- 📖 Documentation
- 🚀 Quick Start
- 📸 Screenshots
- ✨ Features
- 🔌 Supported Integrations
- ⚖️ Feature Comparison
- 🔄 Migration
- 🗺️ Roadmap
- 📖 Documentation
- ⭐ Star History
- 🔧 Built With
docker run -d \
--name drydock \
-p 3000:3000 \
-v /var/run/docker.sock:/var/run/docker.sock \
-e DD_AUTH_BASIC_ADMIN_USER=admin \
-e "DD_AUTH_BASIC_ADMIN_HASH=<paste-argon2id-hash>" \
codeswhat/drydock:latestGenerate a secure hash with Node.js argon2id (requires Node 24+, replace
yourpassword):node -e 'const c=require("node:crypto");const s=c.randomBytes(32);const h=c.argon2Sync("argon2id",{message:process.argv[1],nonce:s,memory:65536,passes:3,parallelism:4,tagLength:64});console.log("argon2id$65536$3$4$"+s.toString("base64")+"$"+h.toString("base64"));' "yourpassword"Legacy
{SHA}hashes are accepted but deprecated (removed in v1.6.0). MD5/crypt/plain htpasswd hashes are not supported. Authentication is required by default. See the auth docs for OIDC, anonymous access, and other options. To explicitly allow anonymous access on fresh installs, setDD_ANONYMOUS_AUTH_CONFIRM=true.
The image includes trivy and cosign binaries for local vulnerability scanning and image verification.
See the Quick Start guide for Docker Compose, socket security, reverse proxy, and alternative registries.
Dashboard
| Light | Dark |
 |
 |
Containers
| Light | Dark |
 |
 |
Container Detail
| Light | Dark |
 |
 |
Security
| Light | Dark |
 |
 |
Login
| Light | Dark |
 |
 |
Mobile Responsive
| Dashboard Light | Dashboard Dark | Containers Light | Containers Dark |
 |
 |
 |
 |
| Auto-detect running containers and check for image updates across registries | Slack, Discord, Telegram, Teams, Matrix, SMTP, MQTT, HTTP webhooks, Gotify, NTFY, and more | Docker Hub, GHCR, ECR, GCR, GAR, GitLab, Quay, Harbor, Artifactory, Nexus, and more |
| Auto-pull and recreate services via docker-compose with service-scoped compose image patching | Monitor remote Docker hosts with SSE-based agent architecture | Event-based audit trail with persistent storage, REST API, and Prometheus counter |
| Authelia, Auth0, Authentik — secure your dashboard with OpenID Connect | Built-in /metrics endpoint with optional auth bypass for monitoring stacks | Automatic pre-update image backup with configurable retention and one-click rollback |
| Start, stop, restart, and update containers from the UI or API with feature-flag control | Token-authenticated HTTP endpoints with per-endpoint token support for CI/CD integration to trigger watch cycles and updates | Smart stack detection via compose project or labels with collapsible groups and batch-update |
| Pre/post-update shell commands via container labels with configurable timeout and abort control | Automatic rollback on health check failure with configurable monitoring window and interval | DVD-style animated overlay during drydock's own container update with auto-reconnect |
| Auto-resolved container icons via selfhst/icons with homarr-labs fallback and bundled selfhst seeds for internetless startup | Fully responsive dashboard with optimized mobile breakpoints for all views | Available on GHCR, Docker Hub, and Quay.io for flexible deployment |
Docker Hub · GHCR · ECR · ACR · GCR · GAR · GitLab · Quay · LSCR · Harbor · Artifactory · Nexus · Gitea · Forgejo · Codeberg · MAU · TrueForge · Custom · DOCR · DHI · IBM Cloud · Oracle Cloud · Alibaba Cloud
Apprise · Command · Discord · Docker · Docker Compose · Google Chat · Gotify · HTTP · IFTTT · Kafka · Matrix · Mattermost · MQTT · MS Teams · NTFY · Pushover · Rocket.Chat · Slack · SMTP · Telegram
Anonymous (opt-in via DD_ANONYMOUS_AUTH_CONFIRM=true) · Basic (username + password hash) · OIDC (Authelia, Auth0, Authentik). All auth flows fail closed by default.
API note: POST /api/containers/:id/env/reveal is currently scoped to authentication only (no per-container RBAC yet), so any authenticated user is treated as a trusted operator for secret reveal actions.
OpenAPI note: machine-readable API docs are available at GET /api/v1/openapi.json (canonical) and GET /api/openapi.json (compatibility alias during transition).
API versioning note: third-party integrations should migrate to /api/v1/*. The unversioned /api/* alias is deprecated and will be removed in v1.6.0.
Trivy-powered vulnerability scanning blocks unsafe updates before they deploy. Includes cosign signature verification and SBOM generation (CycloneDX & SPDX).
How does drydock compare to other container update tools?
✅ = supported ❌ = not supported
⚠️ = partial / limited For the full itemized changelog, see CHANGELOG.md.
| Feature | drydock | WUD | Diun | Watchtower † | Ouroboros † |
|---|---|---|---|---|---|
| Web UI / Dashboard | ✅ | ✅ | ❌ | ❌ | ❌ |
| Auto-update containers | ✅ | ✅ | ❌ | ✅ | ✅ |
| Docker Compose updates | ✅ | ✅ | ❌ | ❌ | |
| Notification triggers | 20 | 16 | 17 | ~19 | ~6 |
| Registry providers | 23 | 13 | |||
| OIDC / SSO authentication | ✅ | ✅ | ❌ | ❌ | ❌ |
| REST API | ✅ | ✅ | ❌ | ||
| Prometheus metrics | ✅ | ✅ | ❌ | ✅ | ✅ |
| MQTT / Home Assistant | ✅ | ✅ | ✅ | ❌ | ❌ |
| Image backup & rollback | ✅ | ❌ | ❌ | ❌ | ❌ |
| Container grouping / stacks | ✅ | ✅ | ❌ | ❌ | |
| Lifecycle hooks (pre/post) | ✅ | ❌ | ❌ | ✅ | ❌ |
| Webhook API for CI/CD | ✅ | ❌ | ❌ | ✅ | ❌ |
| Container start/stop/restart/update | ✅ | ❌ | ❌ | ❌ | ❌ |
| Distributed agents (remote) | ✅ | ❌ | ✅ | ❌ | |
| Audit log | ✅ | ❌ | ❌ | ❌ | ❌ |
| Security scanning (Trivy) | ✅ | ❌ | ❌ | ❌ | ❌ |
| Semver-aware updates | ✅ | ✅ | ✅ | ❌ | ❌ |
| Digest watching | ✅ | ✅ | ✅ | ✅ | ✅ |
| Multi-arch (amd64/arm64) | ✅ | ✅ | ✅ | ✅ | ✅ |
| Actively maintained | ✅ | ✅ | ✅ | ❌ | ❌ |
Data based on publicly available documentation as of February 2026. Contributions welcome if any information is inaccurate.
Migrating from WUD (What's Up Docker?)
Drop-in replacement — swap the image, restart, done. All WUD_* env vars and wud.* labels are auto-mapped at startup. State file migrates automatically. Use config migrate --dry-run to preview, then config migrate --file .env --file compose.yaml to rewrite config to drydock naming.
| Version | Theme | Highlights |
|---|---|---|
| v1.3.x ✅ | Security & Stability | Trivy scanning, Update Bouncer, SBOM, 7 new registries, 4 new triggers, rollback fixes, GHCR auth, self-hosted TLS, re2js regex engine, compose trigger fixes, DB persistence on shutdown |
| v1.4.0 ✅ | UI Modernization & Hardening | Tailwind CSS 4 + custom component library, 6 themes, 7 icon libraries, font size preference, Cmd/K command palette, OpenAPI 3.1.0 endpoint, standardized API responses with pagination, compose-native YAML-preserving updates, rename-first rollback with health gates, self-update controller with SSE ack, fail-closed auth enforcement, OIDC redirect URL validation, tag-family semver, notification rules, container grouping by stack, audit history view, dual-slot security scanning, scheduled scans, WUD migration CLI, bundled offline icons, dashboard drag-reorder, gzip compression, API error sanitization, agent log validation, TLS path redaction, audit store indexing with 30-day retention, type-safe store modules, durable batch scans, recent-status API, advisory-only security scanning, compose trigger hardening (auto-detection, validation, reconciliation, digest pinning, batch mode, multi-file awareness), reactive server feature flags, identity-aware rate limiting, API hardening |
| v1.5.0 | Observability | Real-time log viewer, container resource monitoring, registry webhooks |
| v1.5.1 | Scanner Decoupling | Backend-based scanner execution (docker/remote), Grype provider, scanner asset lifecycle |
| v1.6.0 | Notifications & Release Intel | Notification templates, release notes in notifications, MS Teams & Matrix triggers, remove all deprecated compatibility aliases (see DEPRECATIONS.md) |
| v1.7.0 | Smart Updates & UX | Dependency-aware ordering, clickable port links, image prune, static image monitoring, dashboard customization |
| v1.8.0 | Fleet Management & Live Config | YAML config, live UI config panels, volume browser, parallel updates, SQLite store migration, i18n framework |
| v2.0.0 | Platform Expansion | Docker Swarm, Kubernetes watchers and triggers, basic GitOps |
| v2.1.0 | Advanced Deployment Patterns | Health check gates, canary deployments, durable self-update controller |
| v2.2.0 | Container Operations | Web terminal, file browser, image building, basic Podman support |
| v2.3.0 | Automation & Developer Experience | API keys, passkey auth, TOTP 2FA, TypeScript actions, CLI |
| v2.4.0 | Data Safety & Templates | Scheduled backups (S3, SFTP), compose templates, secret management |
| v3.0.0 | Advanced Platform | Network topology, GPU monitoring, full i18n translations |
| v3.1.0 | Enterprise Access & Compliance | RBAC, LDAP/AD, environment-scoped permissions, audit logging, Wolfi hardened image |
| Resource | Link |
|---|---|
| Website | drydock.codeswhat.com |
| Docs | drydock.codeswhat.com/docs |
| Configuration | Configuration |
| Quick Start | Quick Start |
| Changelog | CHANGELOG.md |
| Deprecations | DEPRECATIONS.md |
| Roadmap | See Roadmap section above |
| Contributing | CONTRIBUTING.md |
| Issues | GitHub Issues |
| Discussions | GitHub Discussions — feature requests & ideas welcome |
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}
