Why is exposing a database port dangerous?

A ports mapping like 5432:5432 on your database service publishes it on the host's public interface, so the database is reachable from the internet - and internet-wide scanners find exposed Postgres, MySQL, Redis, and Mongo instances within minutes, many with weak or default credentials. Databases should only be reachable from other containers on the internal compose network, never via a host port. Remove the ports mapping; the app container still reaches it by service name.

What does a missing restart policy cause?

Without restart: unless-stopped (or always), a container that crashes stays down, and every container stays down after the host reboots. You ship the app, it runs, and weeks later a transient crash or a kernel update quietly takes it offline with nothing to bring it back. A restart policy is the compose equivalent of supervising the process.

Is it safe to paste my compose file?

Yes. The auditor runs entirely in your browser - nothing you paste is uploaded or logged. It reads the structure of the file locally. If your compose file contains real secrets in plaintext, that itself is a finding the tool will flag - move them to a .env file or a secret store.

Free tool · Runs in your browser · Nothing uploaded

Audit your docker-compose.

Compose is easy to write and easy to ship with a hole in it. Paste your docker-compose.yml and get a production audit — exposed database ports, hardcoded secrets, missing restart policies, :latest images, and more — per service, with the fix.

100% client-side

The holes compose makes easy

A compose file that works on your laptop and a compose file that's safe in production are not the same file. The gaps are quiet: a database with a host port mapping that's now on the public internet, a password sitting in plaintext under environment, a service with no restart policy that won't come back after a reboot, an image: postgres with no tag that pulls a different version next month. None of them error; all of them bite later.

This catches the common ones in seconds. Keeping them caught — across every service, every deploy, every host — so a fix doesn't quietly regress, is the ongoing version of the job, and the part a control plane is built to hold.

Related free tools

systemd service generatorKeep your app running Reverse proxy + HTTPSCaddy / nginx + HTTPS Backup script generatorDump, offsite, restore RPO / RTO calculatorData loss + downtime

All free tools →

Catch it once here. Keep it caught everywhere.

Infraveil runs, supervises, and audits your containers across the hosts you own — with the restart, recovery, and tamper-evident record that turns a one-time fix into a standing guarantee.

See how it works

Get the production-compose playbook

Hardening, secrets, restarts, and healthchecks for containers you run yourself. No spam.