Dockyard
January 20, 2026 ยท View on GitHub
A centralized repository for packaging Model Context Protocol (MCP) servers into secure, verified containers.
Dockyard automatically builds, scans, and publishes container images for MCP servers. Every container is security-scanned, signed with Sigstore, and includes full build provenance.
Quick Start
# Pull a container
docker pull ghcr.io/stacklok/dockyard/npx/context7:2.1.0
# Verify its signature
cosign verify \
--certificate-identity-regexp "https://github.com/stacklok/dockyard/.github/workflows/build-containers.yml@refs/heads/.*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
ghcr.io/stacklok/dockyard/npx/context7:2.1.0
# Run it
docker run -it ghcr.io/stacklok/dockyard/npx/context7:2.1.0
Documentation
| I want to... | Go here |
|---|---|
| Use Dockyard containers | Getting Started |
| Add my MCP server | Adding MCP Servers |
| Understand the security model | Security Overview |
| Verify attestations | Container Attestations |
| Check package provenance | Package Provenance |
Supported Protocols
| Protocol | Registry | Example |
|---|---|---|
npx:// | npm | ghcr.io/stacklok/dockyard/npx/context7:2.1.0 |
uvx:// | PyPI | ghcr.io/stacklok/dockyard/uvx/aws-documentation-mcp-server:1.1.16 |
go:// | Go modules | ghcr.io/stacklok/dockyard/go/netbird:0.1.0 |
Browse available servers: npx/ | uvx/ | go/
Add Your MCP Server
Create a spec.yaml in the appropriate directory and submit a PR:
metadata:
name: your-server
description: "What your server does"
protocol: npx # or uvx, go
spec:
package: "your-package-name"
version: "1.0.0"
Our CI/CD pipeline will automatically:
- Scan for security vulnerabilities (blocking)
- Verify package provenance (informational)
- Build multi-arch containers
- Sign and attest with Sigstore
- Publish to
ghcr.io/stacklok/dockyard
See Adding MCP Servers for the full guide.
Security
Every container includes:
- MCP Security Scan - Scanned with mcp-scanner before build
- Container Scan - Trivy vulnerability scanning
- Signed Images - Sigstore/Cosign keyless signatures
- Attestations - SBOM, build provenance, and security scan results
See Security Overview for details.
Contributing
We welcome contributions! See CONTRIBUTING.md for guidelines.
To add an MCP server, see Adding MCP Servers.
License
Apache 2.0 - see LICENSE for details.
Links
- ToolHive - Container building technology
- MCP Documentation - Model Context Protocol
- Sigstore - Container signing