I try to apply the docker CIS (https://github.com/docker/docker-bench-security)

The test 5.13 is: Mount container’s root filesystem as read only
There is an option for docker run to mount the root FS read only: --read-only=true
But I can’t find the possibility to achieve the same with docker-compose.

Is there a possibility to mount the root FS read only with docker-compose?

Hi this can be done by adding read_only: true to the service description, see also https://docs.docker.com/compose/compose-file/#cpu-shares-cpu-quota-cpuset-domainname-hostname-ipc-mac-address-mem-limit-memswap-limit-privileged-read-only-restart-stdin-open-tty-user-working-dir:91de898b5f5cdb090642a917d3dedf68

Really?

The reference documentation talks about this flag in the volume section, not in the service definition section. However, it does appears to be actually honored when at the service definition.

Is it a docu mishap?