Pricing

Pay per usage

Docker Compose Security Audit

Audits docker-compose.yml files for security misconfigurations. 25 checks across 9 categories with severity, remediation, and YAML fix snippets. Pay-per-event. MCP-native — call from Claude Desktop, Cursor, n8n, or any MCP client. Built by Unbearable TechTips.

Pricing

Pay per usage

Rating

0.0

(0)

Developer

Noel Himer

Actor stats

Bookmarked

Total users

Monthly active users

18 hours ago

Last modified

What it does

Point any MCP-capable client (Claude Desktop, Cursor, n8n, Make, Zapier, custom agents) at this server, hand it the contents of a docker-compose.yml, and get back a structured report with:

Severity — high / medium / low / info
Service — which compose service the finding affects
Description — what's wrong and why it matters
Remediation — what to do about it
Fix snippet — YAML you can paste directly into the file

Tools

Tool	Purpose
`audit_compose(compose_yaml? \| compose_url?, min_severity='low')`	Run all checks, return full report
`check_privilege(...)`	Container privilege & capability issues only
`check_network(...)`	Network exposure issues only
`check_filesystem(...)`	Volume mount & filesystem issues only
`check_secrets(...)`	Secret hygiene issues only
`check_resources(...)`	Resource limit issues only
`check_image_hygiene(...)`	Image tag / registry / pinning issues only
`check_runtime_lifecycle(...)`	Healthcheck / restart / init issues only
`check_logging(...)`	Logging driver / rotation issues only
`check_compose_hygiene(...)`	Deprecated fields / Compose-spec hygiene only
`list_checks(category?)`	Browse the full check catalog

All audit-running tools accept the same input:

compose_yaml (string) — paste the YAML content directly, OR
compose_url (string) — public HTTPS URL to fetch (e.g. GitHub raw URL)

Provide exactly one. min_severity defaults to low (drops info findings); set to medium or high to filter further.

Example response (truncated)

{
  "summary": {
    "total_findings": 14,
    "by_severity": {"high": 3, "medium": 6, "low": 5, "info": 0},
    "by_category": {"privilege": 4, "network": 3, "secrets": 2, "...": 5}
  },
  "findings": [
    {
      "id": "DCS-002",
      "category": "privilege",
      "severity": "high",
      "service": "web",
      "title": "Privileged mode enabled",
      "description": "Service 'web' has `privileged: true`...",
      "remediation": "Remove `privileged: true`. If you need specific capabilities...",
      "fix_yaml_snippet": "    # remove `privileged: true`; if needed, use cap_add or devices selectively",
      "references": ["CIS-Docker-5.4", "NIST-800-190"]
    },
    ...
  ]
}

Pricing

Event	USD
Any audit / check_* tool call	$0.02
`list_checks` discovery call	$0.005

You pay only when a tool is invoked. No subscription, no monthly minimums.

Check catalog (25 live in v1, growing toward 54)

Category	Live checks
Privilege	Root user (DCS-001), privileged mode (DCS-002), dangerous capabilities (DCS-003), `cap_add: ALL` (DCS-004), `cap_drop: ALL` missing (DCS-005), `no-new-privileges` missing (DCS-006)
Network	`network_mode: host` (DCS-010), port bound to 0.0.0.0 (DCS-011), SSH port exposed (DCS-013), DB port exposed (DCS-014)
Filesystem	`/var/run/docker.sock` mount (DCS-018), host root mount (DCS-019), sensitive host paths (DCS-020)
Secrets	Hardcoded secret in env (DCS-026), secret-pattern env without Docker secrets (DCS-027)
Resources	No memory limit (DCS-032), no CPU limit (DCS-033), no PID limit (DCS-034)
Image hygiene	Unpinned / `:latest` image (DCS-037)
Runtime lifecycle	No healthcheck (DCS-043), no restart policy (DCS-044)
Logging	No log driver (DCS-048), no log rotation (DCS-049)
Compose hygiene	Deprecated `version:` field (DCS-051), `depends_on` without healthcheck condition (DCS-052)

Use list_checks to get the canonical, up-to-date catalog with IDs, severities, and titles.

Connecting from Claude Desktop

Add to your MCP config:

{
  "mcpServers": {
    "compose-audit": {
      "transport": "streamable-http",
      "url": "https://YOUR-ACTOR-URL.apify.actor/mcp"
    }
  }
}

(Replace YOUR-ACTOR-URL with the Standby URL shown on the Apify Store page after you start the Actor.)

Limits

YAML size: 1 MB cap per audit call
URL fetch: 5-second timeout, max 3 redirects, HTTPS only
Session timeout: 5 minutes of inactivity

What's NOT covered (yet)

Pure static analysis of the compose file only. Out of scope for this version:

Image vulnerability scanning (use Trivy / Grype for that)
Live container inspection
Kubernetes / Helm manifests (different surface)
Dockerfile-specific lint (use Hadolint)

The next 29 checks on the v1.x → v2 roadmap include build-context security, additional capability checks, secret-pattern detection in build args, and registry trust verification.

Source / contact

Issues, ideas, or false-positive reports: open an issue on the GitHub repo or email unbearabledev@gmail.com.

Get more like this in the Unbearable TechTips newsletter (launching soon).

Network Device Manager

srini047/network-device-manager

An actor that helps to manage and troubleshoot issues

Sriniketh J

Coolify MCP Server - AI DevOps Automation

aimcp/coolify-mcp-server

Most Powerful Coolify MCP Server. Connect Claude, Cursor, AI IDEs and AI Agents directly to your self-hosted Coolify instance via this MCP server. Manage & inspect deployments, logs, health, and restart containers entirely via natural language.

Neha Srivastava

Google Review Scraper

rover-omniscraper/google-review-scraper

High-performance Google Reviews scraper built with Playwright & Node.js. Extract reviews, ratings, authors & dates from any Google business using place IDs. Optimized for speed with stealth mode, Docker-ready, Apify-compatible. Batch processing, JSON output, minimal delays.

Rover Omniscraper

LinkedIn Agent

apexronin/linkedin-agent

A linkedin agent

Jensin

Github Code Auditor

devwithbobby/github-code-auditor

GitHub Code Auditor is an AI-powered Apify Actor that analyzes GitHub repositories.

Dev with Bobby

Shopify Scraper (GraphQL)

runexes/actor-shopify-scraper

An Apify actor that crawls Shopify stores via `sitemap.xml` and fetches product data using the Storefront GraphQL API. Optimized for speed and cost with per-host batching, incremental processing, and buffered dataset writes.

Alex

Grant Proposal Agent

dondata/grant-proposal-agent

The Grant Proposal Agent is a AI-powered system that automates the entire grant lifecycle from discovery to proposal generation to submission tracking. A three-tier automation system serving multiple organization types with multi-source grant discovery and intelligent proposal generation.

Willie Augustine

🛡️ Chrome Extension Security Analyzer - Permission Audit

nexgendata/chrome-extension-security-analyzer

Audit Chrome extensions for security risks. Downloads CRX files, analyzes permissions (CRITICAL/HIGH/MEDIUM/LOW), checks Manifest V2/V3, evaluates CSP & content scripts. Risk scores for SOC 2 & ISO 27001 compliance. CRXcavator is dead — same job for $0.20/extension.

Stephan Corbeil

YAML Validator & Converter

automation-lab/yaml-validator

Validate YAML, JSON, and TOML syntax. Convert between formats. Detect errors with exact line numbers. Bulk-process documents or URLs. Zero proxy, 95%+ margin.

Stas Persiianenko

PyPI Vulnerability Scraper

taroyamada/pypi-package-intelligence

Extract Python package metadata from PyPI and enrich it with OSV database alerts. Monitor dependencies for new version releases and critical CVE identifiers.