https://github.com/bogdanpricop/docker-dash
Lightweight Docker management dashboard β 55+ features, vulnerability scanning, Git integration, agentless multi-host, workflow automation. Self-hosted Portainer alternative. MIT license, 384 tests, zero build step.
https://github.com/bogdanpricop/docker-dash
container-management dashboard devops docker docker-management gitops nodejs portainer-alternative self-hosted sqlite vanilla-js vulnerability-scanning
Last synced: 5 days ago
JSON representation
Lightweight Docker management dashboard β 55+ features, vulnerability scanning, Git integration, agentless multi-host, workflow automation. Self-hosted Portainer alternative. MIT license, 384 tests, zero build step.
- Host: GitHub
- URL: https://github.com/bogdanpricop/docker-dash
- Owner: bogdanpricop
- License: mit
- Created: 2026-03-27T06:15:44.000Z (14 days ago)
- Default Branch: main
- Last Pushed: 2026-03-31T10:26:36.000Z (10 days ago)
- Last Synced: 2026-04-03T02:59:21.106Z (8 days ago)
- Topics: container-management, dashboard, devops, docker, docker-management, gitops, nodejs, portainer-alternative, self-hosted, sqlite, vanilla-js, vulnerability-scanning
- Language: JavaScript
- Homepage:
- Size: 6.91 MB
- Stars: 2
- Watchers: 2
- Forks: 1
- Open Issues: 5
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
Awesome Lists containing this project
README
π³ Docker Dash
A lightweight, full-featured Docker management dashboard.
Self-hosted alternative to Portainer β built with Node.js, vanilla JavaScript, and SQLite.
-brightgreen)
Quick Start β’
Features β’
Screenshots β’
Comparison β’
Multi-Host β’
Contributing
**Zero dependencies to deploy** β just Docker. No external database, no Redis, no build step.
## Screenshots
Dashboard (Dark)
Dashboard (Light)
Containers
Containers (Light)
Container Detail
Terminal (xterm.js)
Security Scanning
Image Management
Network Topology
Dependency Map
Cost Optimizer
Insights
Stacks
Multi-Host
API Playground
Notifications
## Features
### Core
- **Container Management** β Start, stop, restart, pause, kill, remove, clone, rename, update/recreate
- **Image Management** β Pull with streaming progress, remove, tag, import/export, build from Dockerfile
- **Volume Management** β Create, remove, inspect with real disk usage sizes
- **Network Management** β Create, remove, connect/disconnect containers, inspect IPAM config
- **Bulk Actions** β Checkbox selection + floating bar for batch start/stop/restart/remove
- **Container File Browser** β Navigate, view, and download files inside running containers
- **Container Diff** β See filesystem changes vs base image with color-coded entries
### Monitoring & Intelligence
- **Real-time Dashboard** β Customizable live CPU/memory charts (WebSocket, 10s interval, toggle widgets)
- **Container Health Score** β Composite 0-100 score with color dots in list view + summary bar
- **Resource Trends & Forecasting** β 7-day linear regression with 24h CPU/memory projection
- **Memory Exhaustion Prediction** β "will exceed limit in N hours" warning
- **Plain-English Status** β Exit codes mapped to messages (137=OOM, 143=SIGTERM, etc.)
- **Network Topology** β Interactive canvas map with drag, zoom, pan, hover highlighting
- **Dependency Map** β Interactive graph showing container relationships (env vars, networks, links)
- **Uptime Reports** β Per-container uptime %, restart count, first/last seen
- **Cost Optimizer** β Per-container cost breakdown, idle detection, savings recommendations
- **Image Freshness Dashboard** β Freshness score based on age + vulnerability count
- **Audit Log Analytics** β Top users, top actions, activity heatmap by hour/day
- **Notifications Center** β Dedicated page with filters, pagination, bulk mark-read/delete
### Security
- **Vulnerability Scanning** β Trivy + Grype + Docker Scout with automatic detection and fallback
- **Safe-Pull Updates** β Pull new image β scan for vulns β only swap if clean (blocks critical CVEs)
- **Deployment Pipelines** β Staged pull β scan β swap β verify β notify with full history
- **Security Dashboard** β Scan history, per-image status, AI-assisted remediation prompts
- **AI Container Doctor** β Diagnostics + 30 log pattern matchers + AI prompt generator
- **Guided Troubleshooting** β 8-step diagnostic wizard (state, health, logs, ports, volumes, resources)
- **Container Rollback** β One-click revert to previous image with version history
- **First-login Setup Wizard** β Forces password change, recommends disabling default admin
### Git Integration (GitOps)
- **Deploy from Git** β Clone repos, select branch, compose file path, deploy with one click
- **Auto-Deploy** β Webhook receiver (GitHub, GitLab, Gitea, Bitbucket) + polling-based updates
- **Deployment History** β Full audit trail with commit hash, trigger type, duration, rollback
- **Diff View** β See exactly what changed before redeploying
- **Push to Git** β Edit compose in UI, commit and push back to repository
- **Git Credentials** β Token, basic auth, SSH key (AES-256-GCM encrypted)
- **Multi-file Compose** β Multiple YAML override files per stack
- **Environment Overrides** β Per-stack env vars with sensitive value encryption
### Multi-Host
- **TCP + TLS** β Connect remote Docker hosts over the network with mutual TLS
- **SSH Tunnel** β Secure tunnel via SSH (no need to expose Docker API)
- **Docker Desktop** β Connect to Windows/Mac Docker Desktop instances
- **Podman Compatible** β Works with Podman via Docker-compatible API socket
- **Host Selector** β Switch between hosts from the sidebar dropdown
### Operations
- **Stacks Page** β Unified Compose + Git stacks management with actions (up/down/restart/pull)
- **Docker Compose Editor** β Edit, validate, save & deploy compose configs inline
- **Terminal** β Full xterm.js terminal with shell selection (`sh`, `bash`, `zsh`, `ash`)
- **Alerts** β CPU/memory threshold rules with 7 notification channels
- **Notifications** β Discord, Slack, Telegram, Ntfy, Gotify, Email (SMTP), Custom Webhook
- **Workflow Automation** β IF-THEN rules (CPU high β restart, container crash β notify, etc.)
- **Scheduled Actions** β Cron-based container actions with presets, history, run-now, enable/disable
- **Maintenance Windows** β Scheduled pull/scan/update with block-on-critical
- **Firewall** β View and manage UFW rules (Linux)
- **Container Groups** β User-defined grouping with colors, beyond Docker Compose projects
### Developer Tools
- **API Playground** β Browse and test all 230+ API endpoints from the UI with response viewer
- **docker run β Compose** β Paste any docker run command, get docker-compose YAML
- **AI Log Analysis** β Generate diagnostic prompts for ChatGPT/Claude from container logs
- **Traefik/Caddy Labels** β Generate reverse proxy labels from domain + port
- **App Templates** β 30 built-in + custom templates with CRUD, preview, and modification tracking
- **Deploy Preview** β Check for image updates via digest comparison before pulling
- **Resource Limits Editor** β Visual sliders with presets for CPU and memory
- **Resource Recommendations** β Smart advice: over-provisioned, memory pressure, idle containers
### Platform
- **Multi-user** β Admin, operator, viewer roles with session management
- **SSO Authentication** β Authelia, Authentik, Caddy forward_auth, Traefik (header-based)
- **Audit Log** β Every action logged with user, timestamp, IP address
- **Public Status Page** β Unauthenticated status page for selected services
- **Container Metadata** β Custom labels, descriptions, links, categories, owner, notes
- **Dark/Light Theme** β Per-user sync across devices, system-aware toggle, mobile responsive
- **i18n** β 11 languages: English, Romanian, German, Italian, French, Spanish, Portuguese, Chinese, Japanese, Korean, Klingon ([add yours](public/js/i18n/README.md))
- **Klingon Easter Egg** β Full activation animation with sound, dagger cursor, red theme
- **Command Palette** β Ctrl+K quick navigation with keyboard shortcuts
- **Watchtower Detection** β Auto-detect and migrate from Watchtower to native safe-pull
- **Prometheus Metrics** β `/api/metrics` endpoint for Grafana integration
- **Self-Reporting Footprint** β Docker Dash memory, uptime, DB size at `/api/footprint`
- **384 Tests** β 29 test suites covering auth, RBAC, security, CRUD, services (100% passing)
## Quick Start
```bash
# Clone the repository
git clone https://github.com/bogdanpricop/docker-dash.git
cd docker-dash
# Copy and configure environment
cp .env.example .env
# Edit .env β at minimum change APP_SECRET and ADMIN_PASSWORD
# Start with Docker Compose
docker compose up -d
# Open in browser
open http://localhost:8101
```
Default credentials: `admin` / `admin` β on first login, a **security setup wizard** will require you to change the password.
## Requirements
- Docker Engine 20.10+ (or Docker Desktop 4.x+)
- Docker Compose v2
- ~50MB RAM, minimal CPU
## Architecture
```
βββββββββββββββββββ βββββββββββββββββββββ
β Browser SPA ββββββΈβ Node.js/Express β
β (vanilla JS) βββββββ REST + WebSocketβ
βββββββββββββββββββ ββββββββββ¬βββββββββββ
β
ββββββββββββββΌβββββββββββββ
β β β
βββββββ΄βββββββ βββββ΄βββββ βββββββ΄ββββββ
β SQLite β β Docker β β Docker β
β (embedded) β β Local β β Remote β
β WAL mode β β Socket β β TCP/SSH β
ββββββββββββββ ββββββββββ βββββββββββββ
```
| Layer | Technology |
|-------|-----------|
| Backend | Node.js 20, Express 4, dockerode, better-sqlite3, ws, ssh2 |
| Frontend | Vanilla JavaScript SPA, Chart.js, xterm.js, Font Awesome (CDN) |
| Database | SQLite with WAL mode, auto-aggregation, configurable retention |
| Security | bcrypt, Helmet CSP, rate limiting, session-based auth, Bearer token fallback |
| Scanning | Trivy (OSS), Grype (Anchore), Docker Scout (SARIF format) |
**Zero build step** β no webpack, no bundler, no transpiler. Frontend files are served as-is.
## Multi-Host
Docker Dash can manage multiple Docker hosts from a single instance:
| Method | Use Case | Requirements |
|--------|----------|-------------|
| **TCP + TLS** | Remote Linux servers | Docker API exposed on port 2376 + TLS certificates |
| **Docker Desktop** | Windows / Mac | "Expose daemon on TCP" enabled in DD Settings |
| **SSH Tunnel** | Secure remote (no API exposure) | SSH access + `socat` installed + user in `docker` group |
| **Unix Socket** | Local (default) | Docker socket mounted (automatic) |
The app includes a **built-in setup guide** (Hosts page) with step-by-step instructions for each method, including TLS certificate generation and per-OS `socat` installation commands.
## Podman Support
Docker Dash works with **Podman** via its Docker-compatible API. No code changes needed.
```bash
# 1. Enable the Podman socket
systemctl --user enable --now podman.socket # rootless
# or
sudo systemctl enable --now podman.socket # rootful
# 2. Set the socket path in .env
echo 'DOCKER_SOCKET=/run/podman/podman.sock' >> .env # rootful
# or
echo 'DOCKER_SOCKET=/run/user/1000/podman/podman.sock' >> .env # rootless
# 3. Start Docker Dash
docker compose up -d # or podman-compose up -d
```
**Known differences:** Podman lacks Docker Compose labels (`com.docker.compose.project`), so containers won't auto-group into stacks. Use Docker Dash's Container Groups feature instead.
## Configuration
All config via environment variables. See [`.env.example`](.env.example) for the full list.
| Variable | Default | Description |
|----------|---------|-------------|
| `APP_PORT` | `8101` | HTTP port |
| `APP_SECRET` | β | **Required.** Session signing key |
| `ADMIN_PASSWORD` | `admin` | Initial admin password (first launch only) |
| `ENCRYPTION_KEY` | β | Encrypt registry credentials at rest |
| `STATS_INTERVAL_MS` | `10000` | Stats collection interval (ms) |
| `STATS_RAW_RETENTION_HOURS` | `24` | Keep raw stats for N hours |
| `EVENT_RETENTION_DAYS` | `7` | Keep Docker events for N days |
| `ENABLE_EXEC` | `true` | Allow terminal exec into containers |
| `READ_ONLY_MODE` | `false` | Disable all write operations |
## Development
```bash
# Install dependencies
npm install
# Start in development mode (auto-reload on file changes)
npm run dev
# Open http://localhost:8101
```
No build step needed. Edit any `.js` or `.css` file and refresh the browser.
## Adding a Language
Docker Dash uses a modular i18n system. To add a new language:
1. Copy `public/js/i18n/TEMPLATE.js` to `public/js/i18n/{code}.js`
2. Translate the values (keys stay in English)
3. Add one `` tag in `index.html`
That's it β the language appears automatically in the selector. See [`public/js/i18n/README.md`](public/js/i18n/README.md) for full instructions.
Currently supported: **English**, **Romanian**, **German**, **Italian**, **French**, **Spanish**, **Portuguese**, **Chinese**, **Japanese**, **Korean**, **Klingon** (11 languages).
## Project Structure
```
docker-dash/
βββ src/
β βββ config/ # Environment-based configuration
β βββ db/ # SQLite setup + 32 auto-migrations
β βββ middleware/ # Auth, rate limiting, hostId extraction
β βββ routes/ # REST API (containers, images, volumes, networks, hosts, ...)
β βββ services/ # Business logic (docker, stats, alerts, ssh-tunnel, registry)
β βββ ws/ # WebSocket server (exec, live logs, live stats)
β βββ utils/ # Logger, helpers
βββ public/
β βββ js/
β β βββ i18n/ # Language files (11 languages + TEMPLATE.js)
β β βββ pages/ # SPA pages (dashboard, containers, images, security, hosts, ...)
β β βββ components/ # Reusable UI (modal, toast, data table)
β β βββ api.js # HTTP client with auto host-context
β β βββ ws.js # WebSocket client with reconnect
β β βββ app.js # Router, auth, sidebar, command palette
β βββ css/app.css # Single stylesheet, CSS variables, dark/light themes
βββ docs/
β βββ screenshots/ # UI screenshots for README
βββ Dockerfile # Multi-stage: base β deps β production
βββ docker-compose.yml # Production-ready with health check
βββ .env.example # All variables documented
```
## Comparison
**75+ features compared, 40+ exclusive to Docker Dash.** See the interactive comparison at `#/compare` in the app, or via `GET /api/compare`.
| Feature | Docker Dash | Portainer CE | Dockge | Dockhand |
|---------|:-----------:|:------------:|:------:|:--------:|
| Container CRUD | Yes | Yes | Compose only | Yes |
| Image Management | Yes | Yes | No | Yes |
| Volume / Network Management | Yes | Yes | No | Yes |
| **Network Topology** | **Yes** | No | No | No |
| **Dependency Map** | **Yes** | No | No | No |
| Real-time Stats (WebSocket) | Yes | Yes | Basic | Yes |
| Terminal (xterm.js) | Yes | Yes | Yes | Yes |
| **Container File Browser** | **Yes** | Yes ($) | No | No |
| **Container Diff** | **Yes** | No | No | No |
| Vulnerability Scanning | Trivy + Grype + Scout | No | No | Grype + Trivy |
| **Safe-Pull + Pipeline** | **5-stage** | No | No | Basic |
| **Container Rollback** | **Yes** | No | No | No |
| Multi-Host (agentless) | Yes | Agent required | Agent | Yes |
| **Git Integration** | **Yes** | BE only ($) | No | No |
| **Webhooks + Polling** | **Yes** | BE only ($) | No | No |
| **Audit Log** | **Yes** | BE only ($) | No | No |
| **Alerts (7 channels)** | **Yes** | BE only ($) | No | No |
| **SSO (Authelia/Authentik)** | **Yes** | BE only ($) | No | No |
| **Health Score (0-100)** | **Yes** | No | No | No |
| **AI Container Doctor** | **Yes** | No | No | No |
| **Resource Forecasting** | **Yes** | No | No | No |
| **Cost Optimizer** | **Yes** | No | No | No |
| **Insights Dashboard** | **Yes** | No | No | No |
| **Workflow Automation** | **Yes** | No | No | No |
| **Scheduled Actions (cron)** | **Yes** | No | No | No |
| **Bulk Actions** | **Yes** | Yes | No | No |
| **Cross-Host Migration** | **Zero-downtime** | No | No | No |
| **Stack Export/Import** | **Yes** | No | No | No |
| **Compose Editor** | **Yes** | Yes ($) | Yes | No |
| **Troubleshooting Wizard** | **Yes** | No | No | No |
| **Public Status Page** | **Yes** | No | No | No |
| **Daily Auto-Backup** | **Yes** | No | No | No |
| **Notifications Center** | **Yes** | Basic | No | No |
| **API Playground** | **Yes** | Swagger ($) | No | No |
| **Container Groups** | **Yes** | No | No | No |
| **Dashboard Widgets** | **Configurable** | Fixed | No | No |
| App Templates | 30 + custom | 500+ community | No | No |
| i18n | 11 languages | Partial | No | No |
| Command Palette + Shortcuts | Yes | No | No | No |
| Mobile Responsive | Yes | Yes | Yes | Yes |
| Test Suite | **384 tests (100%)** | Yes | No | No |
| Build Step | **None** | Angular | Required | Required |
| Container Size | **~80MB** | ~250MB | ~100MB | ~80MB |
| RAM Usage | **~50MB** | ~200MB | ~50MB | ~60MB |
| License | **MIT** | Zlib | MIT | BSL 1.1 |
> **40+ features** are exclusive to Docker Dash β no competitor has them.
> **6 features** that Portainer locks behind paid Business Edition are **free** in Docker Dash.
## License
[MIT](LICENSE) β free for personal and commercial use.
## Security
Docker Dash takes security seriously. See [SECURITY.md](SECURITY.md) for our full security policy.
### Docker Socket Access
Docker Dash requires access to the Docker socket (`/var/run/docker.sock`). This is **equivalent to root access** on the host. This is the same requirement as Portainer, Dockge, and all other Docker management UIs.
**Mitigations in place:**
- Socket mounted **read-only** (`:ro`) in production docker-compose
- `no-new-privileges` security option enabled
- Role-based access control (admin/operator/viewer)
- Feature flags to disable dangerous operations (`ENABLE_EXEC=false`, `READ_ONLY_MODE=true`)
- Audit log for every action with user, timestamp, and IP
- Rate limiting on all API endpoints
- Session-based auth with bcrypt + SHA-256 hashed tokens
**Recommendations for production:**
- Deploy behind HTTPS reverse proxy (Caddy config included)
- Set strong `APP_SECRET` and `ENCRYPTION_KEY` (app refuses to start without them)
- Set `COOKIE_SECURE=true` when behind HTTPS
- Disable exec terminal if not needed (`ENABLE_EXEC=false`)
- Use read-only mode for monitoring-only deployments (`READ_ONLY_MODE=true`)
- Restrict network access to trusted IPs
- Consider [docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) to limit API access (allow only read operations)
- Review [SECURITY.md](SECURITY.md) for responsible disclosure process
### Security Audit Results
| Audit | Date | Score | Critical Issues |
|-------|------|-------|----------------|
| Tech Debt Scan | 2026-03-27 | 33 items found | All 4 CRITICAL fixed |
| Production Readiness | 2026-03-28 | 9.2/10 | All P0+P1 resolved |
| Shell Injection | 2026-03-28 | 0 vectors | All execSync eliminated |
### Known Security Tradeoffs
These are conscious design decisions documented in [SECURITY.md](SECURITY.md):
1. **CSP allows `unsafe-eval`** (but NOT `unsafe-inline`) β `unsafe-eval` required by Chart.js. All 67 inline handlers were converted to addEventListener in v5.0. XSS mitigated by output escaping on all user content (400+ `escapeHtml()` calls).
2. **WebSocket accepts token via query string** β fallback for browsers that block cookies (Edge Tracking Prevention). Cookie-based auth is always preferred. Usage is logged.
3. **Mixed auth model (cookie + Bearer + API key)** β cookies for browser UI, Bearer for API/CLI, API keys for integrations. All validate against the same session store.
### Test Coverage
- **384 tests** across **29 test files** (100% passing)
- Unit tests: crypto, helpers, validation, git patterns
- Integration tests: auth flow, API endpoints, RBAC, security
- CI runs on every push via GitHub Actions
## Contributing
Contributions are welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for:
- Development setup
- Architecture principles (no build step, no framework)
- How to add pages, API endpoints, database migrations
- How to add a language translation
- Pull request checklist
## Acknowledgments
Built with:
- [dockerode](https://github.com/apocas/dockerode) β Docker API client
- [better-sqlite3](https://github.com/WiseLibs/better-sqlite3) β SQLite driver
- [xterm.js](https://xtermjs.org/) β Terminal emulator
- [Chart.js](https://www.chartjs.org/) β Charts
- [Trivy](https://trivy.dev/) β Vulnerability scanner
- [Grype](https://github.com/anchore/grype) β Vulnerability scanner by Anchore
- [ssh2](https://github.com/mscdex/ssh2) β SSH client
- [Font Awesome](https://fontawesome.com/) β Icons