Directus Development Workflow
Verdict: Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Flags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The configuration ships hardcoded default passwords and signing secrets for critical infrastructure components. Every ${VAR:-default} fallback becomes the live value whenever that variable is absent from the environment or the .env file, so a deployment that forgets one of them runs with a publicly known credential.
  - Evidence: The database service uses POSTGRES_PASSWORD: ${DB_PASSWORD:-directus}, providing a known default database credential.
  - Evidence: The directus service defines ADMIN_PASSWORD: ${ADMIN_PASSWORD:-admin}, which allows unauthorized administrative access to the CMS if the environment variable is not explicitly set.
  - Evidence: Static default values (replace-with-random-value) are provided for KEY and SECRET. SECRET is what Directus uses to sign the access tokens it issues, so a predictable value lets anyone forge a token for any user, including the admin account.
- [COMMAND_EXECUTION] (MEDIUM): The backup service executes raw shell commands to perform maintenance tasks.
  - Evidence: The entrypoint and command fields of the backup service run a shell script that calls pg_dump and rm. While functional for a backup task, assembling the command as a single shell string means any environment variable spliced into it (such as PGUSER) is re-parsed by the shell, and a value containing a ";" or a "$(...)" runs as a command. Passing the values as separate arguments (the list form of command) avoids the re-parse.
- [EXTERNAL_DOWNLOADS] (SAFE): The configuration pulls images from established and trusted sources.
  - Evidence: Images are sourced from official or highly reputable repositories, including postgis/postgis, redis, directus/directus, mailhog/mailhog, and adminer.
- [DYNAMIC_EXECUTION] (MEDIUM): The configuration enables automatic loading of code from the filesystem.
  - Evidence: EXTENSIONS_AUTO_RELOAD: ${EXTENSIONS_AUTO_RELOAD:-true} is enabled. Directus loads any extension placed in the ./extensions directory; with auto-reload on, a newly dropped JavaScript file is picked up and executed without a restart, giving an attacker with write access to that directory a persistence or remote code execution vector.
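To find and remove the fallbacks behind the CREDENTIALS_UNSAFE finding, here is an added example (the editor's code, not part of the audited project or of Directus): a POSIX shell script that greps a compose file for ${VAR:-default} on secret-bearing variable names and writes a .env file with random 256-bit values so the fallbacks are never reached. The compose fragment embedded in it is a constructed stand-in that reproduces the defaults quoted in the evidence; the function names, the PASSWORD/SECRET/KEY/TOKEN name filter and the mode-0600 .env convention are the example's own choices.

```shell
#!/bin/sh
# Added example by the editor, not code from the audited project. Scans a
# docker-compose file for ${VAR:-default} fallbacks on secret-bearing variables
# and writes an .env file with random values so the fallbacks are never used.
# Variable names and the sample compose fragment are constructed for illustration.

# Print one "VAR=default" line for every compose fallback whose variable name
# contains PASSWORD, SECRET, KEY or TOKEN. $1 is the compose file path.
weak_defaults() {
  grep -oE '\$\{[A-Za-z0-9_]*(PASSWORD|SECRET|KEY|TOKEN)[A-Za-z0-9_]*:-[^}]*\}' "$1" \
    | sed -E 's/^\$\{([A-Za-z0-9_]+):-(.*)\}$/\1=\2/' \
    | sort -u
}

# 32 random bytes from the kernel, hex encoded (64 characters). Uses od rather
# than openssl so it also works in minimal images.
rand_hex() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write a fresh .env (mode 0600) with a random value for each named variable.
# $1 is the output path; the remaining arguments are the variable names.
gen_env() {
  out="$1"; shift
  : > "$out"
  chmod 600 "$out"
  for var in "$@"; do
    printf '%s=%s\n' "$var" "$(rand_hex)" >> "$out"
  done
}

# Constructed compose fragment mirroring the audited defaults (not the real file).
sample_compose() {
  cat > "$1" <<'EOF'
services:
  database:
    image: postgis/postgis
    environment:
      POSTGRES_USER: ${DB_USER:-directus}
      POSTGRES_PASSWORD: ${DB_PASSWORD:-directus}
  directus:
    image: directus/directus
    environment:
      KEY: ${KEY:-replace-with-random-value}
      SECRET: ${SECRET:-replace-with-random-value}
      ADMIN_EMAIL: ${ADMIN_EMAIL:-admin@example.com}
      ADMIN_PASSWORD: ${ADMIN_PASSWORD:-admin}
      EXTENSIONS_AUTO_RELOAD: ${EXTENSIONS_AUTO_RELOAD:-true}
EOF
}

# Stand-alone run: report the weak fallbacks, then generate replacements.
work=$(mktemp -d)
sample_compose "$work/docker-compose.yml"
echo "Weak fallbacks found:"
weak_defaults "$work/docker-compose.yml"
gen_env "$work/.env" DB_PASSWORD ADMIN_PASSWORD KEY SECRET
echo "Wrote $work/.env ($(wc -l < "$work/.env" | tr -d ' ') secrets)"
```

Running it against the constructed fragment reports DB_PASSWORD, ADMIN_PASSWORD, KEY and SECRET and leaves DB_USER, ADMIN_EMAIL and EXTENSIONS_AUTO_RELOAD alone. The name filter is deliberately narrow; widen it to whatever naming your own compose files use, and treat any hit as a finding even when the default looks like a placeholder, because a placeholder that is accepted at startup is a credential.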
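The COMMAND_EXECUTION finding is about string assembly rather than pg_dump itself. As an added example (the editor's code, not the audited backup service's script, whose exact command the report does not quote), the following replaces pg_dump with a shell stand-in that prints its arguments and invokes it once through an eval'd command string, which is what a "sh -c" command line does inside the container, and once through a plain argument list. The hostile PGUSER value, the host name "database" and the database name "directus" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example by the editor, not the audited project's backup script. Shows
# why a pg_dump invocation assembled as one shell string re-parses whatever
# PGUSER contains, and the exec-form alternative that passes the value as a
# single argument. pg_dump is replaced by a stand-in that prints its argv, so
# this runs without PostgreSQL.

# Stand-in for the real binary: prints the argument count and each argument.
pg_dump() {
  printf 'pg_dump argc=%d:' "$#"
  printf ' <%s>' "$@"
  printf '\n'
}

# Shell-string form: PGUSER is spliced into the text before the shell parses it,
# exactly as a compose command of the form sh -c "pg_dump -U $PGUSER ..." does.
unsafe_dump() {
  eval "pg_dump -U $PGUSER -h database -d directus"
}

# Exec form: the value travels as one argv entry and is never re-parsed; this is
# what the list form of compose's command: key produces.
safe_dump() {
  pg_dump -U "$PGUSER" -h database -d directus
}

# Stand-alone run with a constructed hostile value (assumption, not real data).
PGUSER='directus; echo INJECTED'
export PGUSER
echo "unsafe:"; unsafe_dump
echo "safe:";   safe_dump
```

With the hostile value, the string form calls pg_dump with only "-U directus" and then runs the injected "echo INJECTED ..." as a second command; the list form hands the whole value, semicolon included, to pg_dump as one argument, where it fails as a bad user name instead of executing. Because PGUSER in this stack comes from the compose file or .env, whoever can change it can usually change the command too, so the practical value of the list form is robustness against accidental metacharacters and against any future path that lets a value in from elsewhere.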
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata