ConfigSentry

Guardrails for docker-compose.yml.

A tiny CLI linter that catches security + reliability footguns before they hit prod.

CI-friendly exit codes · Actionable fixes · MIT licensed

Why

Compose files grow organically. A single line, such as privileged: true or a bind mount of /var/run/docker.sock, can silently turn a container into “root on host”. ConfigSentry surfaces the riskiest patterns early — locally or in CI.

Install & run

git clone https://github.com/alfredMorgenstern/configsentry
cd configsentry
npm ci
npm run build
node dist/cli.js ./docker-compose.yml

Tip: use the exit code (0=clean, 2=findings) to fail pipelines.
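As an added example (not ConfigSentry's own code), here is a minimal linter in JavaScript over an already-parsed compose document, wired to the same 0/2 exit-code convention. It assumes the YAML has already been loaded with a library such as js-yaml, and the two rules it implements (privileged: true and Docker socket mounts) are the patterns this page names, picked as an illustration rather than the project's MVP rule list.

```javascript
// Added example (not ConfigSentry's own code): a minimal compose linter over an
// already-parsed compose document (what a YAML loader such as js-yaml returns),
// following the page's exit-code convention: 0 = clean, 2 = findings.
const DOCKER_SOCK = "/var/run/docker.sock";

// Host-side source of a volume entry, for both the short "host:container[:mode]"
// string form and the long {type, source, target} object form; null if none.
function volumeSource(v) {
  if (typeof v === "string") {
    const parts = v.split(":");
    return parts.length >= 2 ? parts[0] : null; // one element = anonymous volume
  }
  if (v && typeof v === "object") return v.source || null;
  return null;
}

// Example rule set (assumed, not the project's MVP list): the two patterns the page
// names, privileged containers and Docker socket mounts. Returns {service, rule, fix}[].
function lintCompose(doc) {
  const findings = [];
  const services = (doc && doc.services) || {};
  for (const [name, svc] of Object.entries(services)) {
    if (svc.privileged === true) {
      findings.push({ service: name, rule: "privileged",
        fix: "remove privileged: true and grant only the capabilities needed via cap_add" });
    }
    for (const v of svc.volumes || []) {
      if (volumeSource(v) === DOCKER_SOCK) {
        findings.push({ service: name, rule: "docker-socket-mount",
          fix: "drop the socket mount; access to the daemon socket is root on the host" });
      }
    }
  }
  return findings;
}

// Exit code for CI: 0 when clean, 2 when there are findings.
function exitCodeFor(findings) { return findings.length === 0 ? 0 : 2; }

// Constructed sample: one clean service and one that trips both rules.
const SAMPLE = {
  services: {
    web: { image: "nginx:1.25", ports: ["8080:80"] },
    agent: { image: "agent:latest", privileged: true,
      volumes: ["/var/run/docker.sock:/var/run/docker.sock:ro",
                { type: "bind", source: "/data", target: "/data" }] },
  },
};
```

Running lintCompose(SAMPLE) yields two findings, both against the agent service, and exitCodeFor maps that to 2, which is what a pipeline step would propagate.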

What it checks (MVP)

Roadmap

  1. Publish to npm (configsentry)
  2. GitHub Action wrapper (fail PRs with annotated findings)
  3. SARIF output for GitHub “Code scanning”
  4. Baselines/suppressions for incremental adoption
  5. Autofix mode for safe transforms

Pricing (later)

The core linter stays open source. If there’s demand, a Pro tier can add PR comments, SARIF, baselines, and policy packs for common stacks.