
Dockerfile Audit
Run Hadolint-style Dockerfile reviews from your agent before you build or push images to catch secrets, root users, and supply-chain risks.
Overview
io.github.UnbearableDev/dockerfile-audit is an MCP server for the Ship phase that runs nineteen Hadolint-grade Dockerfile checks for secrets, privileges, supply chain, and hygiene.
What is this MCP server?
- 19 Hadolint-grade checks covering secrets, privileges, supply chain, and general hygiene
- Remote streamable-http MCP endpoint hosted on Apify with Bearer token auth
- Targets solo builders shipping Dockerized apps without running local lint pipelines
- Findings align with common CI gate categories for image build pipelines
- Version 1.0.0 server from UnbearableDev on GitHub
- 19 Dockerfile audit checks documented in the server description
- Remote MCP version 1.0.0 via Apify actor unbearable-dev--dockerfile-audit
What problem does it solve?
You ship Docker images without a consistent lint pass and only discover insecure base images, leaked env vars, or root containers after CI fails or a scanner complains.
Who is it for?
Indie devs who maintain one or more Dockerfiles and want agent-driven audits without installing Hadolint locally on every laptop.
Skip if: your team already enforces comprehensive image scanning and policy-as-code in CI and does not need an extra MCP audit path.
What do I get? / Deliverables
After you connect the server, your agent can audit Dockerfiles on demand and surface prioritized fixes before images reach your registry or cluster.
- Structured audit results across nineteen Dockerfile check categories
- Actionable findings on secrets, privileges, supply chain, and hygiene
- Agent-ready summary you can paste into PRs or fix tickets
How it compares
Remote Dockerfile lint MCP integration, not an in-repo Claude skill or full container runtime scanner.
Common Questions / FAQ
Who is io.github.UnbearableDev/dockerfile-audit for?
It is for solo builders and small teams who use AI coding agents to harden Dockerfiles before ship, especially when local Hadolint is not always installed.
When should I use io.github.UnbearableDev/dockerfile-audit?
Use it when you change a Dockerfile, before merging a container PR, or when you want a quick security and hygiene pass without opening a separate terminal workflow.
How do I add io.github.UnbearableDev/dockerfile-audit to my agent?
Add the Apify streamable-http MCP remote URL from the server manifest, set the Authorization header to Bearer followed by your Apify API token from console.apify.com, then restart or refresh MCP in Claude Code, Cursor, or a compatible client.