Dockerfile Audit

@unbearabledev · Developer Tools · Python · Updated 3w ago

Hadolint-grade Dockerfile audit — 19 checks: secrets, privileges, supply chain, hygiene.

Server endpoint: Streamable HTTP

This is the third-party server itself — Odel doesn't run it. Hitting this URL directly talks straight to the upstream server with no auth or proxying. Connect through Odel to front it with managed auth.

Dockerfile Security & Quality Audit

Hadolint-grade Dockerfile audit as an MCP server. 18+ checks across 5 categories; every finding ships with severity, line number, remediation text, and a copy-paste Dockerfile snippet.

Built by Unbearable Labs. Pay-per-event pricing — only billed when a tool is actually called.


Available on

  • Apify Actor Store — primary, metered usage (PPE)
  • MCPize — pending submission
  • MCP.so — pending submission
  • PulseMCP — pending submission
  • Smithery — pending submission
  • Glama — pending submission

Newsletter: Unbearable TechTips Weekly · All Actors: github.com/UnbearableDev

What it does

Point any MCP-capable client (Claude Desktop, Cursor, n8n, Make, Zapier, custom agents) at this server, hand it a Dockerfile, get back a structured report:

  • Severity — high / medium / low / info
  • Line number — exact location in the file
  • Description — what's wrong and why it matters
  • Remediation — what to do about it
  • Fix snippet — Dockerfile syntax you can paste directly

Tools

Tool                                                                          Purpose
audit_dockerfile(dockerfile_content? | dockerfile_url?, min_severity='low')   Run all checks
check_base_image(...)                                                         FROM/tag/digest/registry checks only
check_instructions(...)                                                       CMD form, ADD vs COPY, MAINTAINER, etc.
check_security(...)                                                           USER, sudo, chmod 777, curl|bash, hardcoded secrets, HEALTHCHECK
check_efficiency(...)                                                         apt cache hygiene, pip caching
check_secrets(...)                                                            ARG with secret-pattern names
list_checks(category?)                                                        Browse the full check catalog

Provide exactly one of dockerfile_content (paste the file) or dockerfile_url (HTTPS URL — e.g. GitHub raw).

Check catalog (v1: 18 checks across 5 categories)

ID       Category      Severity  Title
DFA-001  base_image    medium    Image uses :latest tag or no tag
DFA-002  base_image    info      No SHA256 digest pin on FROM
DFA-003  base_image    medium    Untrusted registry
DFA-010  instructions  low       CMD in shell form
DFA-011  instructions  low       ENTRYPOINT in shell form
DFA-012  instructions  info      MAINTAINER instruction is deprecated
DFA-013  instructions  medium    ADD used where COPY would suffice
DFA-020  security      medium    No USER directive (runs as root)
DFA-021  security      high      USER root set explicitly
DFA-022  security      high      sudo invoked in RUN
DFA-023  security      high      chmod 777 in RUN
DFA-024  security      medium    curl|bash pattern in RUN
DFA-025  security      high      Hardcoded secret in ENV
DFA-027  security      low       No HEALTHCHECK
DFA-030  efficiency    low       apt-get update without install
DFA-031  efficiency    low       apt-get install without --no-install-recommends
DFA-032  efficiency    low       pip install without --no-cache-dir
DFA-040  secrets       medium    ARG with secret-pattern name

Use list_checks to get the canonical, up-to-date catalog.
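To make the catalog concrete, here is an added Python example (not the server's own code, which this page does not publish) that implements five of the checks above, DFA-001, DFA-020, DFA-021, DFA-024 and DFA-025, over a constructed Dockerfile, emitting findings with the same field names as the example response and honouring audit_dockerfile's min_severity filter. The regexes, the fix snippets, the continuation-line handling and the sample Dockerfile are this example's own assumptions, not the product's.

```python
import re
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3}  # levels from the catalog, used by the min_severity filter

# (instruction, regex over its arguments, id, severity, title, fix snippet). IDs, severities and titles are the
# page's; the regexes and fix snippets are this example's own heuristics.
PATTERN_CHECKS = [
    ("RUN", r"\bcurl\b[^|]*\|\s*(?:ba|z)?sh\b", "DFA-024", "medium", "curl|bash pattern in RUN",
     "RUN curl -fsSLo /tmp/i.sh <url> && sha256sum -c /tmp/i.sh.sha256 && sh /tmp/i.sh"),
    ("ENV", r"(?i)(PASSWORD|SECRET|TOKEN|API_?KEY)\w*\s*=?\s*\S", "DFA-025", "high", "Hardcoded secret in ENV",
     "RUN --mount=type=secret,id=app_secret <command>"),
]
# Constructed sample Dockerfile (not from the page); line 2 continues onto line 3.
SAMPLE = """\
FROM python:3.12-slim
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
 && curl -fsSL https://example.invalid/install.sh | bash
ENV DB_PASSWORD=hunter2
USER root
"""

def _logical_lines(text):
    # Join backslash-continued lines, skip blanks and comments, yield (first line no, INSTRUCTION, args).
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if buf or (s and not s.startswith("#")):
            start = start if buf else n
            buf.append(s.rstrip("\\"))
            if not s.endswith("\\"):
                instr, _, args = " ".join(buf).partition(" ")
                buf = []
                yield start, instr.upper(), args.strip()

def audit(dockerfile, min_severity="low"):
    findings, saw_user = [], False
    def add(line, cid, sev, title, fix):  # finding fields follow the report shown on the page
        findings.append({"id": cid, "severity": sev, "line_number": line, "title": title, "fix_dockerfile_snippet": fix})
    for line, instr, args in _logical_lines(dockerfile):
        saw_user = saw_user or instr == "USER"
        if instr == "FROM":
            image = args.split()[0]  # drops "AS <stage>"; stage-alias FROM lines are not special-cased here
            if image != "scratch" and "@sha256:" not in image and (":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest")):
                add(line, "DFA-001", "medium", "Image uses :latest tag or no tag", f"FROM {image.removesuffix(':latest')}:<pinned-version>")
        elif instr == "USER" and args.split(":")[0] in ("root", "0"):
            add(line, "DFA-021", "high", "USER root set explicitly", "USER 10001:10001")
        for ins, pat, *finding in PATTERN_CHECKS:
            if ins == instr and re.search(pat, args):
                add(line, *finding)
    if not saw_user:  # reported at the last line, where a USER directive would normally be added
        add(len(dockerfile.splitlines()), "DFA-020", "medium", "No USER directive (runs as root)", "USER 10001:10001")
    return [f for f in findings if SEVERITY[f["severity"]] >= SEVERITY[min_severity]]
```

Running audit(SAMPLE) reports the curl|bash pipe at line 2 (the line where the continued RUN starts), the ENV secret at line 4 and the explicit USER root at line 5; passing min_severity="high" drops the medium curl|bash finding.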

Pricing

Event                          USD
Any audit / check_* tool call  $0.02
list_checks discovery          $0.005

Example response (truncated)

{
  "summary": {
    "total_findings": 6,
    "by_severity": {"high": 2, "medium": 2, "low": 2, "info": 0}
  },
  "findings": [
    {
      "id": "DFA-021",
      "category": "security",
      "severity": "high",
      "instruction": "USER",
      "line_number": 3,
      "title": "USER root set explicitly",
      "description": "...",
      "remediation": "Switch to a non-root UID after any root-required RUN steps.",
      "fix_dockerfile_snippet": "USER 10001:10001",
      "references": ["CIS-Docker-4.1"]
    }
  ]
}

Connecting from Claude Desktop

{
  "mcpServers": {
    "dockerfile-audit": {
      "transport": "streamable-http",
      "url": "https://YOUR-ACTOR-URL.apify.actor/mcp"
    }
  }
}

Limits

  • Dockerfile size: 200 KB cap per audit
  • URL fetch: 5s timeout, max 3 redirects, HTTPS only
  • Session timeout: 5 minutes of inactivity

What's NOT covered (yet)

  • Live image vulnerability scanning (use Trivy / Grype for that)
  • Multi-stage build optimization analysis (DFA-004 / DFA-005 — roadmapped)
  • Compose-file audit (separate MCP: docker-compose-audit)

Sibling MCPs from Unbearable Labs

Source / contact

Issues and ideas: unbearabledev@gmail.com or the GitHub org UnbearableDev.