A modern, security-focused web UI for managing your local Docker engine. Built for developers, DevSecOps, and security engineers who want more than a list of containers and a stop button.
It talks directly to the Docker socket on the host, gives you a clean Linear/Vercel-style dashboard, and layers a real container security audit and CVE scanning on top of standard container management.
Warning — This tool exposes the Docker daemon (i.e. root on the host). Run it on workstations or trusted networks only. Do not expose the backend port to the internet.
- One-click start / stop / restart / remove / rename of containers
- Build images by uploading a `Dockerfile`, `.zip`, `.tar`, or `.tar.gz` — live build logs streamed via WebSocket
- Run images with custom name and port mapping
- Folders with drag-and-drop to organize containers however you like (persisted locally)
- Live CPU & memory bars per running container, polled every 4s
- Inspect drawer with Overview / Environment / Mounts / Network / Security tabs and a "Copy raw JSON" shortcut
- Live container logs and build output in a terminal-style console
- Trivy CVE scan on any local image with one click — Critical / High / Medium / Low filterable, links to PrimaryURL, "Fixed in" version surfaced
- Graceful fallback if Trivy isn't installed (installation instructions are shown inline)
- Local activity log for every action taken in the UI (who did what, when) — useful as a lightweight audit trail
- Config audit catches non-reproducible deploys: `:latest` tags, missing healthchecks, missing restart policies
- Security tab aggregates posture findings across all containers + the host, sorted by severity
- Built-in container audit flags real-world misconfigurations:
  - `--privileged` containers
  - Mounted `/var/run/docker.sock` (full daemon takeover risk)
  - Host network / PID / IPC / userns namespaces
  - Dangerous capabilities (`SYS_ADMIN`, `NET_ADMIN`, `SYS_PTRACE`, `SYS_MODULE`, `DAC_READ_SEARCH`, `ALL`)
  - Containers running as root (UID 0)
  - Writable root filesystem (no `--read-only`)
  - Ports bound to `0.0.0.0` / `::` (publicly reachable)
  - Sensitive env vars in plaintext (`password`, `secret`, `token`, `api_key`, `jwt`, …)
  - Sensitive host paths mounted in (`/`, `/etc`, `/var`, `/root`, …)
- Host audit detects missing AppArmor / SELinux / seccomp, disabled live-restore, experimental mode
- Secret masking in the Environment tab with an explicit "Reveal" toggle (so secrets aren't on screen by default during a screen-share)
- Inspect drawer highlights `0.0.0.0` port bindings and `docker.sock` mounts in amber/red
At-a-glance counts (containers / running / images / security findings), recent containers, Docker engine info, and the local activity log.
Drag-and-drop folders, inline live CPU & memory bars on running containers, quick start/stop/restart/remove, rename in place, and one-click Inspect.
Build new images from a Dockerfile or archive, run with custom port mapping, and scan with Trivy straight from the card.
Aggregated container + host posture findings, severity-filterable, with remediation guidance and jump-to-container links.
Live, streaming container logs and docker build output.
Frontend — React 19, Vite, Tailwind CSS v4, Framer Motion, Socket.io client, dnd-kit, Lucide icons
Backend — Node.js, Express, dockerode (talks to /var/run/docker.sock), Socket.io, multer, unzipper, tar
Optional — Trivy on the backend host for image vulnerability scanning
- Node.js 18 or newer
- Docker running locally and reachable at `/var/run/docker.sock`
- The user running the backend must be in the `docker` group (or have permission to read/write the socket)
- (Optional) Trivy on `PATH` to enable the image scan feature
```bash
# Verify socket access
docker ps
```

If `docker ps` works as your user without `sudo`, the backend will work too.
```bash
git clone https://github.com/haltacademy/Docker-Management-System.git && cd Docker-Management-System && npm install && npm install --prefix frontend && npm install --prefix backend && npm run dev
```

```bash
git clone https://github.com/haltacademy/Docker-Management-System.git
cd Docker-Management-System
# Install root + workspace deps
npm install
( cd frontend && npm install )
( cd backend && npm install )
# Run frontend (Vite) and backend (Express + Socket.io) together
npm run dev
```

Then open the URL Vite prints (typically http://localhost:5173).
Default credentials: admin / admin — change them in Settings after first login.
```bash
npm start
# builds the frontend, starts `vite preview`, and starts the backend.
```
```
├── backend/
│   ├── server.js        # Express API + Socket.io + dockerode + Trivy spawn
│   └── package.json
├── frontend/
│   ├── src/
│   │   ├── App.jsx      # All UI: views, drawer, modal
│   │   ├── index.css    # Design tokens + reusable utilities
│   │   └── main.jsx
│   ├── index.html
│   └── package.json
└── package.json         # `concurrently` runner for dev/start
```
Defaults to 3001. Override with PORT:
```bash
PORT=4000 npm run start --prefix backend
```

The frontend currently points at http://localhost:3001. If you change the
backend port, update `API_URL` and `SOCKET_URL` at the top of
`frontend/src/App.jsx`.
Hardcoded to /var/run/docker.sock. To target a remote engine or rootless
Docker, edit:
```js
const docker = new Docker({ socketPath: '/var/run/docker.sock' });
```

in `backend/server.js`. See the dockerode docs for host/port/protocol/ca/cert/key options.
The image scan feature shells out to trivy on the backend host:
```bash
trivy image --quiet --no-progress --format json \
  --severity CRITICAL,HIGH,MEDIUM,LOW --scanners vuln <image>
```

If Trivy isn't installed, the modal shows an install hint instead of failing. On Debian/Ubuntu/Kali:

```bash
sudo apt-get install -y wget gnupg lsb-release
# apt-key is deprecated: keep the key in its own keyring and scope it with signed-by
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \
  | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" \
  | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update && sudo apt-get install -y trivy
```

Other platforms: https://aquasecurity.github.io/trivy/latest/getting-started/installation/
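The JSON that the `trivy image --format json` command above emits still has to be turned into the severity counts, "Fixed in" values and `PrimaryURL` links the scan view shows. The following is an added example, not code from this project; `summarizeTrivyReport` and the sample report are hypothetical names and constructed data.

```javascript
// Added example, not the project's code. Field names follow Trivy's JSON report
// (`trivy image --format json`); the sample report below is constructed.
const SEVERITY_ORDER = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'UNKNOWN'];

function summarizeTrivyReport(report) {
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  const findings = [];
  // Either key can be missing or null when there is nothing to report,
  // so default both to an empty array instead of iterating null.
  for (const result of report.Results || []) {
    for (const v of result.Vulnerabilities || []) {
      const severity = SEVERITY_ORDER.includes(v.Severity) ? v.Severity : 'UNKNOWN';
      counts[severity] += 1;
      findings.push({
        id: v.VulnerabilityID,
        pkg: v.PkgName,
        installed: v.InstalledVersion,
        fixedIn: v.FixedVersion || null, // absent when no fixed release exists yet
        severity,
        url: v.PrimaryURL || null,
        target: result.Target,
      });
    }
  }
  // Most severe first, then by id so the order is stable between scans.
  findings.sort((a, b) =>
    SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity)
    || a.id.localeCompare(b.id));
  const fixable = findings.filter((f) => f.fixedIn).length;
  return { counts, findings, fixable };
}

// Constructed sample with placeholder ids (not real CVEs or real scan output).
const SAMPLE_REPORT = {
  Results: [
    { Target: 'demo:latest (debian 12)', Vulnerabilities: [
      { VulnerabilityID: 'CVE-0000-0002', PkgName: 'libexample', InstalledVersion: '1.0',
        FixedVersion: '1.1', Severity: 'HIGH', PrimaryURL: 'https://example.invalid/CVE-0000-0002' },
      { VulnerabilityID: 'CVE-0000-0001', PkgName: 'openexample', InstalledVersion: '3.0',
        Severity: 'CRITICAL' },
    ] },
    { Target: 'app/package-lock.json', Vulnerabilities: null },
  ],
};
```

The `fixable` count separates findings that an image rebuild or package upgrade can close from those with no fixed release yet.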
All endpoints are under /api.
| Method | Endpoint | Description |
|---|---|---|
| GET | `/containers` | List all containers |
| POST | `/containers/:id/:action` | Action: start, stop, restart, remove |
| POST | `/containers/:id/rename` | Body `{ name }` |
| GET | `/containers/:id/inspect` | Full docker inspect |
| GET | `/containers/:id/audit` | Derived security findings for a container |
| GET | `/audit/all` | Aggregated findings for every container |
| GET | `/system/audit` | Host-level posture findings |
| GET | `/stats` | Bulk live CPU% / mem% for running containers |
| GET | `/images` | List all images |
| GET | `/images/:id/inspect` | Full image inspect |
| DELETE | `/images/:id` | Remove image |
| POST | `/images/run` | Body `{ imageId, name, portMap }` |
| POST | `/images/scan` | Body `{ ref }` — runs Trivy, returns findings |
| POST | `/build` | multipart/form-data with file + tag |
| GET | `/system` | docker info |
WebSocket events
| Event | Direction | Purpose |
|---|---|---|
| `get-logs` | client → server | Subscribe to a container's log stream |
| `container-logs` | server → client | Streamed log chunks |
| `build-log` | server → client | Streamed docker build output |
The container audit produces structured findings of the form:

```json
{
  "id": "PRIV",
  "severity": "high",
  "category": "isolation",
  "title": "Privileged container",
  "description": "...",
  "remediation": "..."
}
```

Severities: high, medium, low, info.
Categories: isolation, network, identity, storage, config, host.
The list of detectors lives in buildContainerAudit() and buildSystemAudit()
in backend/server.js — extend it with your own org-specific checks.
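How a detector list can turn `docker inspect` output into findings of the form shown above, for a subset of the checks this README lists. This is an added example, not the project's `buildContainerAudit()`; `auditInspect`, every finding id other than `PRIV`, and the severity, category and remediation values are assumptions.

```javascript
// Added example, not the project's buildContainerAudit(). Ids other than PRIV,
// and every severity, category and remediation text, are assumptions.
const DANGEROUS_CAPS = ['SYS_ADMIN', 'NET_ADMIN', 'SYS_PTRACE', 'SYS_MODULE', 'DAC_READ_SEARCH', 'ALL'];
const ALL_INTERFACES = ['', '0.0.0.0', '::']; // an empty HostIp publishes on every interface
// Each detect() returns a detail string when it fires, otherwise a falsy value.
const DETECTORS = [
  { id: 'PRIV', severity: 'high', category: 'isolation', title: 'Privileged container',
    remediation: 'Drop --privileged; add only the capabilities the workload needs.',
    detect: (c) => c.HostConfig.Privileged && '--privileged is set' },
  { id: 'SOCK', severity: 'high', category: 'isolation', title: 'Docker socket mounted',
    remediation: 'Remove the mount; socket access equals root on the host.',
    detect: (c) => c.Mounts.filter((m) => m.Source === '/var/run/docker.sock')
      .map((m) => m.Destination).join(', ') },
  { id: 'CAPS', severity: 'high', category: 'isolation', title: 'Dangerous capabilities',
    remediation: 'Remove them from --cap-add.',
    // Names may carry a CAP_ prefix depending on how they were passed.
    detect: (c) => c.HostConfig.CapAdd.map((x) => x.toUpperCase().replace(/^CAP_/, ''))
      .filter((x) => DANGEROUS_CAPS.includes(x)).join(', ') },
  { id: 'ROOT', severity: 'medium', category: 'identity', title: 'Runs as root (UID 0)',
    remediation: 'Set USER in the image or pass --user.',
    // An empty Config.User means no user was set, so the process runs as UID 0.
    detect: (c) => ['', '0', 'root'].includes(c.Config.User.split(':')[0]) && `User="${c.Config.User}"` },
  { id: 'BIND_ALL', severity: 'medium', category: 'network', title: 'Port bound to all interfaces',
    remediation: 'Publish on 127.0.0.1 unless remote access is intended.',
    detect: (c) => Object.entries(c.HostConfig.PortBindings)
      .filter(([, b]) => (b || []).some((x) => ALL_INTERFACES.includes(x.HostIp || '')))
      .map(([port]) => port).join(', ') },
];

function auditInspect(info) {
  // Unset lists such as CapAdd come back as null; normalise before checking.
  const h = info.HostConfig || {};
  const c = { Config: { User: (info.Config || {}).User || '' }, Mounts: info.Mounts || [],
    HostConfig: { ...h, CapAdd: h.CapAdd || [], PortBindings: h.PortBindings || {} } };
  return DETECTORS.flatMap(({ detect, ...meta }) => {
    const detail = detect(c);
    return detail ? [{ ...meta, description: detail }] : [];
  });
}

// Constructed sample: trimmed `docker inspect` output for one container.
const SAMPLE_INSPECT = {
  Config: { User: '' },
  Mounts: [{ Source: '/var/run/docker.sock', Destination: '/var/run/docker.sock' }],
  HostConfig: { Privileged: false, CapAdd: ['CAP_SYS_ADMIN', 'CHOWN'],
    PortBindings: { '8080/tcp': [{ HostIp: '', HostPort: '8080' }],
      '22/tcp': [{ HostIp: '127.0.0.1', HostPort: '2222' }] } },
};
```

An org-specific check is one more entry in `DETECTORS`; the normalisation step keeps each `detect()` free of null handling.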
- Interactive `docker exec` terminal in the browser (xterm.js + PTY over WebSocket)
- SBOM generation via Syft
- CIS Docker Benchmark mapping in the Security tab
- Compose stack view & up/down
- Network and volume management UIs
- Server-side action audit log (in addition to the localStorage one)
- Replace hardcoded `admin/admin` with proper auth (JWT + bcrypt + per-user accounts)
PRs welcome. Keep changes focused, run `npm run build` in `frontend/` and
`node --check backend/server.js` before opening a PR.
ISC — see package.json. Use at your own risk; this tool grants full Docker
daemon access to anyone who can reach the backend port.




