Command Palette

Search for a command to run...

UnylyUnyly
Browse all

Docker Compose Audit

FreeNot checked

Security audit for docker-compose.yml — 25 checks: secrets, privileges, network, volumes, images.

GitHubEmbed

About

Security audit for docker-compose.yml — 25 checks: secrets, privileges, network, volumes, images.

README

MCP server that audits docker-compose.yml files for security misconfigurations. Trivy-grade check catalog, designed for AI agents — every finding ships with a severity rating, full remediation text, and a YAML fix snippet you can paste.

Built by Unbearable Labs. Pay-per-event pricing — you only pay when an audit runs.


Available on

  • Apify Actor Store — primary, metered usage (PPE)
  • MCPize — pending submission
  • MCP.so — pending submission
  • PulseMCP — pending submission
  • Smithery — pending submission
  • Glama — pending submission

Newsletter: Unbearable TechTips Weekly · All Actors: github.com/UnbearableDev

What it does

Point any MCP-capable client (Claude Desktop, Cursor, n8n, Make, Zapier, custom agents) at this server, hand it the contents of a docker-compose.yml, and get back a structured report with:

  • Severity — high / medium / low / info
  • Service — which compose service the finding affects
  • Description — what's wrong and why it matters
  • Remediation — what to do about it
  • Fix snippet — YAML you can paste directly into the file

Tools

Tool Purpose
audit_compose(compose_yaml? | compose_url?, min_severity='low') Run all checks, return full report
check_privilege(...) Container privilege & capability issues only
check_network(...) Network exposure issues only
check_filesystem(...) Volume mount & filesystem issues only
check_secrets(...) Secret hygiene issues only
check_resources(...) Resource limit issues only
check_image_hygiene(...) Image tag / registry / pinning issues only
check_runtime_lifecycle(...) Healthcheck / restart / init issues only
check_logging(...) Logging driver / rotation issues only
check_compose_hygiene(...) Deprecated fields / Compose-spec hygiene only
list_checks(category?) Browse the full check catalog

All audit-running tools accept the same input:

  • compose_yaml (string) — paste the YAML content directly, OR
  • compose_url (string) — public HTTPS URL to fetch (e.g. GitHub raw URL)

Provide exactly one. min_severity defaults to low (drops info findings); set to medium or high to filter further.

Example response (truncated)

{
  "summary": {
    "total_findings": 14,
    "by_severity": {"high": 3, "medium": 6, "low": 5, "info": 0},
    "by_category": {"privilege": 4, "network": 3, "secrets": 2, "...": 5}
  },
  "findings": [
    {
      "id": "DCS-002",
      "category": "privilege",
      "severity": "high",
      "service": "web",
      "title": "Privileged mode enabled",
      "description": "Service 'web' has `privileged: true`...",
      "remediation": "Remove `privileged: true`. If you need specific capabilities...",
      "fix_yaml_snippet": "    # remove `privileged: true`; if needed, use cap_add or devices selectively",
      "references": ["CIS-Docker-5.4", "NIST-800-190"]
    },
    ...
  ]
}

Pricing

Event USD
Any audit / check_* tool call $0.02
list_checks discovery call $0.005

You pay only when a tool is invoked. No subscription, no monthly minimums.

Check catalog (25 live in v1, growing toward 54)

Category Live checks
Privilege Root user (DCS-001), privileged mode (DCS-002), dangerous capabilities (DCS-003), cap_add: ALL (DCS-004), cap_drop: ALL missing (DCS-005), no-new-privileges missing (DCS-006)
Network network_mode: host (DCS-010), port bound to 0.0.0.0 (DCS-011), SSH port exposed (DCS-013), DB port exposed (DCS-014)
Filesystem /var/run/docker.sock mount (DCS-018), host root mount (DCS-019), sensitive host paths (DCS-020)
Secrets Hardcoded secret in env (DCS-026), secret-pattern env without Docker secrets (DCS-027)
Resources No memory limit (DCS-032), no CPU limit (DCS-033), no PID limit (DCS-034)
Image hygiene Unpinned / :latest image (DCS-037)
Runtime lifecycle No healthcheck (DCS-043), no restart policy (DCS-044)
Logging No log driver (DCS-048), no log rotation (DCS-049)
Compose hygiene Deprecated version: field (DCS-051), depends_on without healthcheck condition (DCS-052)

Use list_checks to get the canonical, up-to-date catalog with IDs, severities, and titles.

Connecting from Claude Desktop

Add to your MCP config:

{
  "mcpServers": {
    "compose-audit": {
      "transport": "streamable-http",
      "url": "https://YOUR-ACTOR-URL.apify.actor/mcp"
    }
  }
}

(Replace YOUR-ACTOR-URL with the Standby URL shown on the Apify Store page after you start the Actor.)

Limits

  • YAML size: 1 MB cap per audit call
  • URL fetch: 5-second timeout, max 3 redirects, HTTPS only
  • Session timeout: 5 minutes of inactivity

What's NOT covered (yet)

Pure static analysis of the compose file only. Out of scope for this version:

  • Image vulnerability scanning (use Trivy / Grype for that)
  • Live container inspection
  • Kubernetes / Helm manifests (different surface)
  • Dockerfile-specific lint (use Hadolint)

The next 29 checks on the v1.x → v2 roadmap include build-context security, additional capability checks, secret-pattern detection in build args, and registry trust verification.

Source / contact

Issues, ideas, or false-positive reports: open an issue on the GitHub repo or email [email protected].

get the weekly newsletter(https://unbearabletechtips.beehiiv.com).

from github.com/UnbearableDev/docker-compose-audit

Installing Docker Compose Audit

This server has no published package — it is built from source. Open the repository and follow its README.

▸ github.com/UnbearableDev/docker-compose-audit

FAQ

Is Docker Compose Audit MCP free?

Yes, Docker Compose Audit MCP is free — one-click install via Unyly at no cost.

Does Docker Compose Audit need an API key?

No, Docker Compose Audit runs without API keys or environment variables.

Is Docker Compose Audit hosted or self-hosted?

A hosted option is available: Unyly runs the server in the cloud, no local setup required.

How do I install Docker Compose Audit in Claude Desktop, Claude Code or Cursor?

Open Docker Compose Audit on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.

Related MCPs

Compare Docker Compose Audit with

Not sure what to pick?

Find your stack in 60 seconds

Author?

Embed badge for your README

Browse similar

All development MCPs