Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Dockerfile Audit

БесплатноНе проверен

Hadolint-grade Dockerfile audit — 19 checks: secrets, privileges, supply chain, hygiene.

GitHubEmbed

Описание

Hadolint-grade Dockerfile audit — 19 checks: secrets, privileges, supply chain, hygiene.

README

Hadolint-grade Dockerfile audit as an MCP server. 18+ checks across 5 categories, every finding ships with severity, line number, remediation text, and a copy-paste Dockerfile snippet.

Built by Unbearable Labs. Pay-per-event pricing — only billed when a tool is actually called.


Available on

  • Apify Actor Store — primary, metered usage (PPE)
  • MCPize — pending submission
  • MCP.so — pending submission
  • PulseMCP — pending submission
  • Smithery — pending submission
  • Glama — pending submission

Newsletter: Unbearable TechTips Weekly · All Actors: github.com/UnbearableDev

What it does

Point any MCP-capable client (Claude Desktop, Cursor, n8n, Make, Zapier, custom agents) at this server, hand it a Dockerfile, get back a structured report:

  • Severity — high / medium / low / info
  • Line number — exact location in the file
  • Description — what's wrong and why it matters
  • Remediation — what to do about it
  • Fix snippet — Dockerfile syntax you can paste directly

Tools

Tool Purpose
audit_dockerfile(dockerfile_content? | dockerfile_url?, min_severity='low') Run all checks
check_base_image(...) FROM/tag/digest/registry checks only
check_instructions(...) CMD form, ADD vs COPY, MAINTAINER, etc.
check_security(...) USER, sudo, chmod 777, curl|bash, hardcoded secrets, HEALTHCHECK
check_efficiency(...) apt cache hygiene, pip caching
check_secrets(...) ARG with secret-pattern names
list_checks(category?) Browse the full check catalog

Provide exactly one of dockerfile_content (paste the file) or dockerfile_url (HTTPS URL — e.g. GitHub raw).

Check catalog (v1: 18 checks across 5 categories)

ID Category Severity Title
DFA-001 base_image medium Image uses :latest tag or no tag
DFA-002 base_image info No SHA256 digest pin on FROM
DFA-003 base_image medium Untrusted registry
DFA-010 instructions low CMD in shell form
DFA-011 instructions low ENTRYPOINT in shell form
DFA-012 instructions info MAINTAINER instruction is deprecated
DFA-013 instructions medium ADD used where COPY would suffice
DFA-020 security medium No USER directive (runs as root)
DFA-021 security high USER root set explicitly
DFA-022 security high sudo invoked in RUN
DFA-023 security high chmod 777 in RUN
DFA-024 security medium curl|bash pattern in RUN
DFA-025 security high Hardcoded secret in ENV
DFA-027 security low No HEALTHCHECK
DFA-030 efficiency low apt-get update without install
DFA-031 efficiency low apt-get install without --no-install-recommends
DFA-032 efficiency low pip install without --no-cache-dir
DFA-040 secrets medium ARG with secret-pattern name

Use list_checks to get the canonical, up-to-date catalog.

Pricing

Event USD
Any audit / check_* tool call $0.02
list_checks discovery $0.005

Example response (truncated)

{
  "summary": {
    "total_findings": 6,
    "by_severity": {"high": 2, "medium": 2, "low": 2, "info": 0}
  },
  "findings": [
    {
      "id": "DFA-021",
      "category": "security",
      "severity": "high",
      "instruction": "USER",
      "line_number": 3,
      "title": "USER root set explicitly",
      "description": "...",
      "remediation": "Switch to a non-root UID after any root-required RUN steps.",
      "fix_dockerfile_snippet": "USER 10001:10001",
      "references": ["CIS-Docker-4.1"]
    }
  ]
}

Connecting from Claude Desktop

{
  "mcpServers": {
    "dockerfile-audit": {
      "transport": "streamable-http",
      "url": "https://YOUR-ACTOR-URL.apify.actor/mcp"
    }
  }
}

Limits

  • Dockerfile size: 200 KB cap per audit
  • URL fetch: 5s timeout, max 3 redirects, HTTPS only
  • Session timeout: 5 minutes of inactivity

What's NOT covered (yet)

  • Live image vulnerability scanning (use Trivy / Grype for that)
  • Multi-stage build optimization analysis (DFA-004 / DFA-005 — roadmapped)
  • Compose-file audit (separate MCP: docker-compose-audit)

Sibling MCPs from Unbearable Labs

Source / contact

Issues and ideas: [email protected] or the GitHub org UnbearableDev.

from github.com/UnbearableDev/dockerfile-audit

Установка Dockerfile Audit

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/UnbearableDev/dockerfile-audit

FAQ

Dockerfile Audit MCP бесплатный?

Да, Dockerfile Audit MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Dockerfile Audit?

Нет, Dockerfile Audit работает без API-ключей и переменных окружения.

Dockerfile Audit — hosted или self-hosted?

Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.

Как установить Dockerfile Audit в Claude Desktop, Claude Code или Cursor?

Открой Dockerfile Audit на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Dockerfile Audit with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории development