# Docker Compose Security Audit (`unbearable_dev/docker-compose-audit`) Actor Audits docker-compose.yml files for security misconfigurations. 25 checks across 9 categories with severity, remediation, and YAML fix snippets. Pay-per-event. MCP-native — call from Claude Desktop, Cursor, n8n, or any MCP client. Built by Unbearable TechTips. - **URL**: https://apify.com/unbearable\_dev/docker-compose-audit.md - **Developed by:** [Noel Himer](https://apify.com/unbearable_dev) (community) - **Categories:** Developer tools, Automation, MCP servers - **Stats:** 1 total users, 0 monthly users, 0.0% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing Pay per usage This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## Docker Compose Security Audit > MCP server that audits `docker-compose.yml` files for security misconfigurations. Trivy-grade check catalog, designed for AI agents — every finding ships with a severity rating, full remediation text, and a YAML fix snippet you can paste. **Built by [Unbearable TechTips](https://github.com/UnbearableDev). Pay-per-event pricing — you only pay when an audit runs.** --- ### What it does Point any MCP-capable client (Claude Desktop, Cursor, n8n, Make, Zapier, custom agents) at this server, hand it the contents of a `docker-compose.yml`, and get back a structured report with: - **Severity** — high / medium / low / info - **Service** — which compose service the finding affects - **Description** — what's wrong and why it matters - **Remediation** — what to do about it - **Fix snippet** — YAML you can paste directly into the file ### Tools | Tool | Purpose | |------|---------| | `audit_compose(compose_yaml? \| compose_url?, min_severity='low')` | Run all checks, return full report | | `check_privilege(...)` | Container privilege & capability issues only | | `check_network(...)` | Network exposure issues only | | `check_filesystem(...)` | Volume mount & filesystem issues only | | `check_secrets(...)` | Secret hygiene issues only | | `check_resources(...)` | Resource limit issues only | | `check_image_hygiene(...)` | Image tag / registry / pinning issues only | | `check_runtime_lifecycle(...)` | Healthcheck / restart / init issues only | | `check_logging(...)` | Logging driver / rotation issues only | | `check_compose_hygiene(...)` | Deprecated fields / Compose-spec hygiene only | | `list_checks(category?)` | Browse the full check catalog | All audit-running tools accept the same input: - `compose_yaml` (string) — paste the YAML content directly, **OR** - `compose_url` (string) — public HTTPS URL to fetch (e.g. GitHub raw URL) Provide exactly one. `min_severity` defaults to `low` (drops `info` findings); set to `medium` or `high` to filter further. ### Example response (truncated) ```json { "summary": { "total_findings": 14, "by_severity": {"high": 3, "medium": 6, "low": 5, "info": 0}, "by_category": {"privilege": 4, "network": 3, "secrets": 2, "...": 5} }, "findings": [ { "id": "DCS-002", "category": "privilege", "severity": "high", "service": "web", "title": "Privileged mode enabled", "description": "Service 'web' has `privileged: true`...", "remediation": "Remove `privileged: true`. If you need specific capabilities...", "fix_yaml_snippet": " ## remove `privileged: true`; if needed, use cap_add or devices selectively", "references": ["CIS-Docker-5.4", "NIST-800-190"] }, ... ] } ```` ### Pricing | Event | USD | |-------|-----| | Any audit / check\_\* tool call | $0.02 | | `list_checks` discovery call | $0.005 | You pay only when a tool is invoked. No subscription, no monthly minimums. ### Check catalog (25 live in v1, growing toward 54) | Category | Live checks | |----------|------------| | **Privilege** | Root user (DCS-001), privileged mode (DCS-002), dangerous capabilities (DCS-003), `cap_add: ALL` (DCS-004), `cap_drop: ALL` missing (DCS-005), `no-new-privileges` missing (DCS-006) | | **Network** | `network_mode: host` (DCS-010), port bound to 0.0.0.0 (DCS-011), SSH port exposed (DCS-013), DB port exposed (DCS-014) | | **Filesystem** | `/var/run/docker.sock` mount (DCS-018), host root mount (DCS-019), sensitive host paths (DCS-020) | | **Secrets** | Hardcoded secret in env (DCS-026), secret-pattern env without Docker secrets (DCS-027) | | **Resources** | No memory limit (DCS-032), no CPU limit (DCS-033), no PID limit (DCS-034) | | **Image hygiene** | Unpinned / `:latest` image (DCS-037) | | **Runtime lifecycle** | No healthcheck (DCS-043), no restart policy (DCS-044) | | **Logging** | No log driver (DCS-048), no log rotation (DCS-049) | | **Compose hygiene** | Deprecated `version:` field (DCS-051), `depends_on` without healthcheck condition (DCS-052) | Use `list_checks` to get the canonical, up-to-date catalog with IDs, severities, and titles. ### Connecting from Claude Desktop Add to your MCP config: ```json { "mcpServers": { "compose-audit": { "transport": "streamable-http", "url": "https://YOUR-ACTOR-URL.apify.actor/mcp" } } } ``` (Replace `YOUR-ACTOR-URL` with the Standby URL shown on the Apify Store page after you start the Actor.) ### Limits - **YAML size:** 1 MB cap per audit call - **URL fetch:** 5-second timeout, max 3 redirects, HTTPS only - **Session timeout:** 5 minutes of inactivity ### What's NOT covered (yet) Pure static analysis of the compose file only. Out of scope for this version: - Image vulnerability scanning (use Trivy / Grype for that) - Live container inspection - Kubernetes / Helm manifests (different surface) - Dockerfile-specific lint (use Hadolint) The next 29 checks on the v1.x → v2 roadmap include build-context security, additional capability checks, secret-pattern detection in build args, and registry trust verification. ### Source / contact Issues, ideas, or false-positive reports: open an issue on the [GitHub repo](https://github.com/UnbearableDev) or email `unbearabledev@gmail.com`. Get more like this in the [Unbearable TechTips newsletter](https://github.com/UnbearableDev) (launching soon). # Actor input Schema ## Actor input object example ```json {} ``` # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = {}; // Run the Actor and wait for it to finish const run = await client.actor("unbearable_dev/docker-compose-audit").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = {} # Run the Actor and wait for it to finish run = client.actor("unbearable_dev/docker-compose-audit").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{}' | apify call unbearable_dev/docker-compose-audit --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=unbearable_dev/docker-compose-audit", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "Docker Compose Security Audit", "description": "Audits docker-compose.yml files for security misconfigurations. 25 checks across 9 categories with severity, remediation, and YAML fix snippets. Pay-per-event. MCP-native — call from Claude Desktop, Cursor, n8n, or any MCP client. Built by Unbearable TechTips.", "version": "0.1", "x-build-id": "X9GCVnsAbEmN5dmuq" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/unbearable_dev~docker-compose-audit/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-unbearable_dev-docker-compose-audit", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/unbearable_dev~docker-compose-audit/runs": { "post": { "operationId": "runs-sync-unbearable_dev-docker-compose-audit", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/unbearable_dev~docker-compose-audit/run-sync": { "post": { "operationId": "run-sync-unbearable_dev-docker-compose-audit", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "properties": {} }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```