Will It Vibe logoWill It Vibe?
K8S-008Medium severity-8 points

hostPath volume mount

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A hostPath volume mounts a node directory into the pod, which can expose or tamper with files on the host filesystem.

Why it matters

A hostPath volume mounts a directory from the node filesystem into the pod. Depending on the path and mount mode, the container can read host secrets or write files that affect the node and other pods. hostPath also ties the pod to specific nodes and breaks cleanly on rescheduling.

How to fix it

Replace hostPath with a volume type suited to the need: emptyDir for scratch space, a PersistentVolumeClaim for durable storage, or a configMap/secret for config. If a node path is genuinely required (a node agent reading logs, for example), mount the narrowest possible subdirectory read-only and set the securityContext to non-root.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks