I wanted a quick local way to review my own Docker Compose stacks before assuming a service was private, behind a reverse proxy, or only bound to localhost.
ExposeMap is a small open-source CLI that reads a docker-compose.yml file and reports exposure hints: internal, localhost-only, directly exposed from Compose config, reverse-proxy exposed, or unknown.
It generates a Markdown report and Mermaid diagram. It checks common port mappings, localhost bindings, Traefik-style labels, likely reverse proxy services, and risky directly published database/admin ports.
Important limitation: it does not prove internet reachability, run network scans, connect to containers, modify Compose files, inspect secrets, or upload anything.
GitHub: https://github.com/kaibuild/exposemap
I’m especially looking for sanitized Compose edge cases where the classification is misleading or the wording should be clearer.
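As an added illustration of the kind of config-only classification described above (this is not ExposeMap's code and is not taken from the project), the sketch below classifies already-parsed Compose services by their `ports`, `network_mode` and labels. The risky-port list, the Traefik label heuristic and the precedence between hints are assumptions, and like the tool it says nothing about actual reachability.

```python
RISKY_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}  # assumed list
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_port(entry):
    """Return (host_ip, container_port) for a short- or long-syntax ports entry."""
    if isinstance(entry, dict):                   # long syntax: target / published / host_ip
        return str(entry.get("host_ip", "")), int(entry["target"])
    spec = str(entry).split("/")[0]               # drop "/tcp" or "/udp"
    host_ip = ""
    if spec.startswith("["):                      # "[::1]:8080:80"
        host_ip, _, spec = spec[1:].partition("]:")
    elif spec.count(":") == 2:                    # "127.0.0.1:8080:80"
        host_ip, _, spec = spec.partition(":")
    return host_ip, int(spec.split(":")[-1].split("-")[0])

def labels_of(svc):
    labels = svc.get("labels", {})
    if isinstance(labels, list):                  # list form: ["key=value", ...]
        labels = dict(item.partition("=")[::2] for item in labels)
    return {k: str(v).strip().lower() for k, v in labels.items()}

def classify(svc):
    """Return (hint, warnings) for one parsed Compose service."""
    if svc.get("network_mode") == "host":         # ports: is ignored in host mode
        return "unknown", ["host networking: exposure depends on what the process binds"]
    hints, warnings = set(), []
    for entry in svc.get("ports", []):
        host_ip, cport = parse_port(entry)
        local = host_ip in LOOPBACK
        hints.add("localhost-only" if local else "directly exposed")
        if not local and cport in RISKY_PORTS:
            warnings.append(f"{RISKY_PORTS[cport]} port {cport} published beyond loopback")
    lab = labels_of(svc)                          # heuristic: any Traefik label, unless disabled
    if lab.get("traefik.enable") != "false" and any(k.startswith("traefik.") for k in lab):
        hints.add("reverse-proxy exposed")
    for hint in ("directly exposed", "reverse-proxy exposed", "localhost-only"):
        if hint in hints:                         # report the widest exposure found
            return hint, warnings
    return "internal", warnings                   # only expose: or nothing published

SAMPLE = {  # constructed sample: services as they look after YAML parsing
    "db":     {"ports": ["5432:5432/tcp"]},
    "cache":  {"ports": ["127.0.0.1:6379:6379"]},
    "app":    {"expose": ["8000"], "labels": ["traefik.enable=true"]},
    "admin":  {"ports": [{"target": 8080, "published": 8081, "host_ip": "::1"}]},
    "worker": {},
    "agent":  {"network_mode": "host", "ports": ["9100:9100"]},
}
REPORT = {name: classify(svc) for name, svc in SAMPLE.items()}
```

A bare short-syntax entry such as `"80"` is treated as directly exposed because Docker publishes it on an ephemeral host port on all interfaces.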


How is Rust not problematic? Cargo has the same risks involved afaik