Skip to content

feat: add docker compose security scanning and multi-service orchestr…#98

Merged
advaitpatel merged 5 commits into
mainfrom
feat/implement-docker-compose-security-scanning
Jun 12, 2026
Merged

feat: add docker compose security scanning and multi-service orchestr…#98
advaitpatel merged 5 commits into
mainfrom
feat/implement-docker-compose-security-scanning

Conversation

@advaitpatel

Copy link
Copy Markdown
Collaborator

Summary

Adds native support for scanning docker-compose.yml files. This feature detects orchestration-level misconfigurations and automatically orchestrates the existing Dockerfile and image scans for every service defined in the compose file.

Changes

  • Compose Parser: Added ComposeScanner using ruamel.yaml to parse compose files while preserving accurate line numbers for findings.
  • Compose Orchestrator: Added ComposeOrchestrator which extracts all services, identifies their build contexts/images, and runs the existing DockerSecurityScanner on each.
  • Checks Implemented:
    • CRITICAL: compose-docker-socket-mount, compose-privileged, compose-host-network, compose-host-namespace, compose-dangerous-capabilities, compose-sensitive-host-mount
    • HIGH: compose-plaintext-secret-env, compose-port-bound-all-interfaces, compose-disabled-security-opt, compose-no-non-root-user
    • MEDIUM: compose-latest-or-untagged-image, compose-no-resource-limits, compose-env-file-secret-risk, compose-writable-root-fs
    • LOW: compose-no-new-privileges, compose-no-network-segmentation, compose-missing-healthcheck
  • Pipeline Integration: All compose-level findings and per-service findings are merged and passed through the existing LLM remediation layer and scoring system.
  • CLI: Added the --compose [PATH] flag. If no path is provided, it auto-detects standard compose filenames in the current directory.
  • Docs & Examples: Updated README.md, added docs/CHANGELOG.md entries, and added insecure/secure compose examples in the examples/compose/ directory.

Testing

  • Added tests/test_compose_scanner.py with full coverage for parser logic, every rule, line mapping, integration, and offline mode.
  • Existing test suite passes unchanged.

…ation

## Summary
Adds native support for scanning `docker-compose.yml` files. This feature detects orchestration-level misconfigurations and automatically orchestrates the existing Dockerfile and image scans for every service defined in the compose file.

## Changes
- **Compose Parser**: Added `ComposeScanner` using `ruamel.yaml` to parse compose files while preserving accurate line numbers for findings.
- **Compose Orchestrator**: Added `ComposeOrchestrator` which extracts all services, identifies their build contexts/images, and runs the existing `DockerSecurityScanner` on each.
- **Checks Implemented**:
  - **CRITICAL**: `compose-docker-socket-mount`, `compose-privileged`, `compose-host-network`, `compose-host-namespace`, `compose-dangerous-capabilities`, `compose-sensitive-host-mount`
  - **HIGH**: `compose-plaintext-secret-env`, `compose-port-bound-all-interfaces`, `compose-disabled-security-opt`, `compose-no-non-root-user`
  - **MEDIUM**: `compose-latest-or-untagged-image`, `compose-no-resource-limits`, `compose-env-file-secret-risk`, `compose-writable-root-fs`
  - **LOW**: `compose-no-new-privileges`, `compose-no-network-segmentation`, `compose-missing-healthcheck`
- **Pipeline Integration**: All compose-level findings and per-service findings are merged and passed through the existing LLM remediation layer and scoring system.
- **CLI**: Added the `--compose [PATH]` flag. If no path is provided, it auto-detects standard compose filenames in the current directory.
- **Docs & Examples**: Updated `README.md`, added `docs/CHANGELOG.md` entries, and added insecure/secure compose examples in the `examples/compose/` directory.

## Testing
- Added `tests/test_compose_scanner.py` with full coverage for parser logic, every rule, line mapping, integration, and offline mode.
- Existing test suite passes unchanged.
Comment thread docksec/cli.py Fixed
Comment thread test_compose.py Fixed
Comment thread test_compose.py Fixed
Comment thread tests/test_compose_scanner.py Fixed
Comment thread tests/test_compose_scanner.py Fixed
Comment thread tests/test_compose_scanner.py Fixed
Comment thread test_compose.py Fixed
Comment thread test_compose.py Fixed
Comment thread tests/test_compose_scanner.py Fixed
Comment thread tests/test_compose_scanner.py Fixed
Comment thread tests/test_compose_scanner.py Fixed
Comment thread docksec/cli.py Fixed
Advait Patel and others added 4 commits June 12, 2026 03:35
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@advaitpatel advaitpatel merged commit fca605d into main Jun 12, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants