
CV-C009: Unbound port interface

Warning Security

Why This Matters

When a port mapping does not specify a host IP address, Docker binds it to all network interfaces (0.0.0.0). This means the port is accessible from any network the host is connected to, including public-facing interfaces. For services that should only be accessible locally, bind to 127.0.0.1 explicitly.

How to Fix

Bind the published port to 127.0.0.1 for local-only access, or to a specific interface IP.

Before (incorrect)

services:
  web:
    ports:
      - "8080:80"

After (correct)

services:
  web:
    ports:
      - "127.0.0.1:8080:80"
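
The check described above, generalized to the other forms a `ports` entry can take: container-only ports, an explicit 0.0.0.0, IPv6 addresses, and the long syntax with `host_ip`. This is an added example, not the linter's own implementation; the function names and the sample entries are constructed for illustration.

```python
import ipaddress

def host_ip(entry):
    """Return the host IP of one Compose `ports` entry, or None if it has none."""
    if isinstance(entry, dict):             # long syntax: target / published / host_ip
        return entry.get("host_ip") or None
    spec = str(entry).split("/", 1)[0]      # drop "/tcp" or "/udp"; YAML may yield an int
    parts = spec.rsplit(":", 2)             # [IP:][HOST_PORT:]CONTAINER_PORT
    if len(parts) < 3:
        return None                         # "8080:80" or "80": no IP given
    return parts[0].strip("[]") or None     # "[::1]" and "::1" are both accepted

def classify(entry):
    """Classify the bind address: unbound, all-interfaces, loopback, specific, unknown."""
    ip = host_ip(entry)
    if ip is None:
        return "unbound"                    # Docker falls back to 0.0.0.0
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unknown"                    # e.g. an unresolved ${VAR} interpolation
    if addr.is_unspecified:
        return "all-interfaces"             # 0.0.0.0 or :: written out explicitly
    return "loopback" if addr.is_loopback else "specific"

def audit(ports):
    """Return (entry, verdict) for entries reachable on every host interface."""
    exposed = {"unbound", "all-interfaces"}
    return [(p, classify(p)) for p in ports if classify(p) in exposed]

# Constructed sample: the `ports` list of one service after YAML parsing.
SAMPLE_PORTS = [
    "8080:80",
    "127.0.0.1:8080:80",
    80,
    "0.0.0.0:9090:9090/tcp",
    "[::1]:6001:6001",
    "192.168.1.10:5432:5432",
    {"target": 80, "published": 8080},
    {"target": 80, "published": 8080, "host_ip": "127.0.0.1"},
]

if __name__ == "__main__":
    for entry, verdict in audit(SAMPLE_PORTS):
        print(f"{verdict:15} {entry!r}")
```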

Rule Details

Rule Code: CV-C009
Severity: Warning
Category: Security
