strayer/vendored-docker-socket-proxy

vendored-docker-socket-proxy

This repository is used to build a trusted Docker image for docker-socket-proxy, a HAProxy-based gatekeeper for the Docker socket, using vendored source code.

Why I Vendor and How I Review

I'm vendoring docker-socket-proxy because it brokers access to the Docker socket and thus poses a significant security risk if it is ever compromised: a weakened access-control rule or a backdoor in this image could hand out control of the Docker daemon, the host, and every other container. While I feel the maintainer(s) of docker-socket-proxy are trustworthy and responsible, I prefer a more cautious approach. To be fully transparent, I need to clarify that the vendoring workflow in this repository does NOT include a state-of-the-art security review process! My strategy relies on avoiding direct updates from upstream Docker images, as these could potentially be modified outside of the publicly visible code and GitHub Actions workflows. Additionally, I avoid updating immediately when a new docker-socket-proxy version is released. This delay gives the community a chance to flag any security issues before I update my instances.

Since I can't do a full security review of the code, I use a variety of AI agents and LLMs to do at least some kind of security review before updating the docker-socket-proxy code in this repository. See AI_REVIEW_PROMPT.md for the prompt I'm using for that. This is far from a foolproof security review, but it adds one more layer of defence that could possibly save me from compromised systems.

Docker Images

Tagged images are built and published to GitHub Container Registry:

  • ghcr.io/strayer/docker-socket-proxy:latest - Latest version
  • ghcr.io/strayer/docker-socket-proxy:{major}.{minor}.{patch} - Specific version tags (e.g., 0.4.2)
  • ghcr.io/strayer/docker-socket-proxy:{major}.{minor} - Latest patch release of a minor version (e.g., 0.4)
  • ghcr.io/strayer/docker-socket-proxy:{major} - Latest release of a major version (e.g., 0)

Workflows

Sync Vendor Code

The Sync Vendor Code workflow (.github/workflows/sync-code.yml) automatically syncs source code from the upstream repository when the .docker-socket-proxy-version file is updated in a pull request:

  • Triggers on changes to .docker-socket-proxy-version in pull requests
  • Downloads and extracts source code from the upstream repository tag
  • Validates the version format and extracted files
  • Commits the synced source code automatically
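The steps above, sketched as an added POSIX shell example that is not the repository's own sync-code.yml: the version string is validated before it touches a URL or path, the upstream archive is checked against a pinned digest, and the extracted tree is checked for the files the build needs before the vendored directory is replaced. The required-file list (Dockerfile, LICENSE.txt) is an assumption drawn from the files this README names; UPSTREAM_TARBALL_URL and EXPECTED_SHA256 are placeholders because the page gives neither value.

```shell
# Added example, not the repository's own workflow code. Assumed: the version
# file holds one line such as 0.4.2 and the vendored tree must contain
# Dockerfile and LICENSE.txt (the files this README names). UPSTREAM_TARBALL_URL
# and EXPECTED_SHA256 are placeholders; the page does not give either value.
set -eu

VERSION_FILE=".docker-socket-proxy-version"
SRC_DIR="docker-socket-proxy-src"

# Accept only a strict major.minor.patch string. A leading "v", a branch name,
# "../" or shell metacharacters are rejected before the value is ever
# interpolated into a download URL or a filesystem path.
validate_version() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Require the files the image build depends on; report the first one missing.
validate_extracted() {
  for f in Dockerfile LICENSE.txt; do
    [ -f "$1/$f" ] || { echo "missing $1/$f" >&2; return 1; }
  done
}

# Compare an archive against a pinned SHA-256 so a tarball altered outside the
# public git history fails the sync instead of being vendored silently.
verify_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$1" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
  fi
  [ "$actual" = "$2" ]
}

# Orchestration: read the version, fetch the upstream tag archive into a temp
# dir, verify, extract, validate, and only then replace the vendored tree.
sync_vendor_code() {
  version=$(tr -d '[:space:]' < "$VERSION_FILE")
  validate_version "$version" || { echo "rejected version '$version'" >&2; return 1; }
  tmp=$(mktemp -d)
  curl -fsSL "${UPSTREAM_TARBALL_URL:?}/${version}.tar.gz" -o "$tmp/src.tar.gz"
  verify_digest "$tmp/src.tar.gz" "${EXPECTED_SHA256:?}" || { echo "digest mismatch" >&2; return 1; }
  mkdir "$tmp/src"
  tar -xzf "$tmp/src.tar.gz" -C "$tmp/src" --strip-components=1
  validate_extracted "$tmp/src" || return 1
  rm -rf "$SRC_DIR" && mv "$tmp/src" "$SRC_DIR"
}
```

Only sync_vendor_code touches the network; the three check functions can be exercised on their own with constructed inputs.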

Build and Publish Image

The Build and Publish Image workflow (.github/workflows/build-publish.yml) builds and publishes Docker images when changes are pushed to the main branch:

  • Reads the target version from .docker-socket-proxy-version
  • Delegates the build to the docker/github-builder reusable workflow
  • Builds multi-platform images (linux/amd64, linux/arm64) from the vendored Dockerfile
  • Generates an SBOM and provenance for the image
  • Tags images with both version-specific and latest tags
  • Publishes to GitHub Container Registry (ghcr.io/strayer/docker-socket-proxy)

Code Vendoring and Licensing

The source code for docker-socket-proxy is vendored into the docker-socket-proxy-src/ directory directly from the official upstream repository for security review and building.

The original project is available here:

The docker-socket-proxy project is licensed under the Apache 2.0 License. In accordance with its terms, the original LICENSE.txt file is preserved within the docker-socket-proxy-src/ directory. The build scripts in this repository are also licensed under the Apache 2.0 License.

AI Usage Notice

To ensure the responsible use of AI, this project adheres to a strict policy of human oversight. While a Large Language Model (LLM) is used as an assistive tool, its role is limited to implementation based on human-led design. Every line of AI-generated code is then manually reviewed and validated for correctness, security, and quality before being accepted into the codebase. The final authority and accountability for the code rests with the human developer.

About

Trusted Docker image builds for docker-socket-proxy (HAProxy-based Docker socket gatekeeper) using vendored source code from upstream repository