Simple Docker Manager is a powerful tool that provides web-based access to Docker containers. Due to the sensitive nature of container management, we take security seriously and have implemented multiple layers of protection.
- Unauthorized container access
- Container manipulation by attackers
- Privilege escalation attacks
- Data exposure from managed containers
- Host system compromise
Only deploy this tool in trusted environments with proper security controls.
- Mandatory Authentication: Authentication is enabled by default
- Secure Password Handling: Argon2 password hashing with secure defaults
- Session Management: Configurable session timeouts with secure cookies
- Auto-generated Passwords: Cryptographically secure password generation when not provided
- Minimal Attack Surface: Built on
scratchbase image with no shell or package manager - Non-root Execution: Application runs as non-privileged user (UID 10001)
- Read-only Docker Socket: Docker socket mounted read-only by default
- Static Binary: Fully statically linked with no runtime dependencies
- HTTPS Ready: Designed to run behind reverse proxy with TLS termination
- Configurable Binding: Can bind to specific interfaces (not just 0.0.0.0)
- Health Endpoints: Separate health/readiness endpoints for monitoring
This project undergoes automated security scanning:
- Trivy: Container vulnerability scanning
- Cargo Audit: Rust dependency vulnerability scanning
- Cargo Deny: License and dependency policy enforcement
- Semgrep: Static Application Security Testing (SAST)
- GitLeaks: Secret detection in code and history
- Hadolint: Dockerfile security linting
All scans run on every commit and weekly via GitHub Actions.
We provide security updates for the following versions:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
DO NOT report security vulnerabilities through public GitHub issues.
- Go to the Security tab of this repository
- Click "Report a vulnerability"
- Fill out the security advisory form with:
- Detailed description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested mitigation (if known)
If you cannot use GitHub Security Advisories, email: security@oscillatelabs.com
Include in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact and attack scenarios
- Your assessment of severity
- Any suggested fixes or mitigations
- Acknowledgment: Within 1 week
- Initial Assessment: Within 2 weeks
- Resolution Timeline: Best effort based on severity and maintainer availability
- We follow coordinated disclosure
- We will work with you to understand and fix the issue
- We will not take legal action against researchers who:
- Follow this policy
- Act in good faith
- Do not access data beyond what's necessary to demonstrate the vulnerability
- Do not intentionally harm our users or systems
We believe in recognizing security researchers who help improve our security:
- Public Recognition: With your permission, we'll acknowledge your contribution
- CVE Assignment: For qualifying vulnerabilities
- Security Advisory: Detailed public disclosure after fix is deployed
-
Use HTTPS: Always deploy behind a reverse proxy with TLS
server { listen 443 ssl; ssl_certificate /path/to/cert.pem; ssl_certificate_key /path/to/key.pem; location / { proxy_pass http://localhost:3000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; } }
-
Network Isolation: Use Docker networks or firewall rules
# Create isolated network docker network create --driver bridge sdm-network # Run with network isolation docker run --network sdm-network simple-docker-manager
-
Strong Authentication: Use strong passwords and short session timeouts
SDM_AUTH_PASSWORD="$(openssl rand -base64 32)" SDM_SESSION_TIMEOUT_SECONDS=1800 # 30 minutes
-
Resource Limits: Set container resource constraints
services: simple-docker-manager: deploy: resources: limits: memory: 256M cpus: "0.5"
-
Read-only Filesystem: Mount application directories read-only
services: simple-docker-manager: read_only: true tmpfs: - /tmp
- Log Monitoring: Monitor authentication failures and unusual activity
- Health Checks: Implement proper health monitoring
- Access Logs: Log all access attempts with source IPs
- Container Monitoring: Monitor managed containers for suspicious activity
- Principle of Least Privilege: Only grant necessary Docker permissions
- Network Segmentation: Isolate from production networks
- VPN/Bastion Access: Require VPN or bastion host access
- IP Allowlisting: Restrict access to known IP ranges
DO NOT:
- Expose directly to the internet without authentication
- Use weak or default passwords
- Run with
--privilegedflag - Mount Docker socket as read-write unless absolutely necessary
- Disable authentication in production
- Use HTTP in production environments
- Run as root user
- Expose on 0.0.0.0 in untrusted networks
- Security Issues: security@oscillatelabs.com
- General Questions: Use GitHub Discussions
- Bug Reports: Use GitHub Issues (for non-security bugs only)
Remember: Security is a shared responsibility. While we work hard to make this tool secure, proper deployment and operational security practices are essential for maintaining security in your environment.