Remote OpenClaw
Menu

Dockerfile Audit

UnbearableDev/dockerfile-audit
0 starsCommunity

Install to Claude Code

This server doesn't publish a one-line install command. Follow the setup in the source repository.

Summary

Hadolint-grade Dockerfile audit — 19 checks: secrets, privileges, supply chain, hygiene.

README.md

Dockerfile Security & Quality Audit

Hadolint-grade Dockerfile audit as an MCP server. 18+ checks across 5 categories, every finding ships with severity, line number, remediation text, and a copy-paste Dockerfile snippet.

Built by Unbearable Labs. Pay-per-event pricing — only billed when a tool is actually called.

---

Available on

  • Apify Actor Store — primary, metered usage (PPE)
  • MCPize — pending submission
  • MCP.so — pending submission
  • PulseMCP — pending submission
  • Smithery — pending submission
  • Glama — pending submission

Newsletter: Unbearable TechTips Weekly · All Actors: github.com/UnbearableDev

What it does

Point any MCP-capable client (Claude Desktop, Cursor, n8n, Make, Zapier, custom agents) at this server, hand it a Dockerfile, get back a structured report:

  • Severity — high / medium / low / info
  • Line number — exact location in the file
  • Description — what's wrong and why it matters
  • Remediation — what to do about it
  • Fix snippet — Dockerfile syntax you can paste directly

Tools

| Tool | Purpose | |------|---------| | audit_dockerfile(dockerfile_content? \| dockerfile_url?, min_severity='low') | Run all checks | | check_base_image(...) | FROM/tag/digest/registry checks only | | check_instructions(...) | CMD form, ADD vs COPY, MAINTAINER, etc. | | check_security(...) | USER, sudo, chmod 777, curl\|bash, hardcoded secrets, HEALTHCHECK | | check_efficiency(...) | apt cache hygiene, pip caching | | check_secrets(...) | ARG with secret-pattern names | | list_checks(category?) | Browse the full check catalog |

Provide exactly one of dockerfile_content (paste the file) or dockerfile_url (HTTPS URL — e.g. GitHub raw).

Check catalog (v1: 18 checks across 5 categories)

| ID | Category | Severity | Title | |----|----------|----------|-------| | DFA-001 | base_image | medium | Image uses :latest tag or no tag | | DFA-002 | base_image | info | No SHA256 digest pin on FROM | | DFA-003 | base_image | medium | Untrusted registry | | DFA-010 | instructions | low | CMD in shell form | | DFA-011 | instructions | low | ENTRYPOINT in shell form | | DFA-012 | instructions | info | MAINTAINER instruction is deprecated | | DFA-013 | instructions | medium | ADD used where COPY would suffice | | DFA-020 | security | medium | No USER directive (runs as root) | | DFA-021 | security | high | USER root set explicitly | | DFA-022 | security | high | sudo invoked in RUN | | DFA-023 | security | high | chmod 777 in RUN | | DFA-024 | security | medium | curl\|bash pattern in RUN | | DFA-025 | security | high | Hardcoded secret in ENV | | DFA-027 | security | low | No HEALTHCHECK | | DFA-030 | efficiency | low | apt-get update without install | | DFA-031 | efficiency | low | apt-get install without --no-install-recommends | | DFA-032 | efficiency | low | pip install without --no-cache-dir | | DFA-040 | secrets | medium | ARG with secret-pattern name |

Use list_checks to get the canonical, up-to-date catalog.

Pricing

| Event | USD | |-------|-----| | Any audit / check_* tool call | $0.02 | | list_checks discovery | $0.005 |

Example response (truncated)

{
  "summary": {
    "total_findings": 6,
    "by_severity": {"high": 2, "medium": 2, "low": 2, "info": 0}
  },
  "findings": [
    {
      "id": "DFA-021",
      "category": "security",
      "severity": "high",
      "instruction": "USER",
      "line_number": 3,
      "title": "USER root set explicitly",
      "description": "...",
      "remediation": "Switch to a non-root UID after any root-required RUN steps.",
      "fix_dockerfile_snippet": "USER 10001:10001",
      "references": ["CIS-Docker-4.1"]
    }
  ]
}

Connecting from Claude Desktop

{
  "mcpServers": {
    "dockerfile-audit": {
      "transport": "streamable-http",
      "url": "https://YOUR-ACTOR-URL.apify.actor/mcp"
    }
  }
}

Limits

  • Dockerfile size: 200 KB cap per audit
  • URL fetch: 5s timeout, max 3 redirects, HTTPS only
  • Session timeout: 5 minutes of inactivity

What's NOT covered (yet)

  • Live image vulnerability scanning (use Trivy / Grype for that)
  • Multi-stage build optimization analysis (DFA-004 / DFA-005 — roadmapped)
  • Compose-file audit (separate MCP: docker-compose-audit)

Sibling MCPs from Unbearable Labs

Source / contact

Issues and ideas: unbearabledev@gmail.com or the GitHub org UnbearableDev.

Related MCP servers

Browse all →

AWS MCP Servers

awslabs/mcp

9,330 starsOpen

Azure MCP

Azure/azure-mcp

1,219 starsOpen

Cloudflare MCP

cloudflare/mcp-server-cloudflare

3,890 starsOpen

Heroku MCP

heroku/heroku-mcp-server

78 starsOpen

Apify MCP

apify/actors-mcp-server

Browser & ScrapingOpen

Axiom MCP

axiomhq/mcp-server-axiom

61 starsOpen

Browse

MCP servers by category

Other2643AI & ML2284Search2091Developer Tools1127Vector & Memory1121Cloud & DevOps721Files & Docs719Databases704Finance & Payments701Browser & Scraping485Communication418Productivity355