The docker-compose port binding that Trivy, Checkov, and Semgrep all miss
Most developers know UFW blocks unwanted traffic. What they don't know is that Docker bypasses UFW entirely by rewriting iptables directly.
This in your docker-compose.yml:
ports:
- "5432:5432"
Exposes Postgres to the public internet. UFW never sees it. Your firewall rules don't matter.
The fix is one token:
ports:
- "127.0.0.1:5432:5432"
The Blind Spot
We ran this pattern against Trivy, Checkov, Semgrep, and Snyk. None of them catch it. It's a blind spot across every major IaC scanner.
The Solution
So we built a rule for it - VGL-D001 - and open-sourced the scanner that runs it as a Claude Code hook, catching the exposure the moment you write the file.
- Repository:
vigilsec-io/cordonon GitHub - Runs as a
PostToolUsehook in Claude Code - zero friction, catches IaC issues inline as you write them, not in CI after the fact.
Comments
No comments yet. Start the discussion.