Summary
docker-compose.yml publishes every service port using Docker's short syntax, which binds 0.0.0.0 (all host interfaces). Combined with the default credentials baked into the file (postgres/postgres, guest/guest, minioadmin/minioadmin), anyone reachable on the host's network can connect to the datastores.
Severity
Low (local-dev convenience file, but unnecessary exposure)
Affected code
docker-compose.yml — Postgres "15432:5432", Redis "6379:6379", RabbitMQ "5672:5672"/"15672:15672", MinIO "9000:9000"/"9001:9001" all bind all interfaces by default.
Impact
On a developer machine on an untrusted network (or if reused beyond pure local dev), the datastores are exposed with well-known default credentials.
Suggested fix
Bind each service's published ports to loopback (e.g. "127.0.0.1:15432:5432") and add a comment noting that the file is for local development only.
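To make the finding checkable, here is an added example (not code from the project or from this report) that parses Docker's short port syntax, flags mappings that reach every host interface, and rewrites them to the loopback form the fix suggests. The service-to-port table is a constructed sample mirroring the values quoted under "Affected code"; the function names are this example's own.

```python
import ipaddress

# Constructed sample of the published ports quoted in the report.
REPORTED_PORTS = {
    "postgres": ["15432:5432"],
    "redis": ["6379:6379"],
    "rabbitmq": ["5672:5672", "15672:15672"],
    "minio": ["9000:9000", "9001:9001"],
}


def parse_short_port(mapping: str) -> dict:
    """Split a Docker short-syntax port string into its parts.

    Accepts "CONTAINER", "HOST:CONTAINER", "IP:HOST:CONTAINER", an optional
    "/tcp" or "/udp" suffix and a bracketed IPv6 host address. A missing IP
    means Docker binds all interfaces.
    """
    spec, _, proto = mapping.partition("/")
    host_ip = None
    if spec.startswith("["):                 # "[::1]:8080:80"
        end = spec.index("]")
        host_ip, spec = spec[1:end], spec[end + 2:]
    parts = spec.split(":")
    if len(parts) == 3:                      # "127.0.0.1:15432:5432"
        host_ip, host_port, container_port = parts
    elif len(parts) == 2:                    # "15432:5432"
        host_port, container_port = parts
    elif len(parts) == 1:                    # "5432" (ephemeral host port)
        host_port, container_port = None, parts[0]
    else:
        raise ValueError(f"unrecognised port mapping: {mapping!r}")
    return {"host_ip": host_ip, "host_port": host_port,
            "container_port": container_port, "protocol": proto or "tcp"}


def binds_all_interfaces(mapping: str) -> bool:
    """True when no host IP is given or it is the unspecified address (0.0.0.0 / ::)."""
    ip = parse_short_port(mapping)["host_ip"]
    return ip is None or ipaddress.ip_address(ip).is_unspecified


def exposed_services(ports_by_service: dict) -> dict:
    """Service -> mappings that bind all interfaces; an empty dict means none are exposed."""
    found = {svc: [p for p in ports if binds_all_interfaces(p)]
             for svc, ports in ports_by_service.items()}
    return {svc: ports for svc, ports in found.items() if ports}


def to_loopback(mapping: str) -> str:
    """Pin an all-interfaces mapping to 127.0.0.1; other mappings are returned unchanged.

    Assumption: a bare "CONTAINER" mapping (random host port) is pinned to the
    same port number on the host, which is a behaviour change the reader should review.
    """
    if not binds_all_interfaces(mapping):
        return mapping
    spec, slash, proto = mapping.partition("/")
    p = parse_short_port(spec)
    host_port = p["host_port"] or p["container_port"]
    return f"127.0.0.1:{host_port}:{p['container_port']}{slash}{proto}"


def harden(ports_by_service: dict) -> dict:
    """Apply to_loopback to every mapping, giving the loopback-only equivalent of the file."""
    return {svc: [to_loopback(p) for p in ports] for svc, ports in ports_by_service.items()}
```

Run `exposed_services(harden(REPORTED_PORTS))` to confirm the rewritten table no longer publishes anything beyond loopback.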