Docker Compose Security Audit
Pricing: from $20.00 / 1,000 docker compose audit calls
Audits docker-compose.yml files for security misconfigurations. 25 checks across 9 categories with severity, remediation, and YAML fix snippets. Pay-per-event. MCP-native - call from Claude Desktop, Cursor, n8n, or any MCP client. Built by Unbearable Labs.
Developer: Noel Himer
Maintained by Community
Last modified: 8 days ago
MCP server that audits files for security misconfigurations. 25 checks across 9 categories, designed for AI agents — every finding ships with a severity rating, full remediation text, and a YAML fix snippet you can paste.
Built by Unbearable Labs. Free to use — bring your own Apify token.
Available on
- Apify Actor Store — primary
- Smithery
Newsletter: Unbearable TechTips Weekly · All Actors: github.com/UnbearableDev
What it does
Point any MCP-capable client (Claude Desktop, Cursor, n8n, Make, Zapier, custom agents) at this server, hand it the contents of a , and get back a structured report with:
- Severity — high / medium / low / info
- Service — which compose service the finding affects
- Description — what's wrong and why it matters
- Remediation — what to do about it
- Fix snippet — YAML you can paste directly into the file
Tools
| Tool | Purpose |
|---|---|
| | Run all checks, return full report |
| | Container privilege & capability issues only |
| | Network exposure issues only |
| | Volume mount & filesystem issues only |
| | Secret hygiene issues only |
| | Resource limit issues only |
| | Image tag / registry / pinning issues only |
| | Healthcheck / restart / init issues only |
| | Logging driver / rotation issues only |
| | Deprecated fields / Compose-spec hygiene only |
| | Browse the full check catalog |
All audit-running tools accept the same input:
- (string) — paste the YAML content directly, OR
- (string) — public HTTPS URL to fetch (e.g. GitHub raw URL)
Provide exactly one. defaults to (drops findings); set to or to filter further.
Example
Input:
Output:
Pricing
Free to use — hosted on Apify, bring your own Apify token.
Check catalog (25 checks across 9 categories)
| Category | Live checks |
|---|---|
| Privilege | Root user (DCS-001), privileged mode (DCS-002), dangerous capabilities (DCS-003), (DCS-004), missing (DCS-005), missing (DCS-006) |
| Network | (DCS-010), port bound to 0.0.0.0 (DCS-011), SSH port exposed (DCS-013), DB port exposed (DCS-014) |
| Filesystem | mount (DCS-018), host root mount (DCS-019), sensitive host paths (DCS-020) |
| Secrets | Hardcoded secret in env (DCS-026), secret-pattern env without Docker secrets (DCS-027) |
| Resources | No memory limit (DCS-032), no CPU limit (DCS-033), no PID limit (DCS-034) |
| Image hygiene | Unpinned / image (DCS-037) |
| Runtime lifecycle | No healthcheck (DCS-043), no restart policy (DCS-044) |
| Logging | No log driver (DCS-048), no log rotation (DCS-049) |
| Compose hygiene | Deprecated field (DCS-051), without healthcheck condition (DCS-052) |
Use to get the canonical, up-to-date catalog with IDs, severities, and titles.
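To make the catalog concrete, here is an added example (not the Actor's own code) that re-implements a handful of the checks above in Python, run over a compose file that has already been parsed into a dict, the shape `yaml.safe_load()` returns. Check IDs follow the catalog; the severities, fix snippets and the sample compose file are this example's own constructed choices.

```python
import re

SECRET_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY", re.I)

def _env(svc):  # environment as a dict, whether compose used list "K=V" or mapping form
    env = svc.get("environment") or {}
    if isinstance(env, list):
        env = dict((e.split("=", 1) + [""])[:2] for e in env)
    return {k: "" if v is None else str(v) for k, v in env.items()}

def _host_ip(port):
    """Host IP of a port mapping; '' means none given, which Docker binds to 0.0.0.0."""
    if isinstance(port, dict):                      # long syntax
        return str(port.get("host_ip", ""))
    parts = str(port).split(":")                    # short syntax IP:HOST:CONTAINER
    return parts[0] if len(parts) == 3 else ""

def audit(compose):
    """Findings are (id, severity, service, description, fix snippet) tuples."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        svc = svc or {}
        add = lambda cid, sev, desc, fix: findings.append((cid, sev, name, desc, fix))
        if str(svc.get("user", "root")).split(":")[0] in ("root", "0"):
            add("DCS-001", "medium", "container runs as root", 'user: "1000:1000"')
        if svc.get("privileged") is True:
            add("DCS-002", "high", "privileged mode disables isolation", "privileged: false")
        for p in svc.get("ports") or []:
            if _host_ip(p) in ("", "0.0.0.0"):
                add("DCS-011", "medium", f"port {p} on all interfaces", 'ports: ["127.0.0.1:HOST:CONTAINER"]')
        for v in svc.get("volumes") or []:
            src = v.get("source", "") if isinstance(v, dict) else str(v).split(":")[0]
            if src == "/var/run/docker.sock":
                add("DCS-018", "high", "mounts the Docker socket", "remove the bind mount")
        for k, val in _env(svc).items():
            if SECRET_RE.search(k) and val and not val.startswith("$"):  # literal, not ${VAR}
                add("DCS-026", "high", f"hardcoded secret in {k}", f"{k}: ${{{k}}}")
        image = str(svc.get("image", ""))
        tag = image.rsplit("/", 1)[-1].partition(":")[2]
        if image and "@sha256:" not in image and tag in ("", "latest"):
            add("DCS-037", "medium", f"unpinned image {image}", "image: <name>:<version>")
    return findings

# Constructed sample compose file (already parsed); not taken from the page.
SAMPLE = {"services": {
    "web": {"image": "nginx:latest", "ports": ["80:80"], "privileged": True,
            "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
            "environment": ["DB_PASSWORD=hunter2", "DB_HOST=db"]},
    "db": {"image": "postgres:16", "user": "999:999", "ports": ["127.0.0.1:5432:5432"],
           "environment": {"POSTGRES_PASSWORD": "${POSTGRES_PASSWORD}"}}}}
```

Running `audit(SAMPLE)` flags the `web` service on six checks and reports nothing for `db`, which pins its image, drops root, binds to loopback and reads its password from the environment.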
Connecting from Claude Desktop
Add to your MCP config:
Limits
- YAML size: 1 MB cap per audit call
- URL fetch: 5-second timeout, max 3 redirects, HTTPS only
- Session timeout: 5 minutes of inactivity
What's NOT covered (yet)
Pure static analysis of the compose file only. Out of scope for this version:
- Image vulnerability scanning (use Trivy / Grype for that)
- Live container inspection
- Kubernetes / Helm manifests (see )
- Dockerfile-specific lint (see )
Source / contact
Issues, ideas, or false-positive reports: open an issue on the GitHub repo or email .
Built by Noel @ Unbearable Labs — more like this in the weekly newsletter: https://unbearabletechtips.beehiiv.com
