Safety / methodology
- Repos are treated as untrusted.
- No repo code is executed (no installs, no scripts).
- Only Compose YAML files are scanned.
- Clones are deleted after scanning.
Full reports (with aggregate summaries): repo-tests/
What we found
Across the first three repos tested, the most common patterns were:
- Running as root (missing user:)
- Missing healthchecks and restart policies
- Unpinned images (:latest / missing tag)
- Occasional docker.sock mounts (especially in CI / agent setups)
- Hardcoded secrets in environment (often in demo stacks)
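As an added illustration (not configsentry's own code), the checks below flag the five patterns listed above over an already-parsed Compose file; the sample stack, the SECRET_KEY_HINTS list and the finding strings are constructed here, and in practice the dict would come from yaml.safe_load on docker-compose.yml.

```python
# Added example, not configsentry's implementation: minimal checks for the
# patterns reported above, run over a constructed sample Compose stack.
SECRET_KEY_HINTS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY")  # assumption

def env_items(env):
    """Normalise Compose 'environment' (mapping or list of KEY=VAL) to pairs."""
    if isinstance(env, dict):
        return [(k, "" if v is None else str(v)) for k, v in env.items()]
    pairs = []
    for item in env or []:
        key, sep, val = str(item).partition("=")
        pairs.append((key, val if sep else ""))
    return pairs

def scan_compose(compose):
    """Return (service, finding) tuples for each pattern found."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        svc = svc or {}
        if "user" not in svc:
            findings.append((name, "runs as root: no user: set"))
        if "healthcheck" not in svc:
            findings.append((name, "no healthcheck"))
        if "restart" not in svc and "deploy" not in svc:  # deploy may carry restart_policy
            findings.append((name, "no restart policy"))
        image = svc.get("image")
        if image:
            # only the last path segment can hold the tag (registry may contain ':port')
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            if "@sha256:" not in image and (not tag or tag == "latest"):
                findings.append((name, f"unpinned image: {image}"))
        for vol in svc.get("volumes") or []:
            src = vol.get("source", "") if isinstance(vol, dict) else str(vol).split(":")[0]
            if src == "/var/run/docker.sock":
                findings.append((name, "mounts docker.sock (host root equivalent)"))
        for key, val in env_items(svc.get("environment")):
            # literal values only; ${VAR} references are read from the environment
            if any(h in key.upper() for h in SECRET_KEY_HINTS) and val and not val.startswith("$"):
                findings.append((name, f"hardcoded secret in environment: {key}"))
    return findings

# Constructed sample stack (not from any scanned repo) exhibiting every pattern.
SAMPLE = {"services": {
    "web": {"image": "nginx:latest", "user": "1000:1000", "restart": "always",
            "healthcheck": {"test": ["CMD", "true"]}},
    "runner": {"image": "myorg/agent", "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
               "environment": ["API_TOKEN=abc123", "DB_HOST=${DB_HOST}"]},
}}

if __name__ == "__main__":
    for service, finding in scan_compose(SAMPLE):
        print(f"{service}: {finding}")
```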
Try it yourself
npx configsentry ./docker-compose.yml
For CI gating, add --severity-threshold high.
Related pages: Compose security best practices · Docker Compose linter