DEV.co
Open-Source DevOps · mag37

dockcheck

dockcheck is a bash CLI tool that automates Docker image updates for containers, with optional notifications and image backups. It supports interactive or fully automated mode, allowing selective updates with filtering by labels, age, or container names.

Source: GitHub — github.com/mag37/dockcheck
2.4k
GitHub stars
87
Forks
Shell
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorymag37/dockcheck
Ownermag37
Primary languageShell
LicenseGPL-3.0 — OSI-approved
Stars2.4k
Forks87
Open issues13
Latest releasev0.7.8 (2026-04-30)
Last updated2026-07-06
Sourcehttps://github.com/mag37/dockcheck

What dockcheck is

A shell script (bash 4.3+) that queries Docker registries via regctl to detect image updates, manages container recreation via docker-compose, and optionally prunes dangling images. It supports async subprocess management, custom notification templates, and Prometheus metrics export.

Quickstart

Get the dockcheck source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/mag37/dockcheck.gitcd dockcheck# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Homelab and Self-Hosted Infrastructure

Ideal for small-to-medium self-hosted deployments where automated but controllable updates are needed without external SaaS dependencies.

Non-Critical Container Update Workflows

Suits environments where selective, batched updates with manual approval or scheduled unattended runs reduce operational overhead.

Docker Compose-Based Stacks

Works well for monolithic or loosely coupled compose stacks where container recreation and stack restart are acceptable update patterns.

Implementation considerations

  • Requires bash 4.3+, jq, and regctl (external binary); users must download or package regctl separately.
  • Docker and docker-compose (standalone or plugin) must be installed and running; no API auth abstraction layer provided.
  • Script modifies container state (pull, stop, start, prune); ensure proper access control and test in non-production first.
  • Notification templates require external service credentials (Slack, Telegram, Discord, etc.); no end-to-end encryption or secret rotation built-in.
  • Cron scheduling or external orchestration needed for true automation; no built-in daemon mode.

When to avoid it — and what to weigh

  • High-Availability or Production Kubernetes — Not designed for Kubernetes clusters or zero-downtime rolling deployments; no native support for pod disruption budgets or gradual rollouts.
  • Strict Image Immutability or Audit Compliance — No built-in image signing verification, SBoM attestation, or fine-grained audit trails; relies on registry pull integrity alone.
  • Non-Linux or Non-amd64/arm64 Architectures — Bash-dependent and requires regctl (amd64/arm64 only); no native Podman support (community fork available but not officially maintained).
  • Organizations Requiring Commercial Support — OSS-only with community maintenance; no SLA, paid support, or enterprise backing.

License & commercial use

Licensed under GPL-3.0 (GNU General Public License v3.0). This is a copyleft license requiring that any derivative works or distributions also be licensed under GPL-3.0 and source code be made available.

Commercial use is permitted under GPL-3.0, but with strong restrictions: any modifications or bundled distributions must be released under GPL-3.0 with source code available. Internal use (e.g., running in your own infrastructure) does not trigger GPL obligations. Requires legal review if repackaging, reselling, or embedding as part of a commercial product.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Project does not claim security hardening. Key considerations: (1) runs with privileges sufficient to pull images and restart containers; (2) stores credentials in plaintext config files (notification tokens, registry auth); (3) no input sanitization documented for container names or paths; (4) external dependency regctl is pulled from GitHub (supply chain risk); (5) notification templates may forward sensitive data to third-party services; (6) no checksum verification or signed releases mentioned; (7) shell script interpretation and eval-like constructs present inherent injection risks if inputs are untrusted. Suitable only for trusted administrators in controlled environments.

Alternatives to consider

Watchtower

Docker container that automatically updates running containers; simpler deployment, no config file needed, but less granular control and less notification integrations.

Renovate or Dependabot

CI/CD-native tooling for image updates via pull requests; better for GitOps workflows and immutable infrastructure, but overkill for small homelabs.

Podman's built-in auto-updates

Native Podman feature for quadlet/systemd-based workflows; no external dependencies, but Podman adoption not yet universal and lacks notification parity.

Software development agency

Build on dockcheck with DEV.co software developers

Download dockcheck for free from GitHub and set up automated container updates in under 5 minutes. Perfect for homelabs and self-hosted environments.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

dockcheck FAQ

Can I use dockcheck with Kubernetes?
No. dockcheck is designed for Docker Engine + docker-compose only. For Kubernetes, use tools like ArgoCD, Flux, or native Kubernetes operators like Renovate's helm plugin.
Does dockcheck support private registries?
Yes, via docker-compose and regctl's auth mechanisms; however, docker config.json credentials must be pre-configured. See regctl docs for authentication details.
What if I'm on ARM or non-amd64 architecture?
regctl binary is only available for amd64/arm64. For other architectures, no workaround is provided in the docs; consider the Podman fork (podcheck) or Watchtower.
Can I schedule dockcheck automatically?
Yes, via cron or systemd timers. The `-a` flag enables unattended mode, and `-i` enables notifications. Example: `0 10 * * * /path/to/dockcheck.sh -nix 10` runs checks every morning.

Software developers & web developers for hire

DEV.co helps companies turn open-source tools like dockcheck into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source devops stack.

Ready to automate your Docker updates?

Download dockcheck for free from GitHub and set up automated container updates in under 5 minutes. Perfect for homelabs and self-hosted environments.