
bug(docker compose): docker compose file with anonymous volume false positively reported as Volume Has Sensitive Host Directory #8047

Description

@rjg21

A docker compose file containing a service using an anonymous volume is reported by the query as having a sensitive host directory.

Anonymous volumes (like named volumes) don't mount host directories.

Seems like the query is assuming that, after attempting to split on a colon (when the volume value doesn't have one), the first part is the host_path, when in this case it is actually the path mounted in the container: kics/assets/queries/dockerCompose/volume_has_sensitive_host_directory/query.rego

Expected Behavior

Anonymous volumes (like named volumes) not to be flagged by this query.

Actual Behavior

Anonymous volumes are flagged as having this vulnerability.

Steps to Reproduce the Problem

Scan a docker compose file with a fragment like:

services:
  frontend:
    volumes:
      - /usr/src/app/node_modules

Specifications

N/A
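The distinction the report relies on, as an added example that is not the KICS query or any project code: Compose short syntax is `[SOURCE:]TARGET[:MODE]`, so an entry with no colon has no source at all and is an anonymous volume whose single component is the container path. A source that starts with `/`, `./`, `../` or `~` is a host path (bind mount); any other source is the name of a named volume. Only bind mounts can expose a host directory, so only those are compared against a sensitive-directory list. The list of sensitive directories below is constructed for illustration (it is not the project's list), and the parser assumes POSIX-style paths.

```python
"""Classify Docker Compose volume entries so that only bind mounts are
checked against a list of sensitive host directories.

Illustrative code added alongside the issue; not the KICS query itself.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import List, Optional, Tuple, Union

# Constructed, illustrative list of host directories a policy might treat
# as sensitive. Not the project's own list.
SENSITIVE_HOST_DIRS = ["/etc", "/var/run/docker.sock", "/boot", "/proc", "/root"]


@dataclass
class Volume:
    kind: str                     # "anonymous", "named" or "bind"
    target: str                   # path inside the container
    source: Optional[str] = None  # host path (bind) or volume name (named)


def _looks_like_host_path(source: str) -> bool:
    # Compose treats a source beginning with '/', './', '../' or '~' as a
    # host path; anything else is the name of a named volume.
    return source.startswith(("/", "./", "../", "~"))


def parse_volume(entry: Union[str, dict]) -> Volume:
    """Parse one entry of a service's `volumes:` list.

    Short syntax is [SOURCE:]TARGET[:MODE]. With no colon there is no
    source at all, so the single component is the container path of an
    anonymous volume, not a host directory. Long (mapping) syntax carries
    an explicit `type`, which removes the ambiguity entirely.
    """
    if isinstance(entry, dict):  # long syntax
        vtype = entry.get("type", "volume")
        target = entry["target"]
        source = entry.get("source")
        if vtype == "bind":
            return Volume("bind", target, source)
        return Volume("named" if source else "anonymous", target, source)

    parts = entry.split(":")
    if len(parts) == 1:
        # No colon: this is the container path, never a host path.
        return Volume("anonymous", parts[0])
    source, target = parts[0], parts[1]
    if _looks_like_host_path(source):
        return Volume("bind", target, source)
    return Volume("named", target, source)


def _is_within(path: str, directory: str) -> bool:
    """True if `path` equals `directory` or lies somewhere beneath it."""
    p = PurePosixPath(path)
    d = PurePosixPath(directory)
    return p == d or d in p.parents


def sensitive_host_directory_findings(
    service_name: str,
    volumes: List[Union[str, dict]],
    sensitive_dirs: List[str] = SENSITIVE_HOST_DIRS,
) -> List[Tuple[str, str, str]]:
    """Return (service, host_path, sensitive_dir) for each bind mount whose
    host path falls inside a sensitive directory. Anonymous and named
    volumes are skipped because they never mount a host directory."""
    findings = []
    for entry in volumes:
        vol = parse_volume(entry)
        if vol.kind != "bind":
            continue
        for d in sensitive_dirs:
            if _is_within(vol.source, d):
                findings.append((service_name, vol.source, d))
                break
    return findings


if __name__ == "__main__":
    # The fragment from the report: an anonymous volume, so no finding.
    print(sensitive_host_directory_findings("frontend", ["/usr/src/app/node_modules"]))
    # A bind mount of the Docker socket, which a policy would flag.
    print(sensitive_host_directory_findings("agent", ["/var/run/docker.sock:/var/run/docker.sock"]))
```

The key check is the `len(parts) == 1` branch: the issue's fragment `/usr/src/app/node_modules` produces no finding because it is classified as anonymous before any host-path comparison happens, while `/var/run/docker.sock:/var/run/docker.sock` is a bind mount and is reported.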

Assignees

No one assigned

Labels

bug (Something isn't working), community (Community contribution)
