Will It Vibe logoWill It Vibe?
COMPOSE-005Medium severity-8 points

Sensitive host path bind-mounted

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

Bind-mounting host directories such as /etc, /proc, /sys, /dev, /root, or /var/lib/docker breaks container isolation and can leak or corrupt host state.

Why it matters

Bind-mounting host directories such as /etc, /proc, /sys, /dev, /root, or /var/lib/docker crosses the container boundary in ways that leak host configuration or let the container change host state. For example a writable /etc mount can alter host users, and /var/lib/docker exposes every other container. These mounts are occasionally legitimate but are a common misconfiguration.

How to fix it

Remove the sensitive host mount, or narrow it to the exact file the service reads and add :ro. Prefer passing configuration through environment variables, config files under the project directory, or Compose configs and secrets instead of mounting system directories. If a monitoring agent needs /proc or /sys, mount only the required subpaths read-only.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks