| Category | Status |
|---|---|
| Build & CI |        |
| SonarQube | |
| Security |   |
| Package |     |
| Technology |       |
A Model Context Protocol (MCP) server that exposes Docker functionality to AI assistants like Claude. Manage containers, images, networks, and volumes through a type-safe, documented API with safety controls.
Quick Start:
- Claude Code (stdio):
claude mcp add --transport stdio docker uvx mcp-docker@latest - Codex (stdio):
codex mcp add docker -- uvx mcp-docker@latest
- 36 Docker Tools: Individually optional via config. Complete container, image, network, volume, and system management
- 5 AI Prompts: Intelligent troubleshooting, optimization, networking debug, and security analysis
- 2 Resources: Real-time container logs and resource statistics
- 3 Transport Options: stdio (local), SSE (Server-Sent Events), and HTTP Stream Transport (modern unified endpoint)
- Type Safety: Full type hints with Pydantic validation and mypy strict mode
- Safety Controls: Three-tier safety system (safe/moderate/destructive) with configurable restrictions
- Comprehensive Testing: Extensive test coverage with unit, integration, E2E, and fuzz tests
- Continuous Fuzzing: ClusterFuzzLite integration for security and robustness (OpenSSF Scorecard compliant)
- Modern Python: Built with Python 3.11+, uv package manager, and async-first design
- Python 3.11+ and Docker installed
- uv package manager (automatically installed by
uvx)
Run this command in your terminal:
claude mcp add --transport stdio docker uvx mcp-docker@latestThat's it! The Docker socket is auto-detected for your OS (Windows, Linux, macOS, WSL).
Add to your claude_desktop_config.json:
{
"mcpServers": {
"docker": {
"command": "uvx",
"args": ["mcp-docker"]
}
}
}Note: No additional configuration needed for local use. The Docker socket is automatically detected based on your operating system.
Getting Updates: uvx caches packages and won't automatically update. To get the latest version:
# Run the latest version (recommended - no caching)
uvx mcp-docker@latest
# Or clear all cached tool environments
uv cache pruneThe HTTP Stream Transport is a modern MCP transport protocol using a single unified endpoint (POST /) for all operations.
Features:
- Single Endpoint: All MCP communication through
POST /(no separate SSE/messages endpoints) - Session Management: Automatic session tracking via
mcp-session-idheader - Stream Resumability: Reconnect and replay missed messages using
last-event-idheader - Flexible Response Modes: Choose between streaming (SSE) or batch (JSON) responses
- Browser Support: Enhanced CORS configuration for web clients
- DNS Rebinding Protection: Configure allowed hosts to prevent attacks
Basic Usage:
# Development (localhost only)
mcp-docker --transport httpstream --host 127.0.0.1 --port 8000
# Production with TLS
./start-mcp-docker-httpstream.shConfiguration: The complete list of HTTP Stream, CORS, and DNS-rebinding settings lives in CONFIGURATION.md (including the security toggles that pair with OAuth, rate limiting, and audit logging). Use that reference to keep runtime behavior in sync with CI and production deployments.
Endpoint Documentation:
-
POST /: Main endpoint for all MCP operations
- Send JSON-RPC messages in request body
- Session tracked via
mcp-session-idresponse header - Streaming responses use SSE format
- Batch responses return complete JSON arrays
-
Resumability: Include
last-event-idheader to replay missed events after reconnection
For network-accessible deployments, use SSE transport with TLS/HTTPS:
# Production: Use the startup script with TLS
./start-mcp-docker-sse.sh
# Development: Run with SSE transport (no TLS)
mcp-docker --transport sse --host 127.0.0.1 --port 8000Command-line options: --transport (stdio/sse/httpstream), --host, --port
The MCP Docker server provides enterprise-grade security for production deployments with OAuth authentication, TLS encryption, rate limiting, audit logging, and safety controls.
For production deployment, see SECURITY.md for:
- Complete security feature guide (OAuth, TLS, IP filtering, rate limiting, audit logging)
- Production deployment checklist
- Threat model and mitigation strategies
- Security best practices
All environment variables (safety, server, transports, OAuth, rate limits, CORS) are documented in CONFIGURATION.md. Production hardening steps, threat models, and deployment checklists live in SECURITY.md.
Documentation:
- CONFIGURATION.md - Complete configuration reference (all options)
- SECURITY.md - Security features and production guidelines
The server provides 36 tools organized into 5 categories:
docker_list_containers- List containers with filtersdocker_inspect_container- Get detailed container infodocker_create_container- Create new containerdocker_start_container- Start containerdocker_stop_container- Stop container gracefullydocker_restart_container- Restart containerdocker_remove_container- Remove containerdocker_container_logs- Get container logsdocker_exec_command- Execute command in containerdocker_container_stats- Get resource usage stats
docker_list_images- List imagesdocker_inspect_image- Get image detailsdocker_pull_image- Pull from registrydocker_build_image- Build from Dockerfiledocker_push_image- Push to registrydocker_tag_image- Tag imagedocker_remove_image- Remove imagedocker_prune_images- Clean unused imagesdocker_image_history- View layer history
docker_list_networks- List networksdocker_inspect_network- Get network detailsdocker_create_network- Create networkdocker_connect_container- Connect container to networkdocker_disconnect_container- Disconnect from networkdocker_remove_network- Remove network
docker_list_volumes- List volumesdocker_inspect_volume- Get volume detailsdocker_create_volume- Create volumedocker_remove_volume- Remove volumedocker_prune_volumes- Clean unused volumes
docker_system_info- Get Docker system informationdocker_system_df- Disk usage statisticsdocker_system_prune- Clean all unused resourcesdocker_version- Get Docker version infodocker_events- Stream Docker eventsdocker_healthcheck- Check Docker daemon health
Five prompts help AI assistants work with Docker:
- troubleshoot_container - Diagnose container issues with logs and configuration analysis
- optimize_container - Get optimization suggestions for resource usage and security
- generate_compose - Generate docker-compose.yml from containers or descriptions
- debug_networking - Deep-dive analysis of container networking problems with systematic L3-L7 troubleshooting
- security_audit - Comprehensive security analysis following CIS Docker Benchmark with compliance mapping
Two resources provide real-time access to container data:
- container://logs/{container_id} - Stream container logs
- container://stats/{container_id} - Get resource usage statistics
The server implements a three-tier safety system with configurable operation modes and fine-grained tool filtering:
-
SAFE - Read-only operations (list, inspect, logs, stats)
- No restrictions
- Always allowed
- Examples:
docker_list_containers,docker_inspect_image,docker_container_logs
-
MODERATE - State-changing but reversible (start, stop, create)
- Can modify system state
- Controlled by
SAFETY_ALLOW_MODERATE_OPERATIONS(default:true) - Examples:
docker_create_container,docker_start_container,docker_pull_image
-
DESTRUCTIVE - Permanent changes (remove, prune)
- Cannot be easily undone
- Requires
SAFETY_ALLOW_DESTRUCTIVE_OPERATIONS=true - Can require confirmation
- Examples:
docker_remove_container,docker_prune_images,docker_system_prune
In addition to safety levels, you can control exactly which tools are available using allow and deny lists:
Deny List - Block specific tools (takes precedence over allow list)
# Block destructive operations by tool name
SAFETY_DENIED_TOOLS="docker_remove_container,docker_prune_images,docker_system_prune"Allow List - Only permit specific tools (empty = allow all based on safety level)
# Only allow read-only monitoring tools
SAFETY_ALLOWED_TOOLS="docker_list_containers,docker_inspect_container,docker_container_logs,docker_container_stats,docker_version"How it works:
- Safety level restrictions apply first (MODERATE/DESTRUCTIVE settings)
- Deny list blocks specific tools regardless of safety level
- Allow list (if non-empty) restricts to only listed tools
- Tools are filtered in both
list_tools()and at execution time
Use cases:
- Restrict AI agents to read-only operations for monitoring
- Block specific dangerous tools while allowing others at same safety level
- Create custom tool subsets for different user roles or environments
- Prevent accidental execution of critical operations
Configure the safety mode using environment variables:
Read-Only Mode (Safest) - Monitoring and observability only
SAFETY_ALLOW_MODERATE_OPERATIONS=false
SAFETY_ALLOW_DESTRUCTIVE_OPERATIONS=false
# Optional: Explicitly allow only monitoring tools
SAFETY_ALLOWED_TOOLS="docker_list_containers,docker_list_images,docker_inspect_container,docker_inspect_image,docker_container_logs,docker_container_stats,docker_version,docker_system_info"- ✅ List, inspect, logs, stats
- ❌ Create, start, stop, pull
- ❌ Remove, prune
Default Mode (Balanced) - Development and operations
SAFETY_ALLOW_MODERATE_OPERATIONS=true # or omit (default)
SAFETY_ALLOW_DESTRUCTIVE_OPERATIONS=false
# Optional: Deny only the most dangerous operations
SAFETY_DENIED_TOOLS="docker_system_prune,docker_prune_volumes"- ✅ List, inspect, logs, stats
- ✅ Create, start, stop, pull
- ❌ Remove, prune
Full Mode (Least Restrictive) - Infrastructure management
SAFETY_ALLOW_MODERATE_OPERATIONS=true
SAFETY_ALLOW_DESTRUCTIVE_OPERATIONS=true- ✅ List, inspect, logs, stats
- ✅ Create, start, stop, pull
- ✅ Remove, prune
Note: Read-only mode is ideal for monitoring, auditing, and observability use cases where no changes to Docker state should be allowed.
| Feature | Docker CLI Directly | MCP Docker Server |
|---|---|---|
| Claude Desktop | ❌ No CLI access | ✅ Required (only option) |
| Claude Code | ✅ Works immediately | ✅ Optional (adds safety) |
| Setup | None needed | Install & configure |
| Safety Controls | ❌ None | ✅ Read-only mode, operation blocking |
| Data Format | Text (requires parsing) | Structured JSON |
| Audit Logging | Manual setup | ✅ Built-in |
| Rate Limiting | ❌ None | ✅ Configurable |
| Input Validation | ❌ None | ✅ Pydantic schemas |
| Docker Coverage | 100% (all features) | 36 core operations |
| Complexity | Low (standard commands) | Medium (MCP protocol) |
When to use MCP Server:
- Required: Claude Desktop (no other option)
- Recommended: Production automation, compliance requirements, multi-user access, safety controls needed
When to use CLI directly:
- Best for: Claude Code with simple tasks, advanced Docker features, minimal setup
Hybrid approach: Use MCP for common operations + CLI for advanced features.
- Security Guide - Security features, TLS/HTTPS, authentication, production checklist
# Clone repository
git clone https://github.com/williajm/mcp_docker.git
cd mcp_docker
# Install dependencies
uv sync --group dev
# Run tests
uv run pytest
# Run linting
uv run ruff check src tests
uv run ruff format src tests
# Run type checking
uv run mypy src testsThe project includes four levels of testing: unit, integration, end-to-end (E2E), and fuzz tests.
| Aspect | Unit Tests | Integration Tests | E2E Tests | Fuzz Tests |
|---|---|---|---|---|
| Docker Daemon | ❌ Not required | ✅ Required | ✅ Required | ❌ Not required |
| Docker Operations | ❌ None | ✅ Real operations | ✅ Real operations | ❌ None |
| Server Instance | ❌ None / Mocked | ✅ Real MCPDockerServer | ✅ Real MCPDockerServer | ❌ Component-level |
| MCP Client | ❌ None | ❌ Direct server calls | ✅ Real ClientSession | ❌ None |
| Transport Layer | ❌ None | ❌ Bypassed | ✅ Real stdio/SSE | ❌ None |
| Purpose | Logic/validation | Component integration | Full workflows | Security/robustness |
| Speed | ⚡ Very fast (<5s) | ⚡ Fast (~10s) | 🐌 Slower (~30-60s) | ⚡ Continuous (CI) |
# Run all tests with coverage
uv run pytest --cov=mcp_docker --cov-report=html
# Run unit tests only (fast, no Docker required)
uv run pytest tests/unit/ -v
# Run integration tests (requires Docker)
uv run pytest tests/integration/ -v -m integration
# Run E2E tests (requires Docker, comprehensive)
uv run pytest tests/e2e/ -v -m e2e
# Run E2E tests excluding slow tests
uv run pytest tests/e2e/ -v -m "e2e and not slow"
# Run fuzz tests locally (requires atheris)
python3 tests/fuzz/fuzz_validation.py -atheris_runs=10000The project uses ClusterFuzzLite for continuous fuzzing to meet OpenSSF Scorecard requirements. Fuzz tests run automatically in CI/CD to discover security vulnerabilities and edge cases.
mcp_docker/
├── src/
│ └── mcp_docker/
│ ├── __main__.py # Entry point
│ ├── server.py # MCP server implementation
│ ├── config.py # Configuration management
│ ├── docker/ # Docker SDK wrapper
│ ├── tools/ # MCP tool implementations
│ ├── resources/ # MCP resource providers
│ ├── prompts/ # MCP prompt templates
│ └── utils/ # Utilities (logging, validation, safety)
├── tests/ # Test suite
├── docs/ # Documentation
└── pyproject.toml # Project configuration
- Python: 3.11 or higher
- Docker: Any recent version (tested with 20.10+)
- Dependencies:
mcp>=1.2.0- MCP SDKdocker>=7.1.0- Docker SDK for Pythonpydantic>=2.0.0- Data validationloguru>=0.7.0- Loggingsecure>=1.0.1- Security headersauthlib>=1.6.5- OAuth/OIDC authentication (JWT validation)httpx>=0.28.1- HTTP client for OAuth token introspectionlimits>=5.6.0- Rate limitingcachetools>=6.2.1- JWKS caching
- Follow PEP 8 style guidelines
- Use type hints for all functions
- Write docstrings (Google style)
- Maintain high test coverage
- Pass all linting and type checking
This project is licensed under the MIT License - see the LICENSE file for details.
- Built with the Model Context Protocol by Anthropic
- Uses the official Docker SDK for Python
- Powered by modern Python tooling: uv, ruff, mypy, pytest