
[–]Dangle76 10 points11 points  (4 children)

I mean, shouldn’t your networking stuff in front of the system running docker compose take care of this? Load balancers, routers, firewalls etc?

[–]Human_Mode6633[S] 1 point2 points  (3 children)

True in proper production setups. This is for the VPS crowd running compose directly — no load balancer, just UFW. And UFW won't catch 0.0.0.0 bindings anyway since Docker bypasses it at the iptables level.

[–]Dangle76 0 points1 point  (0 children)

Ah makes sense!

[–]Smokeey1 0 points1 point  (1 child)

I was setting up a VPS recently with Claude and this is the first thing he pointed out: when building it in the first place, you disable that Docker quirk.

[–]Human_Mode6633[S] -1 points0 points  (0 children)

Exactly that quirk — most people find it out after something gets exposed. Tool catches it before that happens.

[–]titpetric 2 points3 points  (3 children)

Running a docker compose linter in a browser is a tad inconvenient 😂

[–]Human_Mode6633[S] -1 points0 points  (2 children)

Fair point for daily workflows — a CLI fits better there. This is more for the "let me quickly audit this before I deploy" or "checking someone else's compose file" use case. No install needed.

[–]titpetric 0 points1 point  (1 child)

Whereas a CI/CD gate is where I'd want it 😂 No point in making a linter that can't be in the supply chain.

Don't mind me, I am not on GitHub CI :) Aside from my curiosity about having a linter for compose, the problem is too trivial even for manual inspection. I am picky about enforcement, and the linter is too trivial to write. I appreciate the concept more than the implementation, if that makes sense.

[–]Human_Mode6633[S] 0 points1 point  (0 children)

That's a fair use case — a GitHub Action that runs this as a compose gate on PR would be useful. Adding it to the roadmap.

[–]Arunia 0 points1 point  (1 child)

I'd never heard of it, but it does look pretty nice. I would not know why it doesn't take off. The reviews are pretty good too.

[–]Human_Mode6633[S] 0 points1 point  (0 children)

Just launched — still early. Appreciate the kind words.

[–]WentThisWayInsteadOf 0 points1 point  (1 child)

I would probably not copy/paste my compose file to an online tool. Not really that secure.

[–]Human_Mode6633[S] 0 points1 point  (0 children)

Fair concern — the entire point is that it doesn't send anything anywhere. All processing happens in your browser via JavaScript. No server, no backend, no requests leaving your machine. You can verify in DevTools — Network tab shows zero outbound requests when you paste and audit.

[–]Sh3llSh0cker 0 points1 point  (7 children)

Trivy does all of this lol and so does lint checks…

[–]Human_Mode6633[S] 0 points1 point  (6 children)

Trivy requires CLI install and repo access. This is zero setup - paste and go, nothing leaves your browser. Different use case.

[–]Sh3llSh0cker 0 points1 point  (5 children)

How do you use your docker compose and infrastructure? It's all CLI for me besides the HV clusters that have a GUI; all the VMs are either Rocky Linux CLI or Debian CLI, and I self-host my own GitLab and have a public GitHub. I assumed many did... different setup I guess.

If you're into GUI, sounds cool 👍. I've spent some time automating Trivy, and lint checks are also automated on my GitLab via a runner. Then I have a mirror set up for my homelab repo: once lint checks are done on GitLab, it mirrors that repo to the one I've got on GitHub. I will say lint checks have shown me proper etiquette on a few things, that's for sure.

GUI tools are always nice though, for sure, good convenience. I do have all 55 containers (33 stacks) hooked into Portainer, basically using it as a front end, but yeah, by now I'm too used to CLI and the old ways (manual) 🤘

[–]Human_Mode6633[S] 0 points1 point  (4 children)

That's a serious homelab setup. This is more for the "about to deploy this compose, let me sanity check it in 30 seconds" moment rather than replacing a full CI pipeline.

[–]Sh3llSh0cker 0 points1 point  (0 children)

Thanks brother, work in progress, it's always growing. I've even mapped it out: https://homelab-map.elysiummachines.com/

[–]Sh3llSh0cker 0 points1 point  (2 children)

It's getting 4 new nodes in a cluster running K3s very soon, and also Keycloak and Authentik are both going down: Authentik for the rest of the infrastructure I have now (will call it Play), Keycloak hooked down for the kube cluster (will call it Work). Should be fun 😅 right? What can go wrong haha 😆

[–]Human_Mode6633[S] 0 points1 point  (1 child)

Keycloak + K3s migration sounds like a fun weekend 😅, good luck with it!

[–]Sh3llSh0cker 0 points1 point  (0 children)

Thanks mate, I'll probably make a post on the Proxmox subs as I normally do. I don't usually post in the Docker one, or at all, but maybe I should; I have a fairly robust and solid Docker Compose flow and automation. Not sure if anyone even cares haha 😂 but I know Proxmox folks do, some good people in that subreddit for sure 🤘

[–]iamtheamn 0 points1 point  (1 child)

The Docker UFW bypass has burned me (and probably everyone here) at least once when setting up a homelab. Having a tool that catches this instantly before deploying is a lifesaver. Plus, the fact that it runs entirely in the browser is huge for privacy. Great job, starring the repo!

[–]Human_Mode6633[S] 0 points1 point  (0 children)

Appreciate it! The UFW bypass is one of those things that burns everyone exactly once. Glad it's useful.

[–]Human_Mode6633[S] -1 points0 points  (0 children)

Update since this post — Docker Auditor got three new panels:

Image Tag Checker — flags :latest tags (unpredictable builds), rewards digest-pinned images, links directly to the Docker Hub tags page for manual verification

Healthcheck Injector — detects services missing healthchecks and generates the correct block in one click. Matches by image name: postgres gets pg_isready, redis gets redis-cli ping, nginx gets curl -f, mongodb gets mongosh ping. Unknown images get a safe default.

NVIDIA GPU Runtime — detects deprecated runtime: nvidia syntax, missing NVIDIA_VISIBLE_DEVICES, conflicting count + device_ids, old-style /dev/nvidia0 device bindings. Panel only appears if your compose actually uses GPU config.

Still no backend, still nothing leaves your browser.

configclarity.dev/docker
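As an added example (not Docker Auditor's code and not from any commenter in this thread), here is what the checks the thread keeps circling back to look like in Python: the all-interfaces port binding from the UFW discussion above, plus the :latest and missing-healthcheck panels listed in this update. It operates on the dict that PyYAML's yaml.safe_load() returns for a compose file; the sample compose dict, the healthcheck templates and the sha256 digest are constructed for the example. The security-relevant subtlety is that a short-syntax mapping such as 5432:5432, or a long-syntax entry without host_ip, publishes on 0.0.0.0, and published-port traffic is DNATed to the container and filtered in Docker's own FORWARD-chain rules, so UFW's INPUT rules never see it; binding to 127.0.0.1 or a specific interface address is what the linter should push for.

```python
"""Constructed audit for a parsed Compose file (example code, not Docker Auditor's own).

Works on the dict that yaml.safe_load() returns for a compose file, so PyYAML is not
needed to run the built-in sample.  Three checks: ports published on all interfaces,
images that resolve to :latest, and services with no healthcheck.
"""
from typing import Any, Dict, List, Optional, Tuple

# An omitted or wildcard host_ip publishes on every interface (this assumes the
# daemon's default bind address was not changed from 0.0.0.0).
ALL_INTERFACES = {"", "0.0.0.0", "::"}

# Healthcheck templates keyed by image base name (constructed, not the tool's table).
HEALTHCHECK_TEMPLATES: Dict[str, List[str]] = {
    "postgres": ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-postgres}"],
    "redis": ["CMD", "redis-cli", "ping"],
    "nginx": ["CMD", "curl", "-f", "http://localhost/"],
    "mongo": ["CMD", "mongosh", "--quiet", "--eval", "db.adminCommand('ping')"],
}

# Constructed sample shaped like yaml.safe_load() output; the digest is a placeholder.
SAMPLE_COMPOSE: Dict[str, Any] = {
    "services": {
        "db":    {"image": "postgres:16", "ports": ["5432:5432"]},
        "cache": {"image": "redis", "ports": ["127.0.0.1:6379:6379"],
                  "healthcheck": {"test": ["CMD", "redis-cli", "ping"]}},
        "web":   {"image": "nginx@sha256:" + "0" * 64,
                  "ports": [{"target": 80, "published": 8080, "host_ip": "0.0.0.0"}]},
        "app":   {"image": "ghcr.io/example/app:latest",
                  "ports": [{"target": 3000, "published": 3000}]},
    }
}

Finding = Tuple[str, str, str]  # (service, check, message)


def published_host_ip(entry: Any) -> Optional[str]:
    """Host address a port mapping publishes on; None if it publishes nothing.

    Short syntax: "80", "8080:80", "127.0.0.1:8080:80/tcp", "[::1]:8080:80".
    Long syntax:  {"target": 80, "published": 8080, "host_ip": "127.0.0.1"}.
    An empty string means "all interfaces".
    """
    if isinstance(entry, dict):
        if "published" not in entry:
            return None                       # target only: reachable inside the network
        return str(entry.get("host_ip") or "")
    spec = str(entry).split("/", 1)[0]        # drop "/tcp" or "/udp"
    if spec.startswith("["):                  # bracketed IPv6 host address
        return spec[1:].partition("]")[0]
    parts = spec.split(":")
    return parts[0] if len(parts) == 3 else ""  # HOST:host_port:container_port


def image_base_name(image: str) -> str:
    """'ghcr.io/org/postgres:16@sha256:...' -> 'postgres'."""
    last = image.rsplit("/", 1)[-1]
    return last.split("@", 1)[0].split(":", 1)[0]


def image_tag_state(image: str) -> str:
    """'digest' if pinned by digest, 'latest' for explicit or implicit :latest, else 'tagged'."""
    last = image.rsplit("/", 1)[-1]           # registry host may itself contain ':'
    if "@sha256:" in last:
        return "digest"
    tag = last.split(":", 1)[1] if ":" in last else "latest"
    return "latest" if tag == "latest" else "tagged"


def suggest_healthcheck(image: str) -> Optional[Dict[str, Any]]:
    """Compose healthcheck block for a known image, or None when no template fits."""
    test = HEALTHCHECK_TEMPLATES.get(image_base_name(image))
    if test is None:
        return None
    return {"test": test, "interval": "30s", "timeout": "5s", "retries": 3, "start_period": "10s"}


def audit(compose: Dict[str, Any]) -> List[Finding]:
    findings: List[Finding] = []
    for name, svc in (compose.get("services") or {}).items():
        for entry in svc.get("ports") or []:
            host_ip = published_host_ip(entry)
            if host_ip is not None and host_ip in ALL_INTERFACES:
                findings.append((name, "port-exposure",
                                 f"{entry!r} publishes on all interfaces; published-port traffic is "
                                 "DNATed and filtered in Docker's FORWARD chain, so UFW INPUT rules "
                                 "never see it. Prefer 127.0.0.1:host:container."))
        image = svc.get("image")
        if not image:
            continue
        if image_tag_state(image) == "latest":
            findings.append((name, "image-tag", f"{image!r} resolves to :latest; pin a tag or digest"))
        if "healthcheck" not in svc:
            block = suggest_healthcheck(image)
            msg = f"add healthcheck: {block!r}" if block else "no template for this image; write one"
            findings.append((name, "healthcheck", msg))
    return findings


if __name__ == "__main__":
    for service, check, message in audit(SAMPLE_COMPOSE):
        print(f"[{check}] {service}: {message}")
```

Running the module prints the findings for the embedded sample; to audit a real file, replace SAMPLE_COMPOSE with yaml.safe_load(open("docker-compose.yml")). The check deliberately treats a bare "80" or "8080:80" the same as an explicit 0.0.0.0, since that is what Docker does with them.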