Docker Compose Inspector

Analyze docker-compose.yml files for security issues, exposed ports, privileged containers, and misconfigurations


What is the Docker Compose Inspector?

The Docker Compose Inspector is a client-side security tool that analyzes your docker-compose.yml files for common security misconfigurations, exposed services, and deployment risks. It detects privileged containers, Docker socket mounts, sensitive bind mounts, exposed ports, unpinned images, undefined variables, and unnecessary networks — then calculates a security score with actionable recommendations.

How to Use

  1. Paste your docker-compose.yml content into the input field
  2. Click "Inspect" or wait for automatic processing
  3. Review findings with severity ratings (Critical, High, Medium, Low)
  4. Follow the recommendations to harden your composition
  5. Export a full report in JSON or Markdown format

Example: Insecure Docker Compose

This docker-compose.yml has multiple security issues that the inspector will detect:

version: '3'                      # obsolete key; the Compose Specification ignores it
services:
  app:
    image: myapp:latest           # Medium: :latest tag, not reproducible
    privileged: true              # Critical: disables container isolation
    ports:
      - "3000:3000"               # Medium: no host IP given, so bound to 0.0.0.0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock   # Critical: full control of the Docker daemon
      - /etc:/host-etc            # High: sensitive host path bind-mounted
    environment:
      - DB_URL=postgres://${DB_USER}:${DB_PASS}@db:5432/app   # no defaults: empty if unset
    # no memory limit (Low)

  db:
    image: postgres               # Medium: untagged, resolves to :latest
    ports:
      - "5432:5432"               # Medium: database published on every interface

networks:
  unused-net:                     # Low: defined but used by no service
    driver: bridge

What Security Issues Are Detected?

  • Privileged mode — Disables nearly all container isolation: every capability is granted, the seccomp and AppArmor profiles are dropped, and all host devices are accessible, so an attacker in the container can mount the host's disks and escape to the host
  • Docker socket mount — Container gains full control over the Docker daemon, which is equivalent to root on the host: it can start a privileged container with the host filesystem mounted
  • Sensitive bind mounts — Mounting /etc, /proc, /sys, /dev, or /root exposes critical host files to the container (and, if writable, lets it modify them)
  • Exposed ports — Mappings without an explicit host IP bind to 0.0.0.0, so the service is reachable from every network interface, potentially the internet
  • Latest/untagged images — Non-reproducible deployments; the image content can change on the next pull without any change to the file
  • Undefined variables — Interpolated variables (${VAR}) with no default and no :? guard expand to an empty string when unset; Compose only prints a warning, so a missing DB_PASS silently becomes an empty password
  • Unnecessary networks — Defined networks not attached to any service add complexity without purpose
  • cap_add ALL — Granting every Linux capability (including CAP_SYS_ADMIN) removes most of what the default capability set protects; it is only a step short of privileged mode and should be treated the same way
  • Missing memory limits — A container without a limit can exhaust host memory, and the kernel OOM killer then picks victims across the whole host, including other services

Security Scoring

Each docker-compose.yml receives a score from 0 to 100. The score starts at 100, each finding deducts its severity weight, and the result is floored at 0. Severity weights are: Critical (25 points), High (15 points), Medium (8 points), Low (3 points). The score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40).
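The checks listed above and the scoring rule, written out as an added example (this is not the page's own code, and the tool's actual implementation may differ). The compose document is embedded already parsed, as yaml.safe_load would return it, so the script runs without a YAML library. Severities the page does not state (cap_add ALL, undefined variables) and the choice of one finding per unguarded variable are assumptions made here.

```python
"""Added example, not the page's own code: the inspector's checks and scoring
in Python, run over the page's insecure compose file. The compose document is
embedded already parsed (what yaml.safe_load would return for the YAML above).
Severities the page leaves unstated and "one finding per variable" are assumed."""
import re

SEVERITY_POINTS = {"Critical": 25, "High": 15, "Medium": 8, "Low": 3}
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/sys", "/dev", "/root")
DOCKER_SOCKET = "/var/run/docker.sock"
# ${VAR}, ${VAR:-default}, ${VAR-default}, ${VAR:?err}, ${VAR:+alt} or bare $VAR.
# Group 2 is the modifier; a reference without one expands to "" when VAR is unset.
VAR_REF = re.compile(r"\$\{([A-Za-z_]\w*)(:?[-?+][^}]*)?\}|\$([A-Za-z_]\w*)")

# Constructed input: the insecure docker-compose.yml from the page, parsed.
INSECURE = {
    "services": {
        "app": {
            "image": "myapp:latest",
            "privileged": True,
            "ports": ["3000:3000"],
            "volumes": ["/var/run/docker.sock:/var/run/docker.sock", "/etc:/host-etc"],
            "environment": ["DB_URL=postgres://${DB_USER}:${DB_PASS}@db:5432/app"],
        },
        "db": {"image": "postgres", "ports": ["5432:5432"]},
    },
    "networks": {"unused-net": {"driver": "bridge"}},
}

def volume_source(entry):
    """Host-side source of a volume in short ("src:dst[:mode]") or long syntax."""
    if isinstance(entry, dict):
        return entry.get("source")
    parts = str(entry).split(":")
    return parts[0] if len(parts) >= 2 else None  # a lone path is an anonymous volume

def port_host_ip(entry):
    """Host IP a port mapping binds to; Docker uses 0.0.0.0 when none is given."""
    if isinstance(entry, dict):  # long syntax
        return entry.get("host_ip", "0.0.0.0")
    parts = str(entry).rsplit(":", 2)  # rsplit keeps bracketed IPv6 hosts intact
    return parts[0] if len(parts) == 3 else "0.0.0.0"

def is_loopback(ip):
    return ip.startswith("127.") or ip.strip("[]") == "::1"

def image_is_pinned(image):
    """True for a digest reference or an explicit tag other than latest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry:port and namespace first
    return ":" in last and last.split(":", 1)[1] != "latest"

def variables_without_default(value):
    """Names of interpolated variables in value that have no default or :? guard."""
    if not isinstance(value, str):
        return set()
    value = value.replace("$$", "")  # "$$" is a literal dollar, not interpolation
    return {name or bare for name, mod, bare in VAR_REF.findall(value) if not mod}

def inspect_compose(compose):
    """Return (severity, service, message) findings for a parsed compose file."""
    findings, used_networks = [], set()
    for name, svc in (compose.get("services") or {}).items():
        def add(sev, msg, name=name):
            findings.append((sev, name, msg))
        if svc.get("privileged") is True:
            add("Critical", "privileged: true disables container isolation")
        if any(str(c).upper() == "ALL" for c in svc.get("cap_add") or []):
            add("Critical", "cap_add ALL grants every Linux capability")
        for vol in svc.get("volumes") or []:
            src = volume_source(vol)
            if src == DOCKER_SOCKET:
                add("Critical", "Docker socket mounted: full control of the daemon")
            elif src and any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS):
                add("High", f"sensitive host path {src} bind-mounted")
        for port in svc.get("ports") or []:
            if not is_loopback(port_host_ip(port)):
                add("Medium", f"port {port} published on all interfaces")
        if "image" in svc and not image_is_pinned(svc["image"]):
            add("Medium", f"image {svc['image']} is untagged or :latest")
        env = svc.get("environment") or {}
        values = env.values() if isinstance(env, dict) else env
        for var in sorted(set().union(*map(variables_without_default, values))):
            add("Medium", f"${{{var}}} has no default or :? guard")
        limits = ((svc.get("deploy") or {}).get("resources") or {}).get("limits") or {}
        if not svc.get("mem_limit") and not limits.get("memory"):
            add("Low", "no memory limit")
        nets = svc.get("networks") or []
        used_networks.update(nets if isinstance(nets, list) else nets.keys())
    for net in compose.get("networks") or {}:
        if net not in used_networks:
            findings.append(("Low", "-", f"network {net} is defined but never used"))
    return findings

def score(findings):
    """Score (100 minus weights, floored at 0) and the page's letter grade."""
    total = max(0, 100 - sum(SEVERITY_POINTS[sev] for sev, _, _ in findings))
    thresholds = (("A", 90), ("B", 75), ("C", 60), ("D", 40))
    return total, next((g for g, floor in thresholds if total >= floor), "F")

if __name__ == "__main__":
    for sev, svc, msg in inspect_compose(INSECURE):
        print(f"[{sev:8}] {svc}: {msg}")
    print("score %d, grade %s" % score(inspect_compose(INSECURE)))
```

Run against the page's example this yields twelve findings whose weights sum to 122, so the score floors at 0 and the grade is F. Note that a static check cannot know the host environment; it flags every ${VAR} reference without a default or a :? guard, because that is exactly the case Compose lets through with a warning. The same checks pass cleanly on a file that pins images, binds ports to loopback and sets memory limits.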

Docker Compose Security Best Practices

  • Never use privileged: true; drop every capability (cap_drop: [ALL]) and add back only the ones the process actually needs via cap_add
  • Avoid mounting the Docker socket unless absolutely necessary; if a service needs the Docker API, put docker-socket-proxy in front of it with only the required endpoints enabled, and mount the socket read-only into the proxy alone
  • Bind ports to 127.0.0.1 for services that should only be accessible locally
  • Pin all images to specific version tags or, better, to SHA-256 digests (image@sha256:...) for reproducible deployments
  • Give non-secret environment variables a default (${VAR:-default}); for secrets use ${VAR:?error message} so Compose refuses to start instead of substituting an empty value
  • Set memory limits via deploy.resources.limits.memory (honoured by docker compose without Swarm) or the legacy mem_limit
  • Prefer expose, or no port mapping at all, over ports for services only other services need: containers on the same Compose network can reach each other's ports regardless, so ports is only for host or external access
  • Remove unused network definitions to reduce configuration complexity
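The page's insecure example with each of the practices above applied, as an added example rather than a file from the page or the tool's project. The digest, the memory sizes and the docker-socket-proxy release tag are placeholders to be replaced with values you have verified; cap_drop, no-new-privileges and the internal network go slightly beyond the list but are standard Compose settings.

```yaml
# Added example, not from the page: the insecure compose above, hardened.
# Digest, memory sizes and the proxy image tag are placeholders.
services:
  app:
    # Pinned by tag and digest: the image cannot change underneath you.
    image: myapp:1.4.2@sha256:0000000000000000000000000000000000000000000000000000000000000000
    cap_drop: [ALL]                  # drop everything, then add back only what is needed
    cap_add: [NET_BIND_SERVICE]
    security_opt: ["no-new-privileges:true"]
    ports:
      - "127.0.0.1:3000:3000"        # loopback only; front it with a reverse proxy
    environment:
      # ':?' makes compose fail at startup instead of running with an empty password
      DB_URL: postgres://${DB_USER:?DB_USER is required}:${DB_PASS:?DB_PASS is required}@db:5432/app
      DOCKER_HOST: tcp://docker-proxy:2375   # Docker API through the proxy, not the socket
    mem_limit: 512m
    networks: [backend, docker-api]

  db:
    image: postgres:16.2
    expose: ["5432"]                 # no 'ports': only peers on the compose network reach it
    volumes:
      - dbdata:/var/lib/postgresql/data   # named volume instead of a host path
    environment:
      POSTGRES_USER: ${DB_USER:?DB_USER is required}
      POSTGRES_PASSWORD: ${DB_PASS:?DB_PASS is required}
    mem_limit: 1g
    networks: [backend]

  docker-proxy:
    # The one place the socket is mounted: read-only, behind an allow-list, on a
    # network only 'app' can reach. The inspector will still flag this mount; review it.
    image: tecnativa/docker-socket-proxy:0.1.1   # placeholder tag, pin what you verified
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      CONTAINERS: "1"                # allow read access to /containers; writes stay disabled
    mem_limit: 64m
    networks: [docker-api]

volumes:
  dbdata: {}

networks:
  backend: {}
  docker-api:
    internal: true                   # no route to the outside world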

Privacy and Security

All inspection happens entirely in your browser using JavaScript. Your Docker Compose configuration — which may contain internal service names, registry URLs, environment variables, and infrastructure topology — is never transmitted to any server. No data is stored, logged, or shared.

Frequently Asked Questions

What security issues does the Docker Compose Inspector detect?

The inspector detects privileged mode containers, Docker socket mounts, sensitive host path bind mounts (/etc, /proc, /sys, /dev, /root), exposed ports binding to all interfaces, latest tag or untagged images, undefined environment variables without defaults, unnecessary defined networks, cap_add ALL, and missing memory limits. Each finding includes severity and remediation guidance.

How is the security score calculated?

The score starts at 100 and deducts points based on finding severity: Critical issues (like privileged mode or Docker socket mount) deduct 25 points, High issues (like sensitive bind mounts) deduct 15, Medium issues (like exposed ports or :latest tag) deduct 8, and Low issues (like unnecessary networks or missing memory limits) deduct 3. The final score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40).

Is my docker-compose.yml sent to any server?

No. All inspection happens entirely in your browser using JavaScript. Your Docker Compose configuration — which may contain internal service names, registry URLs, environment variables, and infrastructure topology — never leaves your device. No data is stored, logged, or transmitted.

Why is privileged mode flagged as critical?

Privileged mode (privileged: true) switches off nearly all of the container's isolation: it grants every capability, drops the seccomp and AppArmor profiles, and exposes all host devices. An attacker exploiting a vulnerability in a privileged container can mount the host's disks, escape to the host system, access other containers, and potentially compromise the entire infrastructure. Drop all capabilities (cap_drop: [ALL]) and add back only the minimum the process requires via cap_add.

Why is mounting the Docker socket dangerous?

Mounting /var/run/docker.sock gives the container full control over the Docker daemon, which amounts to root on the host: a compromised container can start a new privileged container with the host's root filesystem mounted, access any volume, read secrets and environment variables from other containers, or delete the entire container infrastructure. A read-only mount (:ro) does not help, because the API calls go over the socket as writes anyway. If Docker API access is needed, use a proxy like docker-socket-proxy with only the required endpoints enabled.

Why are exposed ports a concern?

Ports mapped as host_port:container_port without an IP bind to 0.0.0.0, making them accessible from any network interface including external ones. This can expose internal services to the internet. On Linux, Docker also programs its own iptables rules for published ports, so a host firewall that only manages the INPUT chain (ufw, for example) will not block them. Use 127.0.0.1:port:port to bind only to localhost, or rely on the Compose network and use 'expose' (container-only, and effectively documentation, since services on the same network can already reach each other) instead of 'ports' (host-bound).

What format should the input be?

Paste your docker-compose.yml or compose.yaml content as-is. The inspector supports Compose file format versions 2.x and 3.x, including services, networks, volumes, and deploy sections. Multi-service compositions are fully analyzed.

What is the difference between Docker Compose Inspector and Dockerfile Analyzer?

The Docker Compose Inspector analyzes multi-container orchestration — exposed ports, privileged mode, volume mounts, network configurations, and service-level security. The Dockerfile Analyzer focuses on single-container build configuration — base image selection, build-time secrets, user permissions, and layer optimization. Use both for comprehensive Docker security auditing.