drydock

Open source container update monitoring — built in TypeScript with modern tooling.

📑 Contents

• 📖 Documentation
• 🚀 Quick Start
• 🆕 Recent Updates
• 📸 Screenshots & Live Demo
• ✨ Features
• 🔌 Supported Integrations
• ⚖️ Feature Comparison
• 🔄 Migration
• 🗺️ Roadmap
• ⭐ Star History
• 🔧 Built With
• 🤝 Community QA

🚀 Quick Start

Recommended: use a socket proxy to restrict which Docker API endpoints Drydock can access. This avoids giving the container full access to the Docker socket.

services:
  drydock:
    image: codeswhat/drydock
    depends_on:
      socket-proxy:
        condition: service_healthy
    environment:
      - DD_WATCHER_LOCAL_HOST=socket-proxy
      - DD_WATCHER_LOCAL_PORT=2375
      - DD_AUTH_BASIC_ADMIN_USER=admin
      - "DD_AUTH_BASIC_ADMIN_HASH=<paste-argon2id-hash>"
    ports:
      - 3000:3000

  socket-proxy:
    image: tecnativa/docker-socket-proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - CONTAINERS=1
      - IMAGES=1
      - EVENTS=1
      - SERVICES=1
      # Add POST=1 and NETWORKS=1 for container actions and auto-updates
    healthcheck:
      test: wget --spider http://localhost:2375/version || exit 1
      interval: 5s
      timeout: 3s
      retries: 3
      start_period: 5s
    restart: unless-stopped

docker run -d \
  --name drydock \
  -p 3000:3000 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e DD_AUTH_BASIC_ADMIN_USER=admin \
  -e "DD_AUTH_BASIC_ADMIN_HASH=<paste-argon2id-hash>" \
  codeswhat/drydock:latest

Generate a password hash (argon2 CLI — install via your package manager):

echo -n "yourpassword" | argon2 $(openssl rand -base64 32) -id -m 16 -t 3 -p 4 -l 64 -e

Or with Node.js 24+ (no extra packages needed):

node -e 'const c=require("node:crypto");const s=c.randomBytes(32);const h=c.argon2Sync("argon2id",{message:process.argv[1],nonce:s,memory:65536,passes:3,parallelism:4,tagLength:64});console.log("argon2id\$65536\$3$4$"+s.toString("base64")+"$"+h.toString("base64"));' "yourpassword"

Legacy v1.3.9 Basic auth hashes ({SHA}, $apr1$/$1$, crypt, and plain) are accepted for upgrade compatibility but deprecated (removed in v1.6.0). Argon2id is recommended for all new configurations. Authentication is required by default. See the auth docs for OIDC, anonymous access, and other options. To explicitly allow anonymous access on fresh installs, set DD_ANONYMOUS_AUTH_CONFIRM=true.

The image includes trivy and cosign binaries for local vulnerability scanning and image verification.

See the Quick Start guide for Docker Compose, socket security, reverse proxy, and alternative registries.

🆕 Recent Updates

• Chinese UI locales — First non-English locale set: Simplified Chinese and Traditional Chinese, with 1,100+ translated strings across every view, contributed by TianMiao (PR #331, PR #344). Switch languages in Config > Appearance. The i18n framework is ready for additional locales, and Crowdin sync is configured for translation PRs.
• Multi-select audit log filter — The event-type filter in the Audit Log view is now a checkbox dropdown so you can view any combination of event categories (e.g. update-applied + update-failed) in one query. The backend ?actions= parameter was already there; the UI now exposes it. (discussion #332)
• Credential redaction expanded — update-failed SSE error payloads now redact x-registry-auth, *-token, and api-key fields in addition to Authorization headers, so registry credentials and API keys no longer leak in operator-visible diagnostics.
• Update eligibility blockers — Container rows now surface structured pre-flight blockers inline (maturity hold, security block, maintenance window, policy exclusion, pinned version) so you can see exactly why an update button is disabled without opening the detail panel.
• Scan vs. update row status — Container rows correctly distinguish a scan-in-progress state from an update-in-progress state, so the row badge matches the actual operation type.
• Expand / Collapse all stacks — A single toolbar button expands or collapses every stack group at once when Stack view is enabled; the label reflects the current global expand state. Individual stack headers still toggle independently. (#311)
• Dashboard + Containers view reconnect performance — On SSE reconnect, both views now refetch only endpoints that can go stale (skipping static ones for 30s) and patch the local container array in place instead of replacing it. On large inventories this turns a reconnect storm into a handful of requests and eliminates the post-reconnect flicker. (#301)
• Security scan digest mode — SECURITYMODE=digest (or batch+digest) sends one severity-grouped summary per scan cycle instead of one notification per vulnerable container. New bulk POST /api/v1/containers/scan-all endpoint scans the whole fleet server-side and emits a single security-scan-cycle-complete event; the UI Scan All button now uses it so a 40-container inventory produces one email instead of forty. (#300)
• Notification dropdown rework — The bell dropdown gains per-row ✕ dismiss, a header Clear bulk action, and a split footer (Mark all as read / Open audit log). New --dd-zebra-stripe theme token keeps alternate rows legible on every stock theme. (#267)
• Actionable deprecation banners — Every deprecation warning now carries the concrete migration action inline plus a "View migration guide" link that deep-jumps to the relevant anchor on the deprecations doc. (#214)
• Per-channel notification dedup — The batch and digest notification channels now track once=true dedup independently, so MODE=batch+digest reliably delivers both the immediate batch email and the scheduled morning digest for each detected update.
• Container list performance — GET /api/containers now preloads active update operations in a single indexed scan with per-row O(1) lookup, eliminating the rc.8 slowdown on large inventories (Dashboard / Watchers / Servers / Container Logs all benefit).
• Persistent once-dedup — once=true notification dedup survives process restarts and transient changed=false scan cycles via a new on-disk notification history store, so notifications no longer re-fire after a restart.
• Hide Pinned surfaces actionable rows — Pinned containers with a pending update stay visible when Hide Pinned is on; only static pinned rows are hidden, matching the decluttering intent without suppressing actionable updates.
• Remote-agent updates work end-to-end — Controller trims the remote-trigger payload for docker / dockercompose updates so the agent's json body cap can't block an update with HTTP 413.
• Socket-proxy identity detection — Daemon host-name detection now runs for host-based watchers (TCP to a local socket-proxy, the common Synology / Compose pattern), so notification prefixes stop falling back to container short IDs.
• Backend-driven update queue — Container updates queued server-side with per-trigger concurrency limits. UI shows Queued → Updating → Updated progression with sequence labels (e.g. "Updating 1 of 3"). Global cap configurable via DD_UPDATE_MAX_CONCURRENT (default 0 = unlimited; set to a positive integer to bound how many updates run simultaneously across the whole controller instance).
• Identity-keyed container tracking — Containers tracked by stable identity key (agent::watcher::name) across renames/replacements, preventing cross-host status contamination.
• Watcher next-run schedule visibility — Watcher API and Agents view now show when each watcher will next poll for updates.
• Notification delivery failure audit trail — Failed notification deliveries surface in the notification bell dropdown for visibility without leaving the UI.
• Multi-server notification identification — Notifications automatically include [server-name] prefix when agents are registered, identifying which server each update comes from. Configurable via DD_SERVER_NAME (defaults to the detected daemon host name, then the process hostname). Custom templates can use container.notificationServerName.
• System log viewer overhaul — Pinned toolbar, line wrapping, sort toggle (newest/oldest), filter mode (funnel icon shows matches only), auto-apply filters, component dropdown from API, aligned columns, floating copy button.
• Hide Pinned containers — Checkbox toggle in the container filter bar hides version-pinned containers. Persisted in user preferences.
• Combined batch+digest notifications — MODE=batch+digest sends both immediate batch emails and scheduled digest summaries.
• Multi-host same-name container support — Containers with identical names across different hosts no longer collide in the UI. Actions, logs, and detail panels route by container ID.
• Lazy OIDC discovery — SSO provider startup failures no longer block the server. Discovery retries on first use.

📸 Screenshots & Live Demo

Light	Dark

✨ Features

🔌 Supported Integrations

📦 Registries (23)

Docker Hub · GHCR · ECR · ACR · GCR · GAR · GitLab · Quay · LSCR · Harbor · Artifactory · Nexus · Gitea · Forgejo · Codeberg · MAU · TrueForge · Custom · DOCR · DHI · IBM Cloud · Oracle Cloud · Alibaba Cloud

🔔 Triggers (20)

Apprise · Command · Discord · Docker · Docker Compose · Google Chat · Gotify · HTTP · IFTTT · Kafka · Matrix · Mattermost · MQTT · MS Teams · NTFY · Pushover · Rocket.Chat · Slack · SMTP · Telegram

🔐 Authentication

Anonymous (opt-in via DD_ANONYMOUS_AUTH_CONFIRM=true) · Basic (username + password hash) · OIDC (Authelia, Auth0, Authentik). All auth flows fail closed by default.

API note: POST /api/v1/containers/:id/env/reveal is currently scoped to authentication only (no per-container RBAC yet), so any authenticated user is treated as a trusted operator for secret reveal actions. The unversioned /api/containers/:id/env/reveal alias remains available during the API-version transition.

OpenAPI note: machine-readable API docs are available at GET /api/v1/openapi.json (canonical) and GET /api/openapi.json (compatibility alias during transition).

API versioning note: third-party integrations should migrate to /api/v1/*. The unversioned /api/* alias is deprecated and will be removed in v1.6.0.

🥊 Update Bouncer

Trivy-powered vulnerability scanning blocks unsafe updates before they deploy. Includes cosign signature verification and SBOM generation (CycloneDX & SPDX).

⚖️ Feature Comparison

🔄 Migration

🗺️ Roadmap

📖 Documentation