Warning
Upgrading? Read the upgrade notes first. Release 1.4.6 and the entire 1.5 line ship security-hardening fixes that change runtime behavior — they are not deprecations and have no grace period: OIDC now requires authorization_endpoint in your provider's discovery metadata, unauthenticated rate-limiting keys on the TCP peer address (shared bucket behind a reverse proxy), and HTTP-trigger proxy URLs must use http(s)://. See UPGRADE-NOTES.md before updating.
- 📖 Documentation
- 🚀 Quick Start
- 🆕 Recent Updates
- 📸 Screenshots & Live Demo
- 🤔 Why Drydock
- ✨ Features
- 🔌 Supported Integrations
- ⚖️ Feature Comparison
- 🔄 Migration
- 🗺️ Roadmap
- ⭐ Star History
- 🔧 Built With
- 🤝 Community QA
Recommended: use a socket proxy to restrict which Docker API endpoints Drydock can access. This avoids giving the container full access to the Docker socket.
```yaml
services:
  drydock:
    image: codeswhat/drydock
    depends_on:
      socket-proxy:
        condition: service_healthy
    environment:
      - DD_WATCHER_LOCAL_HOST=socket-proxy
      - DD_WATCHER_LOCAL_PORT=2375
      - DD_AUTH_BASIC_ADMIN_USER=admin
      - "DD_AUTH_BASIC_ADMIN_HASH=<paste-argon2id-hash>"
    ports:
      - 3000:3000

  socket-proxy:
    image: tecnativa/docker-socket-proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - CONTAINERS=1
      - IMAGES=1
      - EVENTS=1
      - SERVICES=1
      - INFO=1 # Required for daemon identity detection (notification prefixes)
      # Add POST=1 and NETWORKS=1 for container actions and auto-updates
    healthcheck:
      test: wget --spider http://localhost:2375/version || exit 1
      interval: 5s
      timeout: 3s
      retries: 3
      start_period: 5s
    restart: unless-stopped
```

Alternative: quick start with direct socket mount
```shell
docker run -d \
  --name drydock \
  -p 3000:3000 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e DD_AUTH_BASIC_ADMIN_USER=admin \
  -e "DD_AUTH_BASIC_ADMIN_HASH=<paste-argon2id-hash>" \
  codeswhat/drydock:latest
```

Warning: Direct socket access grants the container full control over the Docker daemon. Use the socket proxy setup above for production deployments. See the Docker Socket Security guide for all options including remote TLS and rootless Docker.
Generate a password hash (argon2 CLI — install via your package manager):

```shell
echo -n "yourpassword" | argon2 $(openssl rand -base64 32) -id -m 16 -t 3 -p 4 -l 64 -e
```

Or with Node.js 24+ (no extra packages needed):

```shell
node -e 'const c=require("node:crypto");const s=c.randomBytes(32);const h=c.argon2Sync("argon2id",{message:process.argv[1],nonce:s,memory:65536,passes:3,parallelism:4,tagLength:64});console.log("argon2id$65536$3$4$"+s.toString("base64")+"$"+h.toString("base64"));' "yourpassword"
```

Legacy v1.3.9 Basic auth hashes ({SHA}, $apr1$ / $1$, crypt, and plain) are accepted for upgrade compatibility but deprecated (removed in v1.6.0). Argon2id is recommended for all new configurations. Authentication is required by default. See the auth docs for OIDC, anonymous access, and other options. To explicitly allow anonymous access on fresh installs, set DD_ANONYMOUS_AUTH_CONFIRM=true.
The image includes trivy and cosign binaries for local vulnerability scanning and image verification.
See the Quick Start guide for Docker Compose, socket security, reverse proxy, and alternative registries.
v1.5.0 highlights
- 17 UI locales — English, Simplified & Traditional Chinese, German, French, Spanish, Italian, Dutch, Polish, Turkish, Brazilian Portuguese, Japanese, Korean, Russian, Vietnamese, Ukrainian, and Arabic. Switch in Config > Appearance. (PR #344)
- Update eligibility blockers — Container rows surface pre-flight blockers inline (maturity hold, security block, maintenance window, policy exclusion, pinned version) so you can see why an update is disabled without opening the detail panel.
- Security scan digest mode — SECURITYMODE=digest sends one severity-grouped summary per scan cycle instead of one notification per container. (#300)
- Backend-driven update queue — Updates queue server-side with per-trigger concurrency limits; UI shows Queued → Updating → Updated. Configurable via DD_UPDATE_MAX_CONCURRENT.
- Unified update-completion toasts — All terminal toasts fire from a single global handler with SSE-gated emission; missed events replay from the server-side ring buffer on reconnect. (#289, #290, #291)
- Notification dropdown rework — Per-row ✕ dismiss, bulk Clear, split footer (Mark all read / Open audit log). (#267)
- Multi-server notification identification — Notifications auto-prefix [server-name] when agents are registered. Configurable via DD_SERVER_NAME.
- SSE reconnect performance — On reconnect, views patch the container array in place and skip already-fresh endpoints, eliminating post-reconnect flicker on large inventories. (#301)
Full history in CHANGELOG.md.
Spot an update, see exactly what changes, apply it. Backup, health check, and rollback handled.
Screenshots: Light theme and Dark theme (images not included in this extract).
Why look at screenshots when you can experience it yourself?
Fully interactive — real UI, mock data, no install required. Runs entirely in-browser.
Container images drift out of date silently. A base image patches a CVE, an app cuts a release, a tag moves. Unless you're watching every registry by hand, your running containers fall behind until something breaks or gets exploited.
Most tools force a tradeoff. The auto-updaters (Watchtower, Ouroboros) pull and restart with little visibility or control, and are now largely unmaintained. The dashboards (Portainer) manage containers but aren't built for update intelligence. Drydock is monitor-first: it watches 23 registries and tells you exactly what changed (major, minor, patch, or digest) before anything happens, then acts only when you let it. And it goes further than any of them. Trivy vulnerability scanning blocks unsafe updates, cosign verifies signatures, pre-update image backups roll back automatically on health-check failure, distributed agents cover remote hosts, and 20 notification and action integrations close the loop. The full update lifecycle, with a web UI and a REST API.
| | Feature | Description |
|---|---|---|
| 🔭 | Monitor-First Detection | Watches every running container and classifies each available update as major, minor, patch, or digest before anything happens. Nothing changes until you say so. |
| 📦 | 23 Registry Providers | Docker Hub, GHCR, ECR, ACR, GCR, GAR, GitLab, Quay, Harbor, Artifactory, Nexus, and 12 more. Public and private, cloud and self-hosted, with per-registry TLS and auth. |
| 🔔 | 20 Triggers | 17 notification channels (Slack, Discord, Telegram, Teams, SMTP, MQTT, ntfy, and more) plus Docker, Docker Compose, and Command action triggers, with threshold filtering and batch mode. |
| 🥊 | Update Bouncer | Trivy vulnerability scanning blocks unsafe updates before they deploy, with cosign signature verification and SBOM generation (CycloneDX and SPDX). |
| ↩️ | Image Backup & Auto Rollback | Pre-update image snapshots with configurable retention, automatic rollback on health-check failure, and one-click manual rollback from the UI. |
| 🪝 | Lifecycle Hooks | Pre and post-update shell commands via container labels, with per-hook timeouts and abort-on-failure control. |
| 🗂️ | Docker Compose Updates | Pull and recreate Compose services through the Docker Engine API with YAML-preserving image patching. |
| 🎛️ | Per-Container Policy | Regex tag include/exclude/transform, maturity gating, maintenance windows, plus skip, snooze, and pin. All driven by dd.* labels. |
| 🛰️ | Distributed Agents | Monitor remote Docker hosts over SSE. Edge agents behind NAT dial out over WebSocket with Ed25519 key auth, no inbound port required (DD_EXPERIMENTAL_PORTWING=true). |
| 🖥️ | Web Dashboard | Vue 3 UI with card, table, and grouped-by-stack views, live SSE updates, and per-container detail, logs, and stats. |
| 🔗 | REST API & Webhooks | Token-authenticated endpoints for CI/CD watch and update triggers, plus signed registry webhook ingestion for push events. |
| 🔐 | OIDC Authentication | Secure the dashboard with OpenID Connect (Authelia, Auth0, Authentik). All auth flows fail closed by default. |
| 📈 | Prometheus Metrics | Built-in /metrics endpoint with optional auth bypass for Prometheus and Grafana monitoring stacks. |
| 🌍 | 17 UI Locales | Fully localized interface, from English and German to Japanese, Korean, and Arabic, switchable in Config. |
| 🔒 | ReDoS-Immune Regex | Every user-supplied tag pattern compiles via re2js (a pure-JS RE2 port) for linear-time matching that can't be stalled by a catastrophic-backtracking pattern. |
Registries (23): Docker Hub · GHCR · ECR · ACR · GCR · GAR · GitLab · Quay · LSCR · Harbor · Artifactory · Nexus · Gitea · Forgejo · Codeberg · MAU · TrueForge · Custom · DOCR · DHI · IBM Cloud · Oracle Cloud · Alibaba Cloud
Action triggers (3): Docker · Docker Compose · Command
Notification triggers (17): Apprise · Discord · Google Chat · Gotify · HTTP · IFTTT · Kafka · Matrix · Mattermost · MQTT · MS Teams · NTFY · Pushover · Rocket.Chat · Slack · SMTP · Telegram
Authentication: Anonymous (opt-in via DD_ANONYMOUS_AUTH_CONFIRM=true) · Basic (username + password hash) · OIDC (Authelia, Auth0, Authentik). All auth flows fail closed by default.
Security scanning: Trivy-powered vulnerability scanning blocks unsafe updates before they deploy. Includes cosign signature verification and SBOM generation (CycloneDX & SPDX).
How does drydock compare to other container update tools?
✅ = supported ❌ = not supported
⚠️ = partial / limited † = archived, no longer maintained
| Feature | drydock | WUD | Diun | Watchtower † | Ouroboros † |
|---|---|---|---|---|---|
| Web UI / Dashboard | ✅ | ✅ | ❌ | ❌ | ❌ |
| Auto-update containers | ✅ | ✅ | ❌ | ✅ | ✅ |
| Docker Compose updates | ✅ | ✅ | ❌ | ❌ | |
| Trigger / notification channels | 20 | 16 | 17 | ~19 | ~6 |
| Registry providers | 23 | 13 | |||
| OIDC / SSO authentication | ✅ | ✅ | ❌ | ❌ | ❌ |
| REST API | ✅ | ✅ | ❌ | ||
| Prometheus metrics | ✅ | ✅ | ❌ | ✅ | ✅ |
| MQTT / Home Assistant | ✅ | ✅ | ✅ | ❌ | ❌ |
| Image backup & rollback | ✅ | ❌ | ❌ | ❌ | ❌ |
| Container grouping / stacks | ✅ | ✅ | ❌ | ❌ | |
| Lifecycle hooks (pre/post) | ✅ | ❌ | ❌ | ✅ | ❌ |
| Webhook API for CI/CD | ✅ | ❌ | ❌ | ✅ | ❌ |
| Container start/stop/restart/update | ✅ | ❌ | ❌ | ❌ | ❌ |
| Distributed agents (remote) | ✅ | ❌ | ✅ | ❌ | |
| Audit log | ✅ | ❌ | ❌ | ❌ | ❌ |
| Security scanning (Trivy) | ✅ | ❌ | ❌ | ❌ | ❌ |
| Semver-aware updates | ✅ | ✅ | ✅ | ❌ | ❌ |
| Digest watching | ✅ | ✅ | ✅ | ✅ | ✅ |
| Multi-arch (amd64/arm64) | ✅ | ✅ | ✅ | ✅ | ✅ |
| Container log viewer | ✅ | ❌ | ❌ | ❌ | ❌ |
| Actively maintained | ✅ | ✅ | ✅ | ❌ | ❌ |
Data based on publicly available documentation as of March 2026. Contributions welcome if any information is inaccurate.
Migrating from WUD (What's Up Docker?)
Drop-in replacement — swap the image, restart, done. All WUD_* env vars and wud.* labels are auto-mapped at startup. State file migrates automatically. Use config migrate --dry-run to preview, then config migrate --file .env --file compose.yaml to rewrite config to drydock naming.
Version themes & highlights
High-level themes only — see CHANGELOG.md for per-release detail.
| Version | Theme | Highlights |
|---|---|---|
| v1.3.x ✅ | Security & Stability | Trivy scanning, Update Bouncer, SBOM, 7 new registries, 4 new triggers, re2js regex engine |
| v1.4.x ✅ | UI Modernization & Hardening | Tailwind 4 + custom components, 6 themes, Cmd/K palette, OpenAPI 3.1, compose-native YAML updates, dual-slot scanning, OIDC hardening |
| v1.5.0 ✅ | Observability & i18n | trigger taxonomy split (DD_ACTION_*/DD_NOTIFICATION_*), WebSocket log viewer, dashboard customization, resource monitoring, notification outbox + DLQ, security scan digest, 17 locales, SSE Last-Event-ID replay, edge agent dial-out with Ed25519 auth (experimental, DD_EXPERIMENTAL_PORTWING=true) |
| v1.5.1 | Security & Maintenance | GCR/GAR pull-auth fix, registry TLS completion (M-2), hook env-var injection hardening, DD_SESSION_SECRET__FILE support, debug-dump credential redaction, secret-file permission check, maturity gate deadlock fix, full UI translatability + community translations, maintenance-window auto-apply gate |
| v1.6.0 | Scanner Decoupling & Release Intel | Backend-based scanner + Grype, notification templates, declarative update policy, table-only UI, SBOM off-heap storage |
| v1.7.0 | Smart Updates & UX | Dependency-aware ordering, image prune, static image monitoring, keyboard shortcuts, PWA |
| v1.8.0 | Fleet Management & Live Config | YAML config, live UI config, volume browser, parallel updates, SQLite store migration |
| v2.0+ | Platform Expansion & Beyond | Swarm/Kubernetes watchers, GitOps, health gates, canary deploys, web terminal, RBAC, LDAP/AD, Podman, CLI, Wolfi hardened image, socket proxy |
| Resource | Link |
|---|---|
| Website | getdrydock.com |
| Live Demo | demo.getdrydock.com |
| Docs | getdrydock.com/docs |
| Configuration | Configuration |
| Quick Start | Quick Start |
| Changelog | CHANGELOG.md |
| Deprecations | DEPRECATIONS.md |
| Roadmap | See Roadmap section above |
| Contributing | CONTRIBUTING.md |
| Issues | GitHub Issues |
| Discussions | GitHub Discussions — feature requests & ideas welcome |
Thanks to the users who helped test v1.4.0 and v1.5.0 release candidates and reported bugs:
@RK62 · @flederohr · @rj10rd · @larueli · @Waler · @ElVit · @nchieffo · @begunfx · @Ra72xx
| Tool | Role |
|---|---|
| drydock | Container update monitoring — web UI and notification engine |
| portwing | Remote Docker agent — secure socket-level access from Drydock or standalone |
| sockguard | Docker socket proxy — default-deny allowlist filter protecting the socket |
These three tools are designed to layer: sockguard filters the socket, portwing exposes it remotely, and drydock monitors and acts on container state.