container
Doco-CD stands for Docker Compose Continuous Deployment and is a lightweight GitOps tool that automatically deploys and updates Docker Compose projects and Swarm stacks via webhooks or polling when a change is pushed to a Git repository.
Containerized Learning Environment. Ansible-HandsOn is a lightweight local lab environment designed for learning, testing, and mastering Ansible infrastructure automation.
Instead of relying on resource-heavy Virtual Machines (VMs), this project leverages Docker containers to simulate a real-world network infrastructure in seconds.
Docker monitoring that fits in an SSH connection.
One binary, barely any memory. Metrics, logs, and alerts across all your hosts. Runs 24/7 on the server, notifies you when things break, whether you're connected or not.
Sysbox is an open-source, next-generation runc that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.
Windows pod system for Linux.
Native Linux windows for every Windows app — real icons, real WM_CLASS, pin-to-taskbar. FreeRDP RemoteApp + dockur/windows. Zero config.
Project Hummingbird builds a collection of minimal, hardened, and secure container images with a significantly reduced attack surface. This strong focus on security combined with a highly automated update workflow aims to minimize CVE counts, targeting near-zero vulnerabilities. All images support amd64 and arm64 architectures.
AI-Powered Docker Security Analyzer. AI-powered Docker security scanner that explains vulnerabilities in plain English.
DockSec is an OWASP Incubator Project that combines traditional Docker security scanners (Trivy, Hadolint, Docker Scout) with AI to provide context-aware security analysis.
A fast and lightweight fully featured OCI runtime and C library for running containers
CLI tool for spawning and running containers according to the OCI specification.
youki is an implementation of the OCI runtime-spec in Rust, similar to runc.
Open Source Container Runtime Software.
Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs.
The Container Security Platform. Application Kernel for Containers.
gVisor provides a strong layer of isolation between running applications and the host operating system. It is an application kernel that implements a Linux-like interface. Unlike Linux, it is written in a memory-safe language (Go) and runs in userspace.
gVisor includes an Open Container Initiative (OCI) runtime called runsc that makes it easy to work with existing container tooling. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.
Run multiple agents in parallel — each in its own container, with its own workspace, collaborating on your code or project files simultaneously.
Scion is an experimental multi-agent orchestration testbed designed to manage "deep agents" running in containers.
Containerized Hosts for AI Agents. Localhost service isolation and orchestration for git worktrees.
Coasts (Containerized Hosts) is a CLI tool with a local observability UI for running multiple isolated instances of a full development environment on a single machine. It works out of the box with your current setup: no changes to your existing application code, just a small Coastfile at your repo root. If you already use Docker Compose, Coasts can boot from your existing docker-compose.yml; if you do not use Docker or Compose, Coasts works just as well.
Go hard on agents, not on your filesystem. easy containment for AI agents.
Use jai for effortless containment of AI agents on Linux. jai strives to be the easiest container in the world to configure--so easy that you never again need to run a code assistant without protection. It's not a substitute for docker or podman when you need better isolation. But if you regularly do risky things like run an AI CLI with your own privileges in your home directory on a computer that you care about, then jai could reduce the damage when things go wrong.
layerleak: the Docker Hub Secret Scanner.
Traditional secret scanners often treat a container image as a flat blob or depend on a local Docker daemon. This project is designed around OCI image internals
CLI tool for inspecting and managing services listening on localhost ports.
I got tired of running lsof -iTCP -sTCP:LISTEN | grep ... every time a port was already taken, then spending another minute figuring out if it was a Docker container or some orphaned dev server from another worktree. So I built sonar.
It shows everything listening on localhost, with Docker container names, Compose projects, resource usage, and clickable URLs. You can kill processes, tail logs, shell into containers, and more — all by port number.
Easy self-hosting for Docker-based web apps.
ONCE is a platform for installing and managing Docker-based web applications. Its goal is to make self-hosting applications as simple as possible.
As well as simplifying the initial setup, ONCE also provides automatic updates, backups, and system information. It has a TUI interface with a dashboard for monitoring and operating your applications, as well as CLI commands for common operations should you (or your AI agent) prefer that.
ONCE runs on Linux and macOS, and can be used to run applications on a variety of hardware: a physical server, a cloud VPS, a Raspberry Pi, or your laptop, are all suitable.
ONCE comes with a set of 37signals apps built-in, but you can use it to install any compatible Docker image as well.
The Container Streaming Platform. Stream your workspace directly to your web browser on any device and from any location.
CredSweeper is an advanced credential detection tool designed to identify exposed credentials such as passwords, API keys, tokens, and other sensitive information across source code, configuration files, documents, and binary assets. CredSweeper scans regular files, embedded data in containers, and files added in Git commits. The tool combines pattern-based detection, machine learning–based validation, and deep file inspection to deliver comprehensive and accurate security scanning for modern codebases and repositories.
Incus-based container management with native KDE/Plasma integration. A distrobox-like tool using Incus as the container/VM backend, designed for KDE Linux.
The Open Container Initiative is an open governance structure for the express purpose of creating open industry standards around container formats and runtimes.
Established in June 2015 by Docker and other leaders in the container industry, the OCI currently contains three specifications: the Runtime Specification (runtime-spec), the Image Specification (image-spec) and the Distribution Specification (distribution-spec). The Runtime Specification outlines how to run a “filesystem bundle” that is unpacked on disk. At a high-level an OCI implementation would download an OCI Image then unpack that image into an OCI Runtime filesystem bundle. At this point the OCI Runtime Bundle would be run by an OCI Runtime.
An updated sample database for PostgreSQL, building off of the Pagila database.
Minimal CVE Hardened container image collection.
A collection of production-ready container images with minimal CVEs, rebuilt daily using Chainguard's apko and Wolfi packages. By including only required packages, these images maintain a reduced attack surface and typically have zero or near-zero known vulnerabilities.
A lightweight alternative to Clawdbot / OpenClaw that runs in Apple containers for security. Connects to WhatsApp, has memory, scheduled jobs, and runs directly on Anthropic's Agents SDK.
My personal Claude assistant that runs securely in containers. Lightweight and built to be understood and customized for your own needs.
Kubernetes simplified, containerized, and democratized for rootless environments.
Single-node rootless Kubernetes cluster running in a Podman container.
a container wrapper.
Podenv provides a declarative interface to manage containerized applications. Using rootless containers, podenv lets you run applications seamlessly.
VaultOS is a terminal-based user interface (TUI) for managing "Desktop" Docker containers. It allows you to effortlessly spin up ephemeral or persistent Linux desktop environments (like Alpine XFCE, Ubuntu KDE, etc.) accessible directly via your web browser.
Make shipping applications more enjoyable.
KubeVela is a modern software delivery platform that makes deploying and operating applications across today's hybrid, multi-cloud environments easier, faster and more reliable.
A PostgreSQL Docker container that automatically upgrades your database.
Its whole purpose in life is to automatically detect the version of PostgreSQL used in the existing PostgreSQL data directory, then automatically upgrade it (if needed) to the required version of PostgreSQL using pg_upgrade with the --link option.
🤖 A minimal and customizable Docker image running the Android emulator as a service.
Docker Container Monitoring for Your Terminal.
A powerful TUI for monitoring Docker containers across multiple hosts with real-time CPU, memory, and network metrics. Built with Rust for blazing-fast performance and minimal resource usage.
A Lightweight, Ready-to-Use Web Browsing Environment in Docker with VNC Access.
VNC-Browser is a ready-to-use, minimal, customizable Docker image designed to provide a lightweight and secure environment for browsing the web via VNC.
An archive-less dockerTools.buildImage implementation.
nix2container provides an efficient container development workflow with images built by Nix: it doesn't write tarballs to the Nix store and allows skipping already pushed layers (without having to rebuild them).
IncusOS is an immutable OS solely designed around safely and reliably running Incus. It uses modern security features like UEFI Secure Boot and TPM to provide a safe boot experience and seamless full disk encryption.
Acceleration Framework For Cloud-Native Distribution.
The Dragonfly image service, providing fast, secure and easy access to container images. Nydus implements a content-addressable file system on the RAFS format, which enhances the current OCI image specification by improving container launch speed, image space and network bandwidth efficiency, and data integrity.
Manage your docker containers and generate a report to share and compare with other self hosters.
Container Census is a lightweight, Go-powered tool that automatically scans your Docker environment across one or many hosts and gives you a clear, historical view of everything running in your stack.
🥑 Language focused docker images, minus the operating system.
"Distroless" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.
An application for automating Docker container updates with a web UI.
It's like the well-known watchtower, but with a web UI where you can change most of the settings or view the current state of the containers.
Patch the past. Build the future. Eliminate your CVEs
Build, ship, and run secure software with minimal, hardened container images — rebuilt from source daily and guarded under our industry-leading remediation SLA.
1,700+ trusted container images to eliminate your vulnerabilities and mitigate malware.
Ubuntu, Alpine, Arch, and Fedora based Webtop images, Linux in a web browser supporting popular desktop environments.
Docker Registry UI.
A simple, lightweight UI for exploring and managing Docker/OCI container registries.
Run Windows Apps on Linux with Seamless Integration.
WinBoat is an Electron app which allows you to run Windows apps on Linux using a containerized approach. Windows runs as a VM inside a Docker container; we communicate with it using the WinBoat Guest Server to retrieve the data we need from Windows. For compositing applications as native OS-level windows, we use FreeRDP together with Windows's RemoteApp protocol.
A simple and flexible scheduler and orchestrator to deploy and manage containers and non-containerized applications across on-prem and clouds at scale.
an open source geocoder for openstreetmap data.
photon is an open source geocoder built for OpenStreetMap data. It is based on elasticsearch/OpenSearch - an efficient, powerful and highly scalable search platform.
Search engine for address. Only address.
Addok will index your address data and provide an HTTP API for full text search.
It is extensible with plugins, for example for geocoding CSV files.
Used in production by the French administration, with around 26 million addresses. On those servers, the full France data is imported in about 15 min and it scales to around 2000 searches per second.
- Addok @ GitHub.
- Addok containers for Docker with the reference data published by the Base Adresse Nationale (in French) @ GitHub.
Easy Tailscale to WireGuard bridge in a container.
A simple Docker container app which allows connecting existing WireGuard hosts to the Tailscale network, in case the device running WireGuard is locked in and/or does not support Tailscale binaries.
Securing containers, one scan at a time.
Harbor Guard is a comprehensive container security scanning platform that provides an intuitive web interface for managing and visualizing security assessments of Docker images.
A modular backup solution designed for Docker environments, safely handling containerized workloads by stopping and restarting containers during backup operations, ensuring data consistency.
Open-Source Low-Latency Accelerated Linux WebRTC HTML5 Remote Desktop Streaming Platform for Self-Hosting, Containers, Kubernetes, or Cloud/HPC.
Build single-executable microVMs from Docker images.
Bottlefire turns container images into standalone, zero-dependency Linux executables that bundle Firecracker and launch microVMs automatically.
bake is a Linux CLI tool that can embed microVM resources (firecracker binary, kernel, initrd, boot disk) into itself. It also implements bidirectional communication between VM and host - including networking and directory sharing - entirely in userspace, without requiring root privilege.
TUI viewer for docker-compose.
DCV is a TUI (Terminal User Interface) tool for monitoring Docker containers and Docker Compose applications.
RamaLama strives to make working with AI simple, straightforward, and familiar by using OCI containers.
RamaLama is an open-source developer tool that simplifies the local serving of AI models from any source and facilitates their use for inference in production, all through the familiar language of containers.
Run AI Generated Code Locally. A secure local sandbox to run LLM-generated code using Apple containers.
CodeRunner is an MCP (Model Context Protocol) server that executes AI-generated code in a sandboxed environment on your Mac using Apple's native containers.
Lock, Stock, and Two Smoking MicroVMs. Create and manage the lifecycle of MicroVMs backed by containerd.
A streamlined service to manage the lifecycle of microVMs. Flintlock lets you focus on deploying your application in MicroVMs tailored for its need.
The original use case for flintlock was to create microVMs on a bare-metal host where the microVMs will be used as nodes in a virtualized Kubernetes cluster. It is an essential part of Liquid Metal and can be orchestrated by Cluster API Provider Microvm.
Traefik Landing Page
A simple, modern, and dynamic dashboard for your Traefik services. This application automatically discovers services via the Traefik API and displays them in a clean, responsive grid. It's designed to be run as a lightweight, multi-arch Docker container.
Cloud-based development using your local tools.
Mutagen provides real-time file synchronization and flexible network forwarding for developers, extending the reach of local development tools to cloud-based containers and infrastructure.
Mutagen is a new kind of remote development tool that enables your existing local tools to work with code in remote environments like cloud servers and containers. It does this by providing high-performance real-time file synchronization and flexible network forwarding. It supports synchronization and forwarding between local systems, SSH-accessible locations, and Docker containers.
Transactional, in-place operating system updates using OCI/Docker container images. bootc is the key component in a broader mission of bootable containers.