+### Run via npx
 
 ```bash
 npx configsentry ./docker-compose.yml
@@ -94,7 +99,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: alfredMorgenstern/configsentry@v0.0.9
+      - uses: alfredMorgenstern/configsentry@v0.0.13
         with:
           target: .
           # optional: baseline: .configsentry-baseline.json

package/dist/rules.js

@@ -48,6 +48,68 @@ export function runRules(compose, targetPath) {
                 suggestion: 'Remove privileged: true unless absolutely required; prefer adding only the needed capabilities.'
             });
         }
+        // Rule: cap_add: [ALL]
+        const capAdd = Array.isArray(svc?.cap_add) ? svc.cap_add : [];
+        if (capAdd.some((c) => String(c).toUpperCase() === 'ALL')) {
+            findings.push({
+                id: 'compose.cap-add-all',
+                title: 'Dangerous Linux capabilities (cap_add: ALL)',
+                severity: 'high',
+                message: `Service '${serviceName}' uses cap_add: [ALL], which is effectively privileged in many cases.`,
+                service: serviceName,
+                path: `${targetPath}#services.${serviceName}.cap_add`,
+                suggestion: 'Remove cap_add: ALL. Add only the specific capabilities required (e.g. NET_BIND_SERVICE) or redesign to avoid it.'
+            });
+        }
+        // Rule: host namespaces (network/pid/ipc)
+        if (svc?.network_mode === 'host') {
+            findings.push({
+                id: 'compose.network-host',
+                title: 'Host network namespace (network_mode: host)',
+                severity: 'high',
+                message: `Service '${serviceName}' uses network_mode: host, bypassing Docker network isolation.`,
+                service: serviceName,
+                path: `${targetPath}#services.${serviceName}.network_mode`,
+                suggestion: 'Avoid host networking. Prefer explicit port mappings or internal networks.'
+            });
+        }
+        if (svc?.pid === 'host') {
+            findings.push({
+                id: 'compose.pid-host',
+                title: 'Host PID namespace (pid: host)',
+                severity: 'high',
+                message: `Service '${serviceName}' uses pid: host, exposing host process namespace to the container.`,
+                service: serviceName,
+                path: `${targetPath}#services.${serviceName}.pid`,
+                suggestion: 'Avoid pid: host unless you are building low-level host tooling and understand the security implications.'
+            });
+        }
+        if (svc?.ipc === 'host') {
+            findings.push({
+                id: 'compose.ipc-host',
+                title: 'Host IPC namespace (ipc: host)',
+                severity: 'high',
+                message: `Service '${serviceName}' uses ipc: host, exposing host IPC namespace to the container.`,
+                service: serviceName,
+                path: `${targetPath}#services.${serviceName}.ipc`,
+                suggestion: 'Avoid ipc: host. Prefer explicit shared volumes or redesign if IPC sharing is required.'
+            });
+        }
+        // Rule: unconfined security profiles
+        const securityOpt = Array.isArray(svc?.security_opt) ? svc.security_opt : [];
+        const sec = securityOpt.map((x) => String(x).toLowerCase());
+        const hasUnconfined = sec.some((x) => x.includes('seccomp') && x.includes('unconfined')) || sec.some((x) => x.includes('apparmor') && x.includes('unconfined')) || sec.some((x) => x.includes('label:disable'));
+        if (hasUnconfined) {
+            findings.push({
+                id: 'compose.security-unconfined',
+                title: 'Security profile disabled (unconfined)',
+                severity: 'high',
+                message: `Service '${serviceName}' disables container security profiles via security_opt (${securityOpt.join(', ')}).`,
+                service: serviceName,
+                path: `${targetPath}#services.${serviceName}.security_opt`,
+                suggestion: 'Avoid unconfined security profiles. Remove the option or use a minimal custom seccomp/apparmor profile.'
+            });
+        }
         // Rule: docker socket mount
         const volumes = Array.isArray(svc?.volumes) ? svc.volumes : [];
         for (const v of volumes) {

package/dist/rules.test.js

@@ -16,3 +16,28 @@ test('detects docker socket mount', () => {
     const findings = runRules(compose, 'docker-compose.yml');
     assert.ok(findings.some((f) => f.id === 'compose.docker-socket' && f.service === 'runner'));
 });
+test('detects cap_add: ALL', () => {
+    const compose = { services: { app: { cap_add: ['ALL'] } } };
+    const findings = runRules(compose, 'docker-compose.yml');
+    assert.ok(findings.some((f) => f.id === 'compose.cap-add-all' && f.service === 'app'));
+});
+test('detects network_mode: host', () => {
+    const compose = { services: { app: { network_mode: 'host' } } };
+    const findings = runRules(compose, 'docker-compose.yml');
+    assert.ok(findings.some((f) => f.id === 'compose.network-host' && f.service === 'app'));
+});
+test('detects pid: host', () => {
+    const compose = { services: { app: { pid: 'host' } } };
+    const findings = runRules(compose, 'docker-compose.yml');
+    assert.ok(findings.some((f) => f.id === 'compose.pid-host' && f.service === 'app'));
+});
+test('detects ipc: host', () => {
+    const compose = { services: { app: { ipc: 'host' } } };
+    const findings = runRules(compose, 'docker-compose.yml');
+    assert.ok(findings.some((f) => f.id === 'compose.ipc-host' && f.service === 'app'));
+});
+test('detects unconfined security_opt', () => {
+    const compose = { services: { app: { security_opt: ['seccomp=unconfined'] } } };
+    const findings = runRules(compose, 'docker-compose.yml');
+    assert.ok(findings.some((f) => f.id === 'compose.security-unconfined' && f.service === 'app'));
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "configsentry",
-  "version": "0.0.10",
+  "version": "0.0.12",
   "description": "Developer-first guardrails for docker-compose.yml (security + ops footguns).",
   "type": "module",
   "license": "MIT",

package/src/rules.test.ts

@@ -19,3 +19,33 @@ test('detects docker socket mount', () => {
   const findings = runRules(compose, 'docker-compose.yml');
   assert.ok(findings.some((f) => f.id === 'compose.docker-socket' && f.service === 'runner'));
 });
+
+test('detects cap_add: ALL', () => {
+  const compose = { services: { app: { cap_add: ['ALL'] } } };
+  const findings = runRules(compose, 'docker-compose.yml');
+  assert.ok(findings.some((f) => f.id === 'compose.cap-add-all' && f.service === 'app'));
+});
+
+test('detects network_mode: host', () => {
+  const compose = { services: { app: { network_mode: 'host' } } };
+  const findings = runRules(compose, 'docker-compose.yml');
+  assert.ok(findings.some((f) => f.id === 'compose.network-host' && f.service === 'app'));
+});
+
+test('detects pid: host', () => {
+  const compose = { services: { app: { pid: 'host' } } };
+  const findings = runRules(compose, 'docker-compose.yml');
+  assert.ok(findings.some((f) => f.id === 'compose.pid-host' && f.service === 'app'));
+});
+
+test('detects ipc: host', () => {
+  const compose = { services: { app: { ipc: 'host' } } };
+  const findings = runRules(compose, 'docker-compose.yml');
+  assert.ok(findings.some((f) => f.id === 'compose.ipc-host' && f.service === 'app'));
+});
+
+test('detects unconfined security_opt', () => {
+  const compose = { services: { app: { security_opt: ['seccomp=unconfined'] } } };
+  const findings = runRules(compose, 'docker-compose.yml');
+  assert.ok(findings.some((f) => f.id === 'compose.security-unconfined' && f.service === 'app'));
+});

package/src/rules.ts

@@ -50,6 +50,71 @@ export function runRules(compose: any, targetPath: string): Finding[] {
       });
     }
 
+    // Rule: cap_add: [ALL]
+    const capAdd: any[] = Array.isArray(svc?.cap_add) ? svc.cap_add : [];
+    if (capAdd.some((c) => String(c).toUpperCase() === 'ALL')) {
+      findings.push({
+        id: 'compose.cap-add-all',
+        title: 'Dangerous Linux capabilities (cap_add: ALL)',
+        severity: 'high',
+        message: `Service '${serviceName}' uses cap_add: [ALL], which is effectively privileged in many cases.`,
+        service: serviceName,
+        path: `${targetPath}#services.${serviceName}.cap_add`,
+        suggestion: 'Remove cap_add: ALL. Add only the specific capabilities required (e.g. NET_BIND_SERVICE) or redesign to avoid it.'
+      });
+    }
+
+    // Rule: host namespaces (network/pid/ipc)
+    if (svc?.network_mode === 'host') {
+      findings.push({
+        id: 'compose.network-host',
+        title: 'Host network namespace (network_mode: host)',
+        severity: 'high',
+        message: `Service '${serviceName}' uses network_mode: host, bypassing Docker network isolation.`,
+        service: serviceName,
+        path: `${targetPath}#services.${serviceName}.network_mode`,
+        suggestion: 'Avoid host networking. Prefer explicit port mappings or internal networks.'
+      });
+    }
+    if (svc?.pid === 'host') {
+      findings.push({
+        id: 'compose.pid-host',
+        title: 'Host PID namespace (pid: host)',
+        severity: 'high',
+        message: `Service '${serviceName}' uses pid: host, exposing host process namespace to the container.`,
+        service: serviceName,
+        path: `${targetPath}#services.${serviceName}.pid`,
+        suggestion: 'Avoid pid: host unless you are building low-level host tooling and understand the security implications.'
+      });
+    }
+    if (svc?.ipc === 'host') {
+      findings.push({
+        id: 'compose.ipc-host',
+        title: 'Host IPC namespace (ipc: host)',
+        severity: 'high',
+        message: `Service '${serviceName}' uses ipc: host, exposing host IPC namespace to the container.`,
+        service: serviceName,
+        path: `${targetPath}#services.${serviceName}.ipc`,
+        suggestion: 'Avoid ipc: host. Prefer explicit shared volumes or redesign if IPC sharing is required.'
+      });
+    }
+
+    // Rule: unconfined security profiles
+    const securityOpt: any[] = Array.isArray(svc?.security_opt) ? svc.security_opt : [];
+    const sec = securityOpt.map((x) => String(x).toLowerCase());
+    const hasUnconfined = sec.some((x) => x.includes('seccomp') && x.includes('unconfined')) || sec.some((x) => x.includes('apparmor') && x.includes('unconfined')) || sec.some((x) => x.includes('label:disable'));
+    if (hasUnconfined) {
+      findings.push({
+        id: 'compose.security-unconfined',
+        title: 'Security profile disabled (unconfined)',
+        severity: 'high',
+        message: `Service '${serviceName}' disables container security profiles via security_opt (${securityOpt.join(', ')}).`,
+        service: serviceName,
+        path: `${targetPath}#services.${serviceName}.security_opt`,
+        suggestion: 'Avoid unconfined security profiles. Remove the option or use a minimal custom seccomp/apparmor profile.'
+      });
+    }
+
     // Rule: docker socket mount
     const volumes: any[] = Array.isArray(svc?.volumes) ? svc.volumes : [];
     for (const v of volumes) {