Docker Compose linter

Quickstart

npx configsentry ./docker-compose.yml

Exit codes: 0 = clean, 2 = findings, 1 = error.

What it catches

• Runs as root
  Missing user: (often combined with bind mounts).
• docker.sock mounts
  Mounting /var/run/docker.sock ≈ root-on-host.
• Exposed DB ports
  Sensitive ports bound to 0.0.0.0 (e.g. 5432:5432).
• Hardcoded secrets
  Likely secrets in environment: (heuristic).
• Unpinned images
  Missing tags or :latest break reproducibility.
• Missing healthchecks
  Reliability guardrails (healthcheck, restart).

CI usage

Fail only on high severity findings:

npx configsentry ./docker-compose.yml --severity-threshold high

Incremental rollout (baselines):

npx configsentry ./docker-compose.yml --write-baseline .configsentry-baseline.json
npx configsentry ./docker-compose.yml --baseline .configsentry-baseline.json

More docs: Baselines · GitHub Action

Proof in the wild

Public repo scans (untrusted repos, no code executed):

repo-tests/ →