
CV-C011: Writable root filesystem

Severity: Warning | Category: Security

Why This Matters

By default, a container's root filesystem is writable. An attacker who gains code execution inside the container can then modify binaries, drop tooling, or tamper with application files, and those changes persist for the lifetime of the container (they are lost only when the container is recreated from the image). Setting read_only: true mounts the root filesystem read-only, so every path the workload must write has to be declared explicitly as a tmpfs or volume mount. This documents the container's write surface and makes an unexpected write fail loudly instead of silently succeeding. Note that the protection covers the image layers only: tmpfs and volume mounts remain writable, so an attacker can still stage tooling under /tmp; what read_only prevents is tampering with the files shipped in the image.

How to Fix

Set read_only: true and declare every path the service must write as a tmpfs mount (scratch data such as PID files and caches) or a volume (data that must survive the container). Which paths are required depends on the image: the official nginx image, for example, writes its PID file under /var/run and its temporary files under /var/cache/nginx, so omitting the latter makes nginx fail at startup on a read-only filesystem.

Before (incorrect)

services:
  web:
    image: nginx

After (correct)

services:
  web:
    image: nginx
    # Image layers become immutable; every writable path must be declared below.
    read_only: true
    tmpfs:
      - /tmp
      - /var/run           # nginx.pid
      - /var/cache/nginx   # client_temp, proxy_temp, fastcgi_temp, ... used by the official image
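To find out which paths a given image actually writes before turning on read_only: true, run the container once with a writable filesystem, exercise it, and feed the output of `docker diff <container>` through a small filter that reports the directories that received writes. The script below is an added example for this rule page, not code from the rule's project, from Compose, or from nginx; the `suggest_tmpfs` helper name is ours, and the embedded diff output is constructed to resemble what the official Debian-based nginx image produces (where /var/run is a symlink to /run, so the diff shows /run).

```shell
#!/bin/sh
# suggest_tmpfs: read `docker diff` output on stdin and print, one per line,
# the directories that received writes. Each one is a candidate for a
# `tmpfs:` entry (scratch data) or a `volumes:` entry (persistent data)
# once `read_only: true` is set on the service.
#
# docker diff lines look like:  A /path  (added)  C /path  (changed)  D /path  (deleted)
suggest_tmpfs() {
  awk '
    $1 == "A" || $1 == "C" || $1 == "D" { paths[$2] = 1 }
    END {
      for (p in paths) {
        # Keep only leaf entries: a path with no other recorded path beneath it.
        # Intermediate directories show up as "C" because a child changed.
        leaf = 1
        for (q in paths) {
          if (q != p && index(q, p "/") == 1) { leaf = 0; break }
        }
        if (leaf) {
          parent = p
          sub(/\/[^\/]*$/, "", parent)   # strip the last path component
          if (parent == "") parent = "/"
          dirs[parent] = 1
        }
      }
      for (d in dirs) print d
    }' | sort -u
}

# Constructed sample: what `docker diff` reports after starting the official
# nginx image with a writable root filesystem and serving a few requests.
SAMPLE_DIFF='C /var
C /var/cache
C /var/cache/nginx
A /var/cache/nginx/client_temp
A /var/cache/nginx/proxy_temp
C /run
A /run/nginx.pid
C /etc/nginx/conf.d
A /etc/nginx/conf.d/default.conf'

# Real usage: docker diff "$(docker compose ps -q web)" | suggest_tmpfs
printf '%s\n' "$SAMPLE_DIFF" | suggest_tmpfs
```

For the constructed sample the filter prints /etc/nginx/conf.d, /run and /var/cache/nginx. The first is written by the image's entrypoint when it renders its configuration, so it belongs in `tmpfs:` only if that rendering is needed; the other two are scratch paths and map directly to `tmpfs:` entries in the Compose file.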

Rule Details

Rule Code: CV-C011
Severity: Warning
Category: Security

Related Rules