The docker-compose port binding that Trivy, Checkov, and Semgrep all miss

# security# docker# devops# opensource
The docker-compose port binding that Trivy, Checkov, and Semgrep all missPrem kumar Akula

Most developers know UFW blocks unwanted traffic. What they don't know is that Docker bypasses UFW...

Most developers know UFW blocks unwanted traffic. What they don't know is that Docker bypasses UFW entirely by rewriting iptables directly.

This in your docker-compose.yml:

ports:

  • "5432:5432"

Exposes Postgres to the public internet. UFW never sees it. Your firewall rules don't matter.

The fix is one token:

ports:

  • "127.0.0.1:5432:5432"

We ran this pattern against Trivy, Checkov, Semgrep, and Snyk. None of them catch it. It's a blind spot across every major IaC scanner.

So we built a rule for it — VGL-D001 — and open-sourced the scanner that runs it as a Claude Code hook, catching the exposure the moment you write the file.

vigilsec-io/cordon on GitHub

It runs as a PostToolUse hook in Claude Code — zero friction, catches IaC issues inline as you write them, not in CI after the fact.