Sensitive host path bind-mounted
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
Bind-mounting host directories such as /etc, /proc, /sys, /dev, /root, or /var/lib/docker breaks container isolation and can leak or corrupt host state.
Why it matters
Bind-mounting host directories such as /etc, /proc, /sys, /dev, /root, or /var/lib/docker crosses the container boundary in ways that leak host configuration or let the container change host state. For example a writable /etc mount can alter host users, and /var/lib/docker exposes every other container. These mounts are occasionally legitimate but are a common misconfiguration.
How to fix it
Remove the sensitive host mount, or narrow it to the exact file the service reads and add :ro. Prefer passing configuration through environment variables, config files under the project directory, or Compose configs and secrets instead of mounting system directories. If a monitoring agent needs /proc or /sys, mount only the required subpaths read-only.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo