https://github.com/codeswhat/drydock

Open source container update monitoring — 23 registries, 20 notification triggers, audit log, OIDC auth, Prometheus metrics, and a modern dashboard.
containers devops docker docker-compose homelab monitoring notifications prometheus self-hosted typescript vuejs watchtower-alternative


> [!IMPORTANT]
> **Trivy Supply Chain Compromise (GHSA-69fq-xp46-6x23):** Drydock is **not affected**. We do not use the compromised GitHub Actions, the bundled Trivy binary is pinned to a safe version (v0.69.3), and all CI actions are SHA-pinned. No compromised code was ever pulled or shipped. [Full advisory →](https://getdrydock.com/security/trivy-supply-chain-march-2026)



drydock


**Open source container update monitoring — built in TypeScript with modern tooling.**



## 📑 Contents

- [📖 Documentation](https://getdrydock.com/docs)
- [🚀 Quick Start](#quick-start)
- [🆕 Recent Updates](#recent-updates)
- [📸 Screenshots & Live Demo](#screenshots)
- [✨ Features](#features)
- [🔌 Supported Integrations](#supported-integrations)
- [⚖️ Feature Comparison](#feature-comparison)
- [🔄 Migration](#migration)
- [🗺️ Roadmap](#roadmap)
- [⭐ Star History](#star-history)
- [🔧 Built With](#built-with)
- [🤝 Community QA](#community-qa)


## 🚀 Quick Start

**Recommended: use a socket proxy** to restrict which Docker API endpoints Drydock can access. This avoids giving the container full access to the Docker socket.

```yaml
services:
  drydock:
    image: codeswhat/drydock
    depends_on:
      socket-proxy:
        condition: service_healthy
    environment:
      - DD_WATCHER_LOCAL_HOST=socket-proxy
      - DD_WATCHER_LOCAL_PORT=2375
      - DD_AUTH_BASIC_ADMIN_USER=admin
      - "DD_AUTH_BASIC_ADMIN_HASH="
    ports:
      - 3000:3000

  socket-proxy:
    image: tecnativa/docker-socket-proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - CONTAINERS=1
      - IMAGES=1
      - EVENTS=1
      - SERVICES=1
      # Add POST=1 and NETWORKS=1 for container actions and auto-updates
    healthcheck:
      test: wget --spider http://localhost:2375/version || exit 1
      interval: 5s
      timeout: 3s
      retries: 3
      start_period: 5s
    restart: unless-stopped
```

Alternative: quick start with direct socket mount

```bash
docker run -d \
  --name drydock \
  -p 3000:3000 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e DD_AUTH_BASIC_ADMIN_USER=admin \
  -e "DD_AUTH_BASIC_ADMIN_HASH=" \
  codeswhat/drydock:latest
```

> **Warning:** Direct socket access grants the container full control over the Docker daemon. Use the socket proxy setup above for production deployments. See the [Docker Socket Security guide](https://getdrydock.com/docs/configuration/watchers#docker-socket-security) for all options including remote TLS and rootless Docker.

> Generate a password hash (`argon2` CLI — install via your package manager):
>
> ```bash
> echo -n "yourpassword" | argon2 $(openssl rand -base64 32) -id -m 16 -t 3 -p 4 -l 64 -e
> ```
>
> Or with Node.js 24+ (no extra packages needed):
>
> ```bash
> node -e 'const c=require("node:crypto");const s=c.randomBytes(32);const h=c.argon2Sync("argon2id",{message:process.argv[1],nonce:s,memory:65536,passes:3,parallelism:4,tagLength:64});console.log("argon2id$65536$3$4$"+s.toString("base64")+"$"+h.toString("base64"));' "yourpassword"
> ```
>
> Legacy v1.3.9 Basic auth hashes (`{SHA}`, `$apr1$`/`$1$`, `crypt`, and plain) are accepted for upgrade compatibility but deprecated (removed in v1.6.0). Argon2id is recommended for all new configurations.
> Authentication is **required by default**. See the [auth docs](https://getdrydock.com/docs/configuration/authentications) for OIDC, anonymous access, and other options.
> To explicitly allow anonymous access on fresh installs, set `DD_ANONYMOUS_AUTH_CONFIRM=true`.
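
A lint for the value that goes into `DD_AUTH_BASIC_ADMIN_HASH`, as an added example (not drydock's own code). It assumes the two field layouts produced by the generator commands above and treats the parameters those commands use as the minimum; all function names are hypothetical.

```javascript
// Added example, not drydock code. Field layouts are assumptions taken from
// the two generator commands above; function names are hypothetical.
const MINIMUM = { memory: 65536, passes: 3, parallelism: 4, tagLength: 64 };
// Legacy prefixes named in the README (crypt and plain have no fixed prefix).
const LEGACY = [/^\{SHA\}/, /^\$apr1\$/, /^\$1\$/];

// Decode base64 with or without padding; null if other characters appear.
function decodeB64(text) {
  return /^[A-Za-z0-9+/]+={0,2}$/.test(text) ? Buffer.from(text, "base64") : null;
}

function parseHash(value) {
  // Node one-liner layout: argon2id$memory$passes$parallelism$salt$hash
  const node = /^argon2id\$(\d+)\$(\d+)\$(\d+)\$([^$]+)\$([^$]+)$/;
  // argon2 CLI (-e) layout: $argon2id$v=19$m=..,t=..,p=..$salt$hash
  const cli = /^\$argon2id\$v=\d+\$m=(\d+),t=(\d+),p=(\d+)\$([^$]+)\$([^$]+)$/;
  const m = node.exec(value) || cli.exec(value);
  if (!m) return null;
  const salt = decodeB64(m[4]);
  const tag = decodeB64(m[5]);
  if (!salt || !tag) return null;
  return {
    memory: Number(m[1]), passes: Number(m[2]), parallelism: Number(m[3]),
    saltLength: salt.length, tagLength: tag.length,
  };
}

function lintHash(value) {
  if (!value) return { ok: false, problems: ["empty value"] };
  if (LEGACY.some((re) => re.test(value))) {
    return { ok: false, problems: ["legacy hash format, deprecated"] };
  }
  const parsed = parseHash(value);
  if (!parsed) {
    // Typical cause: "$..." fields expanded away by a shell or by Compose.
    return { ok: false, problems: ["malformed argon2id value, check '$' expansion"] };
  }
  const problems = Object.keys(MINIMUM)
    .filter((key) => parsed[key] < MINIMUM[key])
    .map((key) => `${key}=${parsed[key]} is below ${MINIMUM[key]}`);
  return { ok: problems.length === 0, problems, parsed };
}

// In a Compose file "$" starts a variable reference; "$$" is a literal "$".
function escapeForCompose(value) {
  return value.replace(/\$/g, "$$$$");
}

// Constructed sample (fixed bytes, not a real credential).
const sample = ["argon2id", 65536, 3, 4,
  Buffer.alloc(32, 1).toString("base64"),
  Buffer.alloc(64, 2).toString("base64")].join("$");
console.log(lintHash(sample), escapeForCompose(sample));
```
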

The image includes `trivy` and `cosign` binaries for local vulnerability scanning and image verification.

See the [Quick Start guide](https://getdrydock.com/docs/quickstart) for Docker Compose, socket security, reverse proxy, and alternative registries.


## 🆕 Recent Updates

- **Real-time container log viewer** — WebSocket-based live log streaming with ANSI color rendering, JSON syntax highlighting, regex search, and gzip download.
- **Dashboard customization** — Drag-to-reorder, resize, and per-widget visibility toggles with a dedicated edit mode.
- **Digest notifications** — Batch update events with `MODE=digest` and configurable `DIGESTCRON`.
- **Design system components** — `AppIconButton`, `AppBadge`, `StatusDot`, `DetailField`, `AppTabBar` with WCAG 2.5.8 touch targets.
- **Floating tag detection** — `tagPrecision` classifier warns when mutable aliases like `v3` are used without digest watching.
- **Podman compatibility** — API version negotiation prevents `EAI_AGAIN` crashes with Podman socket connections.
- **Bearer token auth for `/metrics`** — `DD_SERVER_METRICS_TOKEN` for Prometheus scrapers without session auth.
- **Toast notifications** — Success/error feedback for all container actions with auto-dismiss.


## 📸 Screenshots & Live Demo

**Why look at screenshots when you can experience it yourself?**

[Try the Live Demo](https://demo.getdrydock.com)

Fully interactive — real UI, mock data, no install required. Runs entirely in-browser.


## ✨ Features

- **Container Monitoring:** Auto-detect running containers and check for image updates across registries
- **20 Notification Triggers:** Slack, Discord, Telegram, Teams, Matrix, SMTP, MQTT, HTTP webhooks, Gotify, NTFY, and more
- **23 Registry Providers:** Docker Hub, GHCR, ECR, GCR, GAR, GitLab, Quay, Harbor, Artifactory, Nexus, and more
- **Docker Compose Updates:** Auto-pull and recreate services via Docker Engine API with YAML-preserving service-scoped image patching
- **Distributed Agents:** Monitor remote Docker hosts with SSE-based agent architecture
- **Audit Log:** Event-based audit trail with persistent storage, REST API, and Prometheus counter
- **OIDC Authentication:** Authelia, Auth0, Authentik; secure your dashboard with OpenID Connect
- **Prometheus Metrics:** Built-in `/metrics` endpoint with optional auth bypass for monitoring stacks
- **Image Backup & Rollback:** Automatic pre-update image backup with configurable retention and one-click rollback
- **Container Actions:** Start, stop, restart, and update containers from the UI or API with feature-flag control
- **Webhook API:** Token-authenticated CI/CD endpoints for watch/update actions plus signed registry webhook ingestion for push events
- **Container Grouping:** Smart stack detection via compose project or labels with collapsible groups and batch-update
- **Digest Notifications:** Batch update events over a schedule with trigger `MODE=digest` and configurable digest cron windows
- **System Log Streaming:** Real-time WebSocket system log view in the UI with shared log viewer components
- **Advanced List API:** Container list supports queryable sort/order, watched-kind, runtime status, watcher, and maturity filters
- **Lifecycle Hooks:** Pre/post-update shell commands via container labels with configurable timeout and abort control
- **Auto Rollback:** Automatic rollback on health check failure with configurable monitoring window and interval
- **Graceful Self-Update:** DVD-style animated overlay during drydock's own container update with auto-reconnect
- **Icon CDN:** Auto-resolved container icons via selfhst/icons with homarr-labs fallback and bundled selfhst seeds for internetless startup
- **Mobile Responsive:** Fully responsive dashboard with optimized mobile breakpoints for all views
- **Multi-Registry Publishing:** Available on GHCR, Docker Hub, and Quay.io for flexible deployment


## 🔌 Supported Integrations

### 📦 Registries (23)

Docker Hub · GHCR · ECR · ACR · GCR · GAR · GitLab · Quay · LSCR · Harbor · Artifactory · Nexus · Gitea · Forgejo · Codeberg · MAU · TrueForge · Custom · DOCR · DHI · IBM Cloud · Oracle Cloud · Alibaba Cloud

### 🔔 Triggers (20)

Apprise · Command · Discord · Docker · Docker Compose · Google Chat · Gotify · HTTP · IFTTT · Kafka · Matrix · Mattermost · MQTT · MS Teams · NTFY · Pushover · Rocket.Chat · Slack · SMTP · Telegram

### 🔐 Authentication

Anonymous (opt-in via `DD_ANONYMOUS_AUTH_CONFIRM=true`) · Basic (username + password hash) · OIDC (Authelia, Auth0, Authentik). All auth flows fail closed by default.

API note: `POST /api/v1/containers/:id/env/reveal` is currently scoped to authentication only (no per-container RBAC yet), so any authenticated user is treated as a trusted operator for secret reveal actions. The unversioned `/api/containers/:id/env/reveal` alias remains available during the API-version transition.

OpenAPI note: machine-readable API docs are available at `GET /api/v1/openapi.json` (canonical) and `GET /api/openapi.json` (compatibility alias during transition).

API versioning note: third-party integrations should migrate to `/api/v1/*`. The unversioned `/api/*` alias is deprecated and will be removed in v1.6.0.

### 🥊 Update Bouncer

Trivy-powered vulnerability scanning blocks unsafe updates before they deploy. Includes cosign signature verification and SBOM generation (CycloneDX & SPDX).


## ⚖️ Feature Comparison

How does drydock compare to other container update tools?

> ✅ = supported   ❌ = not supported   ⚠️ = partial / limited   For the full itemized changelog, see [CHANGELOG.md](CHANGELOG.md).

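| Feature | drydock | WUD | Diun | Watchtower † | Ouroboros † |
| --- | --- | --- | --- | --- | --- |
| Web UI / Dashboard | ✅ | ✅ | ❌ | ❌ | ❌ |
| Auto-update containers | ✅ | ✅ | ❌ | ✅ | ✅ |
| Docker Compose updates | ✅ | ✅ | ❌ | ⚠️ | ❌ |
| Notification triggers | 20 | 16 | 17 | ~19 | ~6 |
| Registry providers | 23 | 13 | ⚠️ | ⚠️ | ⚠️ |
| OIDC / SSO authentication | ✅ | ✅ | ❌ | ❌ | ❌ |
| REST API | ✅ | ✅ | ⚠️ | ⚠️ | ❌ |
| Prometheus metrics | ✅ | ✅ | ❌ | ✅ | ✅ |
| MQTT / Home Assistant | ✅ | ✅ | ✅ | ❌ | ❌ |
| Image backup & rollback | ✅ | ❌ | ❌ | ❌ | ❌ |
| Container grouping / stacks | ✅ | ✅ | ❌ | ⚠️ | ❌ |
| Lifecycle hooks (pre/post) | ✅ | ❌ | ❌ | ✅ | ❌ |
| Webhook API for CI/CD | ✅ | ❌ | ❌ | ✅ | ❌ |
| Container start/stop/restart/update | ✅ | ❌ | ❌ | ❌ | ❌ |
| Distributed agents (remote) | ✅ | ❌ | ✅ | ⚠️ | ❌ |
| Audit log | ✅ | ❌ | ❌ | ❌ | ❌ |
| Security scanning (Trivy) | ✅ | ❌ | ❌ | ❌ | ❌ |
| Semver-aware updates | ✅ | ✅ | ✅ | ❌ | ❌ |
| Digest watching | ✅ | ✅ | ✅ | ✅ | ✅ |
| Multi-arch (amd64/arm64) | ✅ | ✅ | ✅ | ✅ | ✅ |
| Container log viewer | ✅ | ❌ | ❌ | ❌ | ❌ |
| Actively maintained | ✅ | ✅ | ✅ | ❌ | ❌ |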

> Data based on publicly available documentation as of March 2026.
> Contributions welcome if any information is inaccurate.


## 🔄 Migration

Migrating from WUD (What's Up Docker?)

Drop-in replacement — swap the image, restart, done. All `WUD_*` env vars and `wud.*` labels are auto-mapped at startup. State file migrates automatically. Use `config migrate --dry-run` to preview, then `config migrate --file .env --file compose.yaml` to rewrite config to drydock naming.


## 🗺️ Roadmap

| Version | Theme | Highlights |
| --- | --- | --- |
| **v1.3.x** ✅ | Security & Stability | Trivy scanning, Update Bouncer, SBOM, 7 new registries, 4 new triggers, rollback fixes, GHCR auth, self-hosted TLS, re2js regex engine, compose trigger fixes, DB persistence on shutdown |
| **v1.4.0** ✅ | UI Modernization & Hardening | Tailwind CSS 4 + custom component library, 6 themes, 7 icon libraries, font size preference, Cmd/K command palette, OpenAPI 3.1.0 endpoint, standardized API responses with pagination, compose-native YAML-preserving updates, rename-first rollback with health gates, self-update controller with SSE ack, fail-closed auth enforcement, OIDC redirect URL validation, tag-family semver, notification rules, container grouping by stack, audit history view, dual-slot security scanning, scheduled scans, WUD migration CLI, bundled offline icons, dashboard drag-reorder, gzip compression, API error sanitization, agent log validation, TLS path redaction, audit store indexing with 30-day retention, type-safe store modules, durable batch scans, recent-status API, advisory-only security scanning, compose trigger hardening (auto-detection, validation, reconciliation, digest pinning, batch mode, multi-file awareness), reactive server feature flags, identity-aware rate limiting, API hardening |
| **v1.4.1** ✅ | Patch & Polish | Headless mode (API-only), maturity-based update policy (NEW/MATURE badges), `?groupByStack=true` URL param, agent handshake + SSE fix (#141), mangled hash detection + anonymous fallback + login error surfacing (#147), CSRF behind reverse proxies (#146), compose trigger affinity across remapped roots, CSP inline style elimination, connection-lost animation, LokiJS metadata stripping, timing side-channel fix, image hardening |
| **v1.4.2** ✅ | Bug Fixes | Watcher container count fix (#155), container recreate alias filtering (#156), stale store data fix (#157), CI versioned-only images (#154), maturity badge sizing, dependency upgrades |
| **v1.4.3** ✅ | DNS & Security | Configurable DNS result ordering for Alpine EAI_AGAIN fix (#161), Docker socket security guide, zizmor blocking in CI, scoped GitHub environments |
| **v1.4.4** ✅ | UI Polish & Hardening | Alias dedup hardening with 30s transient window (#156), dashboard host-status for remote watchers (#155), tooltip viewport fix (#165), click-to-copy version tags (#164), Simple Icons dark mode inversion, theme switcher fix, search button polish, URL rebrand to getdrydock.com |
| **v1.5.0** ✅ | Observability & User-Requested Features | Real-time WebSocket log viewer with ANSI colors + JSON syntax highlighting, dashboard customization (grid layout, drag, resize, widget visibility), container resource monitoring (CPU/memory stats + dashboard widget), diagnostic debug dump, registry webhook receiver, trigger env var aliases (`DD_ACTION_*`/`DD_NOTIFICATION_*`), digest notification mode, design system components (WCAG touch targets, shared primitives), floating tag detection + auto digest watching, bearer token auth for `/metrics`, Podman API version negotiation, toast notifications for all container actions, UI standardization (margins, text sizes, deprecation banners) |
| **v1.5.1** | Scanner Decoupling | Backend-based scanner execution (docker/remote), Grype provider, scanner asset lifecycle |
| **v1.6.0** | Notifications & Release Intel | Notification templates, release notes in notifications, notification preferences UI, cross-device preference sync, software version column, bidirectional MQTT for HA, remove all deprecated compatibility aliases (see [DEPRECATIONS.md](DEPRECATIONS.md)) |
| **v1.7.0** | Smart Updates & UX | Dependency-aware ordering, clickable port links, image prune, static image monitoring, image maturity indicator, keyboard shortcuts, container uptime display, PWA support, debounced container discovery |
| **v1.8.0** | Fleet Management & Live Config | YAML config, live UI config panels, volume browser, parallel updates, SQLite store migration + ID-based container identity, i18n framework + Crowdin integration |
| **v2.0.0** | Platform Expansion | Docker Swarm, Kubernetes watchers and triggers, basic GitOps |
| **v2.1.0** | Advanced Deployment Patterns | Health check gates, canary deployments, durable self-update controller |
| **v2.2.0** | Container Operations | Web terminal, file browser, image building, basic Podman support |
| **v2.3.0** | Automation & Developer Experience | API keys, passkey auth, TOTP 2FA, TypeScript actions, CLI |
| **v2.4.0** | Data Safety & Templates | Scheduled backups (S3, SFTP), compose templates, secret management |
| **v3.0.0** | Advanced Platform | Network topology, GPU monitoring, full i18n translations + RTL |
| **v3.1.0** | Enterprise Access & Compliance | RBAC, LDAP/AD, environment-scoped permissions, audit logging, Wolfi hardened image |
| **v3.2.0** | Drydock Socket Proxy | Built-in companion proxy container (allowlist-filtered Docker API), rootless Docker & remote TLS security docs |


## 📖 Documentation

| Resource | Link |
| --- | --- |
| Website | [getdrydock.com](https://getdrydock.com/) |
| Live Demo | [demo.getdrydock.com](https://demo.getdrydock.com) |
| Docs | [getdrydock.com/docs](https://getdrydock.com/docs) |
| Configuration | [Configuration](https://getdrydock.com/docs/configuration) |
| Quick Start | [Quick Start](https://getdrydock.com/docs/quickstart) |
| Changelog | [`CHANGELOG.md`](CHANGELOG.md) |
| Deprecations | [`DEPRECATIONS.md`](DEPRECATIONS.md) |
| Roadmap | See [Roadmap](#roadmap) section above |
| Contributing | [`CONTRIBUTING.md`](CONTRIBUTING.md) |
| Issues | [GitHub Issues](https://github.com/CodesWhat/drydock/issues) |
| Discussions | [GitHub Discussions](https://github.com/CodesWhat/drydock/discussions) — feature requests & ideas welcome |





---

[![SemVer](https://img.shields.io/badge/semver-2.0.0-blue)](https://semver.org/)
[![Conventional Commits](https://img.shields.io/badge/commits-conventional-fe5196?logo=conventionalcommits&logoColor=fff)](https://www.conventionalcommits.org/)
[![Keep a Changelog](https://img.shields.io/badge/changelog-Keep%20a%20Changelog-E05735)](https://keepachangelog.com/)

### Built With

[![TypeScript](https://img.shields.io/badge/TypeScript_5.9-3178C6?logo=typescript&logoColor=fff)](https://www.typescriptlang.org/)
[![Vue 3](https://img.shields.io/badge/Vue_3-42b883?logo=vuedotjs&logoColor=fff)](https://vuejs.org/)
[![Express 5](https://img.shields.io/badge/Express_5-000?logo=express&logoColor=fff)](https://expressjs.com/)
[![Vitest](https://img.shields.io/badge/Vitest_4-6E9F18?logo=vitest&logoColor=fff)](https://vitest.dev/)
[![Biome](https://img.shields.io/badge/Biome_2.4-60a5fa?logo=biome&logoColor=fff)](https://biomejs.dev/)
[![Node 24](https://img.shields.io/badge/Node_24_Alpine-339933?logo=nodedotjs&logoColor=fff)](https://nodejs.org/)
[![Docker](https://img.shields.io/badge/Docker-2496ED?logo=docker&logoColor=fff)](https://www.docker.com/)
[![Anthropic](https://img.shields.io/badge/Anthropic-000000?style=flat&logo=anthropic&logoColor=white)](https://claude.ai/)

### Community QA

Thanks to the users who helped test v1.4.0 and v1.5.0 release candidates and reported bugs:

[@RK62](https://github.com/RK62) · [@flederohr](https://github.com/flederohr) · [@rj10rd](https://github.com/rj10rd) · [@larueli](https://github.com/larueli) · [@Waler](https://github.com/Waler) · [@ElVit](https://github.com/ElVit) · [@nchieffo](https://github.com/nchieffo) · [@begunfx](https://github.com/begunfx) · [@Ra72xx](https://github.com/Ra72xx)

---

**[AGPL-3.0 License](LICENSE)**

CodesWhat

[![Ko-fi](https://img.shields.io/badge/Ko--fi-Support-ff5e5b?logo=kofi&logoColor=white)](https://ko-fi.com/codeswhat)
[![Buy Me a Coffee](https://img.shields.io/badge/Buy%20Me%20a%20Coffee-ffdd00?logo=buymeacoffee&logoColor=black)](https://buymeacoffee.com/codeswhat)
[![Sponsor](https://img.shields.io/badge/Sponsor-ea4aaa?logo=githubsponsors&logoColor=white)](https://github.com/sponsors/CodesWhat)
