configsentry 0.0.11 → 0.0.13

package/README.md

@@ -7,6 +7,9 @@ Developer-first guardrails for **docker-compose.yml** (security + ops footguns).
 ## What it does
 ConfigSentry reads a Compose file and flags common **high-impact** mistakes:
 - privileged containers (`privileged: true`)
+- dangerous capabilities (`cap_add: [ALL]`)
+- host namespaces (`network_mode: host`, `pid: host`, `ipc: host`)
+- unconfined security profiles (`security_opt: ["seccomp=unconfined"]` / `apparmor:unconfined`)
 - Docker socket mounts (`/var/run/docker.sock`)
 - sensitive ports exposed publicly (e.g. `5432:5432` instead of `127.0.0.1:5432:5432`)
 - missing `restart:` policy
@@ -96,7 +99,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: alfredMorgenstern/configsentry@v0.0.9
+      - uses: alfredMorgenstern/configsentry@v0.0.13
         with:
           target: .
           # optional: baseline: .configsentry-baseline.json

package/dist/rules.js

@@ -48,6 +48,68 @@ export function runRules(compose, targetPath) {
                 suggestion: 'Remove privileged: true unless absolutely required; prefer adding only the needed capabilities.'
             });
         }
+        // Rule: cap_add: [ALL]
+        const capAdd = Array.isArray(svc?.cap_add) ? svc.cap_add : [];
+        if (capAdd.some((c) => String(c).toUpperCase() === 'ALL')) {
+            findings.push({
+                id: 'compose.cap-add-all',
+                title: 'Dangerous Linux capabilities (cap_add: ALL)',
+                severity: 'high',
+                message: `Service '${serviceName}' uses cap_add: [ALL], which is effectively privileged in many cases.`,
+                service: serviceName,
+                path: `${targetPath}#services.${serviceName}.cap_add`,
+                suggestion: 'Remove cap_add: ALL. Add only the specific capabilities required (e.g. NET_BIND_SERVICE) or redesign to avoid it.'
+            });
+        }
+        // Rule: host namespaces (network/pid/ipc)
+        if (svc?.network_mode === 'host') {
+            findings.push({
+                id: 'compose.network-host',
+                title: 'Host network namespace (network_mode: host)',
+                severity: 'high',
+                message: `Service '${serviceName}' uses network_mode: host, bypassing Docker network isolation.`,
+                service: serviceName,
+                path: `${targetPath}#services.${serviceName}.network_mode`,
+                suggestion: 'Avoid host networking. Prefer explicit port mappings or internal networks.'
+            });
+        }
+        if (svc?.pid === 'host') {
+            findings.push({
+                id: 'compose.pid-host',
+                title: 'Host PID namespace (pid: host)',
+                severity: 'high',
+                message: `Service '${serviceName}' uses pid: host, exposing host process namespace to the container.`,
+                service: serviceName,
+                path: `${targetPath}#services.${serviceName}.pid`,
+                suggestion: 'Avoid pid: host unless you are building low-level host tooling and understand the security implications.'
+            });
+        }
+        if (svc?.ipc === 'host') {
+            findings.push({
+                id: 'compose.ipc-host',
+                title: 'Host IPC namespace (ipc: host)',
+                severity: 'high',
+                message: `Service '${serviceName}' uses ipc: host, exposing host IPC namespace to the container.`,
+                service: serviceName,
+                path: `${targetPath}#services.${serviceName}.ipc`,
+                suggestion: 'Avoid ipc: host. Prefer explicit shared volumes or redesign if IPC sharing is required.'
+            });
+        }
+        // Rule: unconfined security profiles
+        const securityOpt = Array.isArray(svc?.security_opt) ? svc.security_opt : [];
+        const sec = securityOpt.map((x) => String(x).toLowerCase());
+        const hasUnconfined = sec.some((x) => x.includes('seccomp') && x.includes('unconfined')) || sec.some((x) => x.includes('apparmor') && x.includes('unconfined')) || sec.some((x) => x.includes('label:disable'));
+        if (hasUnconfined) {
+            findings.push({
+                id: 'compose.security-unconfined',
+                title: 'Security profile disabled (unconfined)',
+                severity: 'high',
+                message: `Service '${serviceName}' disables container security profiles via security_opt (${securityOpt.join(', ')}).`,
+                service: serviceName,
+                path: `${targetPath}#services.${serviceName}.security_opt`,
+                suggestion: 'Avoid unconfined security profiles. Remove the option or use a minimal custom seccomp/apparmor profile.'
+            });
+        }
         // Rule: docker socket mount
         const volumes = Array.isArray(svc?.volumes) ? svc.volumes : [];
         for (const v of volumes) {
@@ -75,6 +137,35 @@ export function runRules(compose, targetPath) {
                     suggestion: 'Avoid mounting /. Mount only specific directories required by the app.'
                 });
             }
+            if (v.startsWith('/dev:/dev') || v.startsWith('/dev/:/dev')) {
+                findings.push({
+                    id: 'compose.host-dev-mount',
+                    title: 'Host /dev mounted into container',
+                    severity: 'high',
+                    message: `Service '${serviceName}' mounts host /dev into the container ('${v}'), which can enable device access and privilege escalation.`,
+                    service: serviceName,
+                    path: `${targetPath}#services.${serviceName}.volumes`,
+                    suggestion: 'Avoid mounting /dev. If hardware access is required, map only the specific device(s) needed via devices:.'
+                });
+            }
+        }
+        // Rule: dangerous device mappings
+        const devices = Array.isArray(svc?.devices) ? svc.devices : [];
+        for (const d of devices) {
+            if (typeof d !== 'string')
+                continue;
+            const lower = d.toLowerCase();
+            if (lower.includes('/dev/mem') || lower.includes('/dev/kmem') || lower.includes('/dev/kmsg')) {
+                findings.push({
+                    id: 'compose.dangerous-device',
+                    title: 'Dangerous device mapped into container',
+                    severity: 'high',
+                    message: `Service '${serviceName}' maps a sensitive device into the container ('${d}').`,
+                    service: serviceName,
+                    path: `${targetPath}#services.${serviceName}.devices`,
+                    suggestion: 'Avoid mapping kernel/memory/log devices into containers. If absolutely required, isolate the host and restrict container privileges.'
+                });
+            }
         }
         // Rule: restart policy
         if (svc?.restart == null) {

package/dist/rules.test.js

@@ -16,3 +16,38 @@ test('detects docker socket mount', () => {
     const findings = runRules(compose, 'docker-compose.yml');
     assert.ok(findings.some((f) => f.id === 'compose.docker-socket' && f.service === 'runner'));
 });
+test('detects cap_add: ALL', () => {
+    const compose = { services: { app: { cap_add: ['ALL'] } } };
+    const findings = runRules(compose, 'docker-compose.yml');
+    assert.ok(findings.some((f) => f.id === 'compose.cap-add-all' && f.service === 'app'));
+});
+test('detects network_mode: host', () => {
+    const compose = { services: { app: { network_mode: 'host' } } };
+    const findings = runRules(compose, 'docker-compose.yml');
+    assert.ok(findings.some((f) => f.id === 'compose.network-host' && f.service === 'app'));
+});
+test('detects pid: host', () => {
+    const compose = { services: { app: { pid: 'host' } } };
+    const findings = runRules(compose, 'docker-compose.yml');
+    assert.ok(findings.some((f) => f.id === 'compose.pid-host' && f.service === 'app'));
+});
+test('detects ipc: host', () => {
+    const compose = { services: { app: { ipc: 'host' } } };
+    const findings = runRules(compose, 'docker-compose.yml');
+    assert.ok(findings.some((f) => f.id === 'compose.ipc-host' && f.service === 'app'));
+});
+test('detects unconfined security_opt', () => {
+    const compose = { services: { app: { security_opt: ['seccomp=unconfined'] } } };
+    const findings = runRules(compose, 'docker-compose.yml');
+    assert.ok(findings.some((f) => f.id === 'compose.security-unconfined' && f.service === 'app'));
+});
+test('detects host /dev mount', () => {
+    const compose = { services: { app: { volumes: ['/dev:/dev'] } } };
+    const findings = runRules(compose, 'docker-compose.yml');
+    assert.ok(findings.some((f) => f.id === 'compose.host-dev-mount' && f.service === 'app'));
+});
+test('detects dangerous device mapping', () => {
+    const compose = { services: { app: { devices: ['/dev/kmsg:/dev/kmsg'] } } };
+    const findings = runRules(compose, 'docker-compose.yml');
+    assert.ok(findings.some((f) => f.id === 'compose.dangerous-device' && f.service === 'app'));
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "configsentry",
-  "version": "0.0.11",
+  "version": "0.0.13",
   "description": "Developer-first guardrails for docker-compose.yml (security + ops footguns).",
   "type": "module",
   "license": "MIT",

package/src/rules.test.ts

@@ -19,3 +19,45 @@ test('detects docker socket mount', () => {
   const findings = runRules(compose, 'docker-compose.yml');
   assert.ok(findings.some((f) => f.id === 'compose.docker-socket' && f.service === 'runner'));
 });
+
+test('detects cap_add: ALL', () => {
+  const compose = { services: { app: { cap_add: ['ALL'] } } };
+  const findings = runRules(compose, 'docker-compose.yml');
+  assert.ok(findings.some((f) => f.id === 'compose.cap-add-all' && f.service === 'app'));
+});
+
+test('detects network_mode: host', () => {
+  const compose = { services: { app: { network_mode: 'host' } } };
+  const findings = runRules(compose, 'docker-compose.yml');
+  assert.ok(findings.some((f) => f.id === 'compose.network-host' && f.service === 'app'));
+});
+
+test('detects pid: host', () => {
+  const compose = { services: { app: { pid: 'host' } } };
+  const findings = runRules(compose, 'docker-compose.yml');
+  assert.ok(findings.some((f) => f.id === 'compose.pid-host' && f.service === 'app'));
+});
+
+test('detects ipc: host', () => {
+  const compose = { services: { app: { ipc: 'host' } } };
+  const findings = runRules(compose, 'docker-compose.yml');
+  assert.ok(findings.some((f) => f.id === 'compose.ipc-host' && f.service === 'app'));
+});
+
+test('detects unconfined security_opt', () => {
+  const compose = { services: { app: { security_opt: ['seccomp=unconfined'] } } };
+  const findings = runRules(compose, 'docker-compose.yml');
+  assert.ok(findings.some((f) => f.id === 'compose.security-unconfined' && f.service === 'app'));
+});
+
+test('detects host /dev mount', () => {
+  const compose = { services: { app: { volumes: ['/dev:/dev'] } } };
+  const findings = runRules(compose, 'docker-compose.yml');
+  assert.ok(findings.some((f) => f.id === 'compose.host-dev-mount' && f.service === 'app'));
+});
+
+test('detects dangerous device mapping', () => {
+  const compose = { services: { app: { devices: ['/dev/kmsg:/dev/kmsg'] } } };
+  const findings = runRules(compose, 'docker-compose.yml');
+  assert.ok(findings.some((f) => f.id === 'compose.dangerous-device' && f.service === 'app'));
+});

package/src/rules.ts

@@ -50,6 +50,71 @@ export function runRules(compose: any, targetPath: string): Finding[] {
       });
     }
 
+    // Rule: cap_add: [ALL]
+    const capAdd: any[] = Array.isArray(svc?.cap_add) ? svc.cap_add : [];
+    if (capAdd.some((c) => String(c).toUpperCase() === 'ALL')) {
+      findings.push({
+        id: 'compose.cap-add-all',
+        title: 'Dangerous Linux capabilities (cap_add: ALL)',
+        severity: 'high',
+        message: `Service '${serviceName}' uses cap_add: [ALL], which is effectively privileged in many cases.`,
+        service: serviceName,
+        path: `${targetPath}#services.${serviceName}.cap_add`,
+        suggestion: 'Remove cap_add: ALL. Add only the specific capabilities required (e.g. NET_BIND_SERVICE) or redesign to avoid it.'
+      });
+    }
+
+    // Rule: host namespaces (network/pid/ipc)
+    if (svc?.network_mode === 'host') {
+      findings.push({
+        id: 'compose.network-host',
+        title: 'Host network namespace (network_mode: host)',
+        severity: 'high',
+        message: `Service '${serviceName}' uses network_mode: host, bypassing Docker network isolation.`,
+        service: serviceName,
+        path: `${targetPath}#services.${serviceName}.network_mode`,
+        suggestion: 'Avoid host networking. Prefer explicit port mappings or internal networks.'
+      });
+    }
+    if (svc?.pid === 'host') {
+      findings.push({
+        id: 'compose.pid-host',
+        title: 'Host PID namespace (pid: host)',
+        severity: 'high',
+        message: `Service '${serviceName}' uses pid: host, exposing host process namespace to the container.`,
+        service: serviceName,
+        path: `${targetPath}#services.${serviceName}.pid`,
+        suggestion: 'Avoid pid: host unless you are building low-level host tooling and understand the security implications.'
+      });
+    }
+    if (svc?.ipc === 'host') {
+      findings.push({
+        id: 'compose.ipc-host',
+        title: 'Host IPC namespace (ipc: host)',
+        severity: 'high',
+        message: `Service '${serviceName}' uses ipc: host, exposing host IPC namespace to the container.`,
+        service: serviceName,
+        path: `${targetPath}#services.${serviceName}.ipc`,
+        suggestion: 'Avoid ipc: host. Prefer explicit shared volumes or redesign if IPC sharing is required.'
+      });
+    }
+
+    // Rule: unconfined security profiles
+    const securityOpt: any[] = Array.isArray(svc?.security_opt) ? svc.security_opt : [];
+    const sec = securityOpt.map((x) => String(x).toLowerCase());
+    const hasUnconfined = sec.some((x) => x.includes('seccomp') && x.includes('unconfined')) || sec.some((x) => x.includes('apparmor') && x.includes('unconfined')) || sec.some((x) => x.includes('label:disable'));
+    if (hasUnconfined) {
+      findings.push({
+        id: 'compose.security-unconfined',
+        title: 'Security profile disabled (unconfined)',
+        severity: 'high',
+        message: `Service '${serviceName}' disables container security profiles via security_opt (${securityOpt.join(', ')}).`,
+        service: serviceName,
+        path: `${targetPath}#services.${serviceName}.security_opt`,
+        suggestion: 'Avoid unconfined security profiles. Remove the option or use a minimal custom seccomp/apparmor profile.'
+      });
+    }
+
     // Rule: docker socket mount
     const volumes: any[] = Array.isArray(svc?.volumes) ? svc.volumes : [];
     for (const v of volumes) {
@@ -76,6 +141,35 @@ export function runRules(compose: any, targetPath: string): Finding[] {
           suggestion: 'Avoid mounting /. Mount only specific directories required by the app.'
         });
       }
+      if (v.startsWith('/dev:/dev') || v.startsWith('/dev/:/dev')) {
+        findings.push({
+          id: 'compose.host-dev-mount',
+          title: 'Host /dev mounted into container',
+          severity: 'high',
+          message: `Service '${serviceName}' mounts host /dev into the container ('${v}'), which can enable device access and privilege escalation.`,
+          service: serviceName,
+          path: `${targetPath}#services.${serviceName}.volumes`,
+          suggestion: 'Avoid mounting /dev. If hardware access is required, map only the specific device(s) needed via devices:.'
+        });
+      }
+    }
+
+    // Rule: dangerous device mappings
+    const devices: any[] = Array.isArray(svc?.devices) ? svc.devices : [];
+    for (const d of devices) {
+      if (typeof d !== 'string') continue;
+      const lower = d.toLowerCase();
+      if (lower.includes('/dev/mem') || lower.includes('/dev/kmem') || lower.includes('/dev/kmsg')) {
+        findings.push({
+          id: 'compose.dangerous-device',
+          title: 'Dangerous device mapped into container',
+          severity: 'high',
+          message: `Service '${serviceName}' maps a sensitive device into the container ('${d}').`,
+          service: serviceName,
+          path: `${targetPath}#services.${serviceName}.devices`,
+          suggestion: 'Avoid mapping kernel/memory/log devices into containers. If absolutely required, isolate the host and restrict container privileges.'
+        });
+      }
     }
 
     // Rule: restart policy