Datastore port published on all interfaces
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A database or message-broker service publishes its port without binding to 127.0.0.1, so a mapping like 5432:5432 listens on every host interface and can be reached from the network.
Why it matters
Publishing a database or message-broker port without binding to 127.0.0.1 makes a mapping like 5432:5432 listen on every host interface, so the datastore is reachable from the local network and, on a cloud host with a permissive firewall, from the internet. Datastores are high-value targets and are frequently found exposed with weak or default credentials.
How to fix it
Bind the published port to loopback (127.0.0.1:5432:5432) so only the host can reach it, or remove the host mapping entirely and let other services connect over the internal Compose network by service name. Only expose a datastore port to the outside when you specifically intend to, and pair that with strong credentials and a firewall.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo