CV-C003: Host network mode
Error Security
Why This Matters
Using network_mode: host bypasses Docker network isolation entirely. The container shares the host network namespace, meaning all host ports are accessible to the container and vice versa. This eliminates network-level container isolation and can expose services that should only be available on the host.
How to Fix
Use user-defined bridge networks for service-to-service communication
Before (incorrect)
services:
  web:
    network_mode: host

After (correct)
services:
  web:
    networks:
      - frontend
networks:
  frontend:

Rule Details
- Rule Code: CV-C003
- Severity: Error
- Category: Security