Docker Compose security best practices

A short, opinionated checklist of the footguns that actually show up in the wild.

Checklist

  1. Run as non-root: set user: "1000:1000" (or any UID:GID the image's files permit) so a compromised process does not start out as uid 0 inside the container.
  2. Avoid docker.sock: mounting /var/run/docker.sock hands the container the Docker API, which is root-equivalent on the host; treat any service that has it as privileged infrastructure.
  3. Don't expose sensitive ports: a bare "5432:5432" publishes on every interface and bypasses host firewall rules such as ufw, because Docker programs iptables directly. Bind DB ports to 127.0.0.1 or, better, publish nothing and reach them over an internal network.
  4. Pin images: avoid latest and missing tags (a missing tag is an implicit latest); prefer version tags or, for reproducible deploys, digests (image@sha256:...).
  5. Avoid privileged / ALL caps: never set privileged: true; use cap_drop: [ALL], cap_add only what the process needs, and security_opt: no-new-privileges:true.
  6. Add healthchecks + restart: a healthcheck makes a process that is up but hung visible (and lets depends_on wait for readiness); a restart policy brings it back instead of leaving it silently dead or flapping.
  7. Keep secrets out of YAML: use ${VAR} + .env (gitignored) for non-secret config, and Docker secrets for credentials. Environment variables still show up in docker inspect and in child processes, so a file under /run/secrets is the stronger option.
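
As an added example (not code from the original page or from ConfigSentry), here is a docker-compose.yml that applies all seven items, with the weak form of each setting noted in a comment beside the hardened one. The image names, the all-zero digests, UIDs, ports and the secret file path are placeholders to replace with your own; take the digests from docker inspect on the images you actually run.

```yaml
# Added example, not from the original page or from ConfigSentry: a compose
# file that applies every item in the checklist above. Image names, the
# all-zero digests, UIDs, ports and the secret path are placeholders.
services:
  app:
    # 4. Pin by digest. The tag is for humans; the digest is what gets pulled.
    #    Weak form: image: ghcr.io/example/app   (implicit :latest)
    image: ghcr.io/example/app:1.4.2@sha256:0000000000000000000000000000000000000000000000000000000000000000
    # 1. Run as an unprivileged UID:GID that the image's files permit.
    #    Weak form: no user: at all, so the process runs as uid 0.
    user: "10001:10001"
    # 5. Drop every capability, block setuid/file-cap escalation, and keep the
    #    root filesystem read-only. Never: privileged: true
    #    Add back a single cap only if the process needs it, e.g.
    #    cap_add: [NET_BIND_SERVICE] for a port below 1024.
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp
    # 6. A healthcheck makes "running but hung" visible; restart brings it back.
    #    Assumes the image ships wget and serves /healthz; adjust to your app.
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8080/healthz"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 15s
    restart: unless-stopped
    # 7. Non-secret settings via environment (${VAR} from a gitignored .env is
    #    fine here); the password arrives as a file under /run/secrets.
    #    Weak form: DB_PASSWORD: hunter2 in this file or in .env
    environment:
      DB_HOST: db
      DB_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
    # 3. Publish on loopback only and put a reverse proxy in front.
    #    Weak form: - "8080:8080"  (all interfaces, bypasses ufw-style rules)
    ports:
      - "127.0.0.1:8080:8080"
    networks:
      - frontend
      - backend
    # 2. There is deliberately no volumes: entry for /var/run/docker.sock.
    #    If something needs the Docker API, give it a filtering proxy instead.
    depends_on:
      db:
        condition: service_healthy

  db:
    image: postgres:16.3@sha256:0000000000000000000000000000000000000000000000000000000000000000
    user: "999:999"               # uid/gid of 'postgres' in the official Debian-based image
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    environment:
      POSTGRES_USER: app
      POSTGRES_DB: app
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password   # *_FILE is supported by the official image
    secrets:
      - db_password
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U app -d app"]
      interval: 10s
      timeout: 5s
      retries: 5
    restart: unless-stopped
    # 3. No ports: at all; the database is reachable only over 'backend'.
    #    Weak form: ports: ["5432:5432"]
    networks:
      - backend

networks:
  frontend: {}
  backend:
    internal: true                # no route off the host; app reaches db, db reaches nothing else

secrets:
  db_password:
    file: ./secrets/db_password   # gitignored, mode 0400 on the host

volumes:
  pgdata: {}
```

Run docker compose config against the file before deploying: it validates the YAML and prints the rendered configuration with ${VAR} interpolation applied, which is a quick way to confirm that no credential ended up in the rendered output and that the db service really has no ports: block.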

Automate the checklist

Run ConfigSentry locally:

npx configsentry ./docker-compose.yml

CI gating (only HIGH):

npx configsentry ./docker-compose.yml --severity-threshold high

More: Docker Compose linter