• v0.5.2.1: Rewrite of dependency downloads, jq can be installed with package manager or static binary.
• v0.5.1: DEPENDENCY WARNING: now requires jq. + Upstreaming changes from sudo-kraken/podcheck
• v0.5.0: Rewritten notify logic - all templates are adjusted and should be migrated!
  • Copy the custom settings from your current template to the new version of the same template.
  • Look into, copy and customize the urls.list file if that's of interest.
  • Other changes:
    • Added Discord notify template.
    • Verbosity changed of regctl.
• v0.4.9: Added a function to enrich the notify-message with release note URLs. See Release notes addon
• v0.4.8: Rewrote prune logic to not prompt with options -a|-y or -n. Auto prune with -p.

$ ./dockcheck.sh -h
Syntax:     dockcheck.sh [OPTION] [part of name to filter]
Example:    dockcheck.sh -y -d 10 -e nextcloud,heimdall

Options:"
-a|y   Automatic updates, without interaction.
-c     Exports metrics as prom file for the prometheus node_exporter. Provide the collector textfile directory.
-d N   Only update to new images that are N+ days old. Lists too recent with +prefix and age. 2xSlower.
-e X   Exclude containers, separated by comma.
-f     Force stack restart after update. Caution: restarts once for every updated container within stack.
-h     Print this Help.
-i     Inform - send a preconfigured notification.
-l     Only update if label is set. See readme.
-m     Monochrome mode, no printf color codes.
-n     No updates, only checking availability.
-p     Auto-Prune dangling images after update.
-r     Allow updating images for docker run, wont update the container.
-s     Include stopped containers in the check. (Logic: docker ps -a).
-t     Set a timeout (in seconds) per container for registry checkups, 10 is default.
-v     Prints current version.

$ ./dockcheck.sh
. . .
Containers on latest version:
glances
homer

Containers with updates available:
1) adguardhome
2) syncthing
3) whoogle-search

Choose what containers to update:
Enter number(s) separated by comma, [a] for all - [q] to quit:

Then it proceeds to run pull and up -d on every container with updates.
After the updates are complete, you'll get prompted if you'd like to prune dangling images.

• Running docker (duh) and compose, either standalone or plugin. (see Podman fork
• Bash shell or compatible shell of at least v4.3
• jq
  • User will be prompted to install with package manager or download static binary.
• regclient/regctl (Licensed under Apache-2.0 License)
  • User will be prompted to download regctl if not in PATH or PWD.
  • regctl requires amd64/arm64 - see workaround if other architecture is used.

Download the script to a directory in PATH, I'd suggest using ~/.local/bin as that's usually in PATH.

# basic example with curl:
curl -L https://raw.githubusercontent.com/mag37/dockcheck/main/dockcheck.sh -o ~/.local/bin/dockcheck.sh
chmod +x ~/.local/bin/dockcheck.sh

# or oneliner with wget:
wget -O ~/.local/bin/dockcheck.sh "https://raw.githubusercontent.com/mag37/dockcheck/main/dockcheck.sh" && chmod +x ~/.local/bin/dockcheck.sh

Then call the script anywhere with just dockcheck.sh. Add preferred notify.sh-template to the same directory - this will not be touched by the scripts self-update function.

Trigger with the -i flag.
Run it scheduled with -ni to only get notified when there's updates available!

Use a notify_X.sh template file from the notify_templates directory, copy it to notify.sh alongside the script, modify it to your needs! (notify.sh is added to .gitignore)
Current templates:

• Synology DSM
• Email with mSMTP (or deprecated alternative sSMTP)
• Apprise (with it's multitude of notifications)
  • both native caronc/apprise and the standalone linuxserver/docker-apprise-api
  • Read the QuickStart
• ntfy.sh - HTTP-based pub-sub notifications.
• Gotify - a simple server for sending and receiving messages.
• Pushbullet - connecting different devices with cross-platform features.
• Telegram - Telegram chat API.
• Matrix-Synapse - Matrix, open, secure, decentralised communication.
• Pushover - Simple Notifications (to your phone, wearables, desktops)
• Discord - Discord webhooks.

Further additions are welcome - suggestions or PR!
_{^{Initiated and first contributed by yoyoma2.}}

There's a function to use a lookup-file to add release note URL's to the notification message.
Copy the notify_templates/urls.list file to the script directory, it will be used automatically if it's there. Modify it as necessary, the names of interest in the left column needs to match your container names.
The output of the notification will look something like this:

Containers on hostname with updates available:
apprise-api  ->  https://github.com/linuxserver/docker-apprise-api/releases
homer  ->  https://github.com/bastienwirtz/homer/releases
nginx  ->  https://github.com/docker-library/official-images/blob/master/library/nginx
...

The urls.list file is just an example and I'd gladly see that people contribute back when they add their preferred URLs to their lists.

Dockcheck is capable to export metrics to prometheus via the text file collector provided by the node_exporter. In order to do so the -c flag has to be specified followed by the file path that is configured in the text file collector of the node_exporter. A simple cron job can be configured to export these metrics on a regular interval as shown in the sample below:

0 1 * * * /root/dockcheck.sh -n -c /var/lib/node_exporter/textfile_collector

The following metrics are exported to prometheus

# HELP dockcheck_images_analyzed Docker images that have been analyzed
# TYPE dockcheck_images_analyzed gauge
dockcheck_images_analyzed 22
# HELP dockcheck_images_outdated Docker images that are outdated
# TYPE dockcheck_images_outdated gauge
dockcheck_images_outdated 7
# HELP dockcheck_images_latest Docker images that are outdated
# TYPE dockcheck_images_latest gauge
dockcheck_images_latest 14
# HELP dockcheck_images_error Docker images with analysis errors
# TYPE dockcheck_images_error gauge
dockcheck_images_error 1
# HELP dockcheck_images_analyze_timestamp_seconds Last dockercheck run time
# TYPE dockcheck_images_analyze_timestamp_seconds gauge
dockcheck_images_analyze_timestamp_seconds 1737924029

Once those metrics are exported they can be used to define alarms as shown below

- alert: dockcheck_images_outdated
  expr: sum by(instance) (dockcheck_images_outdated) > 0
  for: 15s
  labels:
    severity: warning
  annotations:
    summary: "{{ $labels.instance }} has {{ $value }} outdated docker images."
    description: "{{ $labels.instance }} has {{ $value }} outdated docker images."
- alert: dockcheck_images_error
  expr: sum by(instance) (dockcheck_images_error) > 0
  for: 15s
  labels:
    severity: warning
  annotations:
    summary: "{{ $labels.instance }} has {{ $value }} docker images having an error."
    description: "{{ $labels.instance }} has {{ $value }} docker images having an error."
- alert: dockercheck_image_last_analyze
  expr: (time() - dockcheck_images_analyze_timestamp_seconds) > (3600 * 24 * 3)
  for: 15s
  labels:
    severity: warning
  annotations:
    summary: "{{ $labels.instance }} has not updated the dockcheck statistics for more than  3 days."
    description: "{{ $labels.instance }} has not updated the dockcheck statistics for more than 3 days."

There is a reference Grafana dashboard in grafana/grafana_dashboard.json.

Optionally add labels to compose-files. Currently these are the usable labels:

    labels:
      mag37.dockcheck.restart-stack: true
      mag37.dockcheck.update: true

• mag37.dockcheck.restart-stack: true works instead of the -f option, forcing stop+restart on the whole compose-stack (Caution: Will restart on every updated container within stack).
• mag37.dockcheck.update: true will when used with the -l option only update containers with this label and skip the rest. Will still list updates as usual.

regctl provides binaries for amd64/arm64, to use on other architecture you could try this workaround. Run regctl in a container wrapped in a shell script. Copied from regclient/docs/install.md:

cat >regctl <<EOF
#!/bin/sh
opts=""
case "\$*" in
  "registry login"*) opts="-t";;
esac
docker container run \$opts -i --rm --net host \\
  -u "\$(id -u):\$(id -g)" -e HOME -v \$HOME:\$HOME \\
  -v /etc/docker/certs.d:/etc/docker/certs.d:ro \\
  ghcr.io/regclient/regctl:latest "\$@"
EOF
chmod 755 regctl

Test it with ./regctl --help and then either add the file to the same path as dockcheck.sh or in your path (eg. ~/.local/bin/regctl).

Example - Change names, paths, and remove cat+password flag if you rather get prompted:

function dchk {
  cat ~/pwd.txt | docker login --username YourUser --password-stdin
  ~/dockcheck.sh "$@"
}

• No detailed error feedback (just skip + list what's skipped).
• Not respecting --profile options when re-creating the container.
• Not working well with containers created by Portainer.
• Watchtower might cause issues due to retagging images when checking for updates (and thereby pulling new images).

Wont auto-update the containers, only their images. (compose is recommended)
docker run dont support using new images just by restarting a container.
Containers need to be manually stopped, removed and created again to run on the new image.

If you hit issues, you could check the output of the extras/errorCheck.sh script for clues. Another option is to run the main script with debugging in a subshell bash -x dockcheck.sh - if there's a particular container/image that's causing issues you can filter for just that through bash -x dockcheck.sh nginx.

dockcheck is created and released under the GNU GPL v3.0 license.

• avegy