configsentry 0.0.12 → 0.0.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/dist/rules.js +29 -0
  2. package/dist/rules.test.js +10 -0
  3. package/package.json +1 -1
  4. package/src/rules.test.ts +12 -0
  5. package/src/rules.ts +29 -0
package/dist/rules.js CHANGED
@@ -137,6 +137,35 @@ export function runRules(compose, targetPath) {
137
137
  suggestion: 'Avoid mounting /. Mount only specific directories required by the app.'
138
138
  });
139
139
  }
140
+ if (v.startsWith('/dev:/dev') || v.startsWith('/dev/:/dev')) {
141
+ findings.push({
142
+ id: 'compose.host-dev-mount',
143
+ title: 'Host /dev mounted into container',
144
+ severity: 'high',
145
+ message: `Service '${serviceName}' mounts host /dev into the container ('${v}'), which can enable device access and privilege escalation.`,
146
+ service: serviceName,
147
+ path: `${targetPath}#services.${serviceName}.volumes`,
148
+ suggestion: 'Avoid mounting /dev. If hardware access is required, map only the specific device(s) needed via devices:.'
149
+ });
150
+ }
151
+ }
152
+ // Rule: dangerous device mappings
153
+ const devices = Array.isArray(svc?.devices) ? svc.devices : [];
154
+ for (const d of devices) {
155
+ if (typeof d !== 'string')
156
+ continue;
157
+ const lower = d.toLowerCase();
158
+ if (lower.includes('/dev/mem') || lower.includes('/dev/kmem') || lower.includes('/dev/kmsg')) {
159
+ findings.push({
160
+ id: 'compose.dangerous-device',
161
+ title: 'Dangerous device mapped into container',
162
+ severity: 'high',
163
+ message: `Service '${serviceName}' maps a sensitive device into the container ('${d}').`,
164
+ service: serviceName,
165
+ path: `${targetPath}#services.${serviceName}.devices`,
166
+ suggestion: 'Avoid mapping kernel/memory/log devices into containers. If absolutely required, isolate the host and restrict container privileges.'
167
+ });
168
+ }
140
169
  }
141
170
  // Rule: restart policy
142
171
  if (svc?.restart == null) {
package/dist/rules.test.js CHANGED
@@ -41,3 +41,13 @@ test('detects unconfined security_opt', () => {
41
41
  const findings = runRules(compose, 'docker-compose.yml');
42
42
  assert.ok(findings.some((f) => f.id === 'compose.security-unconfined' && f.service === 'app'));
43
43
  });
44
+ test('detects host /dev mount', () => {
45
+ const compose = { services: { app: { volumes: ['/dev:/dev'] } } };
46
+ const findings = runRules(compose, 'docker-compose.yml');
47
+ assert.ok(findings.some((f) => f.id === 'compose.host-dev-mount' && f.service === 'app'));
48
+ });
49
+ test('detects dangerous device mapping', () => {
50
+ const compose = { services: { app: { devices: ['/dev/kmsg:/dev/kmsg'] } } };
51
+ const findings = runRules(compose, 'docker-compose.yml');
52
+ assert.ok(findings.some((f) => f.id === 'compose.dangerous-device' && f.service === 'app'));
53
+ });
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "configsentry",
3
- "version": "0.0.12",
3
+ "version": "0.0.13",
4
4
  "description": "Developer-first guardrails for docker-compose.yml (security + ops footguns).",
5
5
  "type": "module",
6
6
  "license": "MIT",
package/src/rules.test.ts CHANGED
@@ -49,3 +49,15 @@ test('detects unconfined security_opt', () => {
49
49
  const findings = runRules(compose, 'docker-compose.yml');
50
50
  assert.ok(findings.some((f) => f.id === 'compose.security-unconfined' && f.service === 'app'));
51
51
  });
52
+
53
+ test('detects host /dev mount', () => {
54
+ const compose = { services: { app: { volumes: ['/dev:/dev'] } } };
55
+ const findings = runRules(compose, 'docker-compose.yml');
56
+ assert.ok(findings.some((f) => f.id === 'compose.host-dev-mount' && f.service === 'app'));
57
+ });
58
+
59
+ test('detects dangerous device mapping', () => {
60
+ const compose = { services: { app: { devices: ['/dev/kmsg:/dev/kmsg'] } } };
61
+ const findings = runRules(compose, 'docker-compose.yml');
62
+ assert.ok(findings.some((f) => f.id === 'compose.dangerous-device' && f.service === 'app'));
63
+ });
package/src/rules.ts CHANGED
@@ -141,6 +141,35 @@ export function runRules(compose: any, targetPath: string): Finding[] {
141
141
  suggestion: 'Avoid mounting /. Mount only specific directories required by the app.'
142
142
  });
143
143
  }
144
+ if (v.startsWith('/dev:/dev') || v.startsWith('/dev/:/dev')) {
145
+ findings.push({
146
+ id: 'compose.host-dev-mount',
147
+ title: 'Host /dev mounted into container',
148
+ severity: 'high',
149
+ message: `Service '${serviceName}' mounts host /dev into the container ('${v}'), which can enable device access and privilege escalation.`,
150
+ service: serviceName,
151
+ path: `${targetPath}#services.${serviceName}.volumes`,
152
+ suggestion: 'Avoid mounting /dev. If hardware access is required, map only the specific device(s) needed via devices:.'
153
+ });
154
+ }
155
+ }
156
+
157
+ // Rule: dangerous device mappings
158
+ const devices: any[] = Array.isArray(svc?.devices) ? svc.devices : [];
159
+ for (const d of devices) {
160
+ if (typeof d !== 'string') continue;
161
+ const lower = d.toLowerCase();
162
+ if (lower.includes('/dev/mem') || lower.includes('/dev/kmem') || lower.includes('/dev/kmsg')) {
163
+ findings.push({
164
+ id: 'compose.dangerous-device',
165
+ title: 'Dangerous device mapped into container',
166
+ severity: 'high',
167
+ message: `Service '${serviceName}' maps a sensitive device into the container ('${d}').`,
168
+ service: serviceName,
169
+ path: `${targetPath}#services.${serviceName}.devices`,
170
+ suggestion: 'Avoid mapping kernel/memory/log devices into containers. If absolutely required, isolate the host and restrict container privileges.'
171
+ });
172
+ }
144
173
  }
145
174
 
146
175
  // Rule: restart policy