This rule flags services in Docker Compose files whose root filesystem is left writable, which is the default when read_only is not set. A writable root filesystem widens the attack surface: a compromised process can overwrite the binaries and configuration shipped in the image, drop tools into the container, or persist malicious code for the lifetime of the container.
Running a service with a read-only root filesystem blocks writes to the image's layers at runtime. This preserves the integrity of the container's contents and limits the impact of both accidental and deliberate tampering: an attacker who gains code execution cannot modify what the image ships. Note that the setting only covers the root filesystem; volumes, bind mounts and tmpfs mounts remain writable unless you restrict them separately (for example with the :ro flag on a bind mount).
To comply with this rule, set read_only: true at the service level in the Compose file (alongside image, not under deploy). This is the Compose equivalent of docker run --read-only. Applications that need scratch space, such as a pid file under /run or a cache directory, should get it from an explicit tmpfs entry or a named volume, so that the writable paths are a short, deliberate list rather than the whole image.
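The following Compose file is an added example, not taken from the original rule text: it places a non-compliant service next to its compliant counterpart. The service names, the nginx image tag, the port mapping and the tmpfs sizes are assumptions chosen for illustration; the tmpfs option suffix (rw,noexec,nosuid,size=...) is the same option string accepted by docker run --tmpfs.

```yaml
# Added example (not from the original rule page). Service names, image tag,
# ports and mount sizes are illustrative assumptions.
services:
  # Non-compliant: read_only is absent, so the root filesystem is writable.
  # A compromised worker could replace /usr/share/nginx/html, edit
  # /etc/nginx/nginx.conf, or drop a binary into /usr/local/bin, and the
  # change would persist until the container is recreated.
  web-writable:
    image: nginx:1.27-alpine
    ports:
      - "8080:80"

  # Compliant: the root filesystem is mounted read-only; only the paths
  # listed under tmpfs and volumes accept writes.
  web:
    image: nginx:1.27-alpine
    read_only: true          # service-level key; same effect as docker run --read-only
    ports:
      - "8080:80"
    # nginx needs scratch space for its pid file and proxy/cache buffers.
    # In-memory tmpfs mounts are cleared on restart, cannot hold executable
    # files (noexec) or setuid binaries (nosuid), and are capped in size.
    tmpfs:
      - /run:rw,noexec,nosuid,size=1m
      - /var/cache/nginx:rw,noexec,nosuid,size=64m
    # Any state that must survive a restart goes on an explicit named volume,
    # so the writable surface is a reviewable list rather than the whole image.
    volumes:
      - web-logs:/var/log/nginx

volumes:
  web-logs:
```

To confirm the setting took effect on a running container, inspect its host configuration: docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' <container> prints true for the compliant service and false for the non-compliant one. If an application fails at startup with "Read-only file system" errors, the path it reports is a candidate for a tmpfs entry or volume, not a reason to drop read_only.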
By adopting this approach, you improve the overall security posture of your containerized applications and make them more resilient against attacks or unintended changes.