Releases: Finsys/dockhand
v1.0.27
What's new in v1.0.27
- ✨ network graph visualization on networks page (#894, @Penlane)
- ✨ customizable compose template for new stacks in settings (#632, @oratory)
- ✨ Microsoft Teams notifications via Power Automate Workflows (#355, @slokhorst)
- ✨ container label controls: dockhand.update, dockhand.hidden, dockhand.notify (#6, #53, #94, #215)
- ✨ configurable label filter matching mode (any/all) for environment dashboard (#607)
- ✨ log search filter mode to hide non-matching lines (#916)
- ✨ inline terminal on logs page with resizable split layout (#900)
- 🐛 disable Telegram link preview in notifications (#910, @deenle)
- 🐛 cron editor rejects 6-field expressions with seconds (#839, @GiulioSavini)
- 🐛 mirror Dockhand's ExtraHosts into scanner and self-update containers (#836, @YewFence)
- 🐛 duplicate volume binds during container recreate (#765, @itsDNNS)
- 🐛 log timestamp formatting not applied on main logs page (#882)
- 🐛 uploaded files now inherit container user ownership (#732, @ivanjx)
- 🐛 extraneous backslash in Telegram notification environment name (#955)
- 🐛 collapse ports into ranges only if 3 or more consecutive ports
- 🐛 git operations auto-merge system CAs with custom cert (#967)
Docker image
docker pull fnsys/dockhand:v1.0.27Also available as fnsys/dockhand:latest
Contributors
Assets 3
v1.0.26
What's new in v1.0.26
- ✨ persist sort order across page navigation for all data grids (#861, #912)
- ✨ show git repository URL and branch in git stack edit modal (#856)
- ✨ show memory limit alongside usage in containers and stacks views (#893)
- ✨ option to delete associated volumes when removing a stack (#655)
- ✨ collapse consecutive port mappings into ranges in container list (#821)
- 🐛 bearer token authentication fails with enterprise license active
- 🐛 clicking stack name toggles stats accordion instead of just opening editor (#628)
- 🐛 scheduled image prune notifications missing environment name (#770)
- 🐛 Gotify, ntfy, Pushover, and webhook notifications missing environment name (#943)
- 🐛 MFA code field not recognized by Bitwarden and other password managers (#566)
Docker image
docker pull fnsys/dockhand:v1.0.26Also available as fnsys/dockhand:latest
v1.0.25
What's new in v1.0.25
- ✨ API token authentication — Bearer tokens for CI/CD pipelines and scripts
- ✨ Telegram topic support — send notifications to supergroup topics (#855)
- 🐛 allow removing healthcheck, ports, and honor startAfterUpdate=false during container edit (#892)
- 🐛 validate stack names and prevent broken DB entries on invalid input (#876)
- 🐛 use per-environment timezone for schedule execution log timestamps (#882)
- 🐛 "Pull image before update" and "Start after update" settings ignored (#909)
- 🐛 image prune timeout on hawser-standard when pruning many images (#905)
- 🐛 bump Docker Compose to 5.1.3
- 🐛 mask secret environment variables in container inspect modal (#924)
- 🐛 viewer role can toggle, delete, and run schedules (#923)
- 🐛 settings show defaults instead of saved values after login until page refresh (#921)
- 🐛 settings toggle notifications show wrong state (#931)
- 🐛 stack memory tooltip shows inflated total on multi-container stacks (#936)
Docker image
docker pull fnsys/dockhand:v1.0.25Also available as fnsys/dockhand:latest
v1.0.24
What's new in v1.0.24
- 🐛 browsing HTTP registries fails with SSL error (#868)
- 🐛 git stack deploy options (build, re-pull, force redeploy) not persisted in edit dialog
Docker image
docker pull fnsys/dockhand:v1.0.24Also available as fnsys/dockhand:latest
v1.0.23
New
- Added a theme toggle with a System option that automatically follows the OS light/dark preference. (#803)
- Added a custom shell option for terminal sessions, persisted per container. (#830)
- Added a Redeploy button for internal stacks with pull, build, and force-recreate options. (#152)
- Added build, image re-pull, and force redeployment options for Git stacks. (#792, #472)
Fixes
- Fixed hostname validation to allow underscores. (#790)
- Fixed cloning and pulling from HTTPS Git repositories with self-signed CA certificates. (#842)
- Fixed stack restarts for containers using
network_mode: service:by adding a recreate option. (#844) - Fixed Git stack sync deleting data in relative volume paths. (#831)
- Fixed batch update skipping Hawser containers. (#485)
- Fixed registry deletion for multi-arch and OCI manifest images.
- Fixed scanner cache cleanup to prevent volume bloat. (#808)
- Fixed Docker API version negotiation for scanner and updater sidecar containers. (#759)
- Fixed vulnerability scan counts not matching the displayed list. (#705)
Docker image
docker pull fnsys/dockhand:v1.0.23Also available as fnsys/dockhand:latest
v1.0.22
THIS IS IMPORTANT RELEASE
On March 19, 2026, attackers compromised the official Trivy vulnerability scanner.
They force-pushed 75 out of 76 version tags in the GitHub Action repository (aquasecurity/trivy-action) to inject a credential-stealing payload executed during GitHub Actions builds.
During this time, release v0.69.4 was also published. From public GitHub data: v0.69.4 tag was created, then deleted by a Trivy maintainer hours later. Exposure window: 2026-03-19 18:22 – ~21:42 CET.
The full technical analysis is available at https://www.abgeo.dev/blog/trivy-github-actions-compromised-full-payload-analysis/.
How does this affect Dockhand?
Dockhand does not use the compromised GitHub Action, but runs Trivy as a an Docker container (aquasec/trivy) with the following setup:
- The container receives the Docker socket (to access images for scanning) and it's own cache volume (for the vulnerability database)
- No host filesystem paths are mounted into the scanner container
- No Dockhand environment variables or credentials are passed to the scanner container
- The container runs a single scan command and exits
The attack targeted the GitHub Action repository. There is no confirmation whether the Docker Hub container images (aquasec/trivy) were also affected.
If you ran vulnerability scans using Dockhand before version 1.0.22 during or after March 19, and the scanner image was not cached locally, the scanner may have pulled aquasec/trivy:latest, which could have pointed to a compromised image.
Starting with Dockhand 1.0.22, scanner images are pinned to verified versions (aquasec/trivy:0.69.3) and are configurable in Settings > General.
Recommended action: Upgrade Dockhand to 1.0.22 immediately if you haven't already.
We will update you if new information emerges about the Docker Hub images.
references:
https://github.com/aquasecurity/trivy/discussions/10425
https://www.abgeo.dev/blog/trivy-github-actions-compromised-full-payload-analysis/
[UPDATE]
CrowdStrike has confirmed that the Docker container image aquasec/trivy:0.69.4 was also compromised — not just the GitHub Action.
https://www.crowdstrike.com/en-us/blog/from-scanner-to-stealer-inside-the-trivy-action-supply-chain-compromise/
What the payload does:
The compromised Trivy binary drops a script to ~/.config/sysmon.py which sleeps for 5 minutes, then contacts a command-and-control server every 50 minutes. It acts as a stage-1 loader for further payloads.
Why Dockhand is likely unaffected:
Dockhand runs the Trivy Docker container (isolated from a host) for a single scan and exits — typically under 30 seconds - 1 minute.
The malicious payload requires a 5-minute sleep before it activates. Since the container is destroyed when the scan completes, the payload never had time to execute.
Additionally:
- No host filesystem paths are mounted into the scanner container
- No Dockhand environment variables or credentials are passed to it
- CrowdStrike's analysis describes a C2 loader — no Docker socket exploitation was observed
What's new in v1.0.22
- ✨ dashboard list view with inline search and connection filters (#740)
- ✨ custom environment icon (#754)
- ✨ show +N indicator for containers with multiple IP addresses (#644)
- ✨ bundle all fonts locally for privacy and offline use (#734)
- 🐛 respect PROXY settings when checking for container updates
- 🐛 git stacks force-redeploy after a failed sync (#693)
- 🐛 What's New modal shown before login, exposing version info (#717)
- 🐛 git repository files not removed from disk on delete (#671)
- 🐛 recursive chown at startup breaks stack volumes with different ownership (#719)
- 🐛 missing notification event toggles for container healthy, image prune events (#659)
- 🐛 container disappears when edit fails (e.g. invalid memory/swap) (#736)
- 🐛 regression: network container count always shows 0 (#761)
- 🐛 Grype/Trivy scan containers don't inherit proxy env vars (#780)
- 🐛 pin vulnerability scanner images to specific versions not :latest
Docker image
docker pull fnsys/dockhand:v1.0.22Also available as fnsys/dockhand:latest
v1.0.21
What's new in v1.0.21
- ✨ option to truncate port list (#702)
- ✨ log viewer supports ANSII 256 colors (#743)
- 🐛 IPv6 Problems (#714, #731)
- 🐛 polling storm & mass disconnect (#733, #741)
- 🐛 custom cron schedule displayed incorrectly (#727)
- 🐛 wrong cron schedule (#706)
- 🐛 file browser does not allow upload over 512 KB (#687)
- 🐛 can't set memory swappiness when using Podman (#691)
- 🐛 compose API negotiation fix (#692, #696)
- 🐛 not deployed git stacks continue to show the Down action (#694)
- 🐛 display time doesn't reflect time zone (#735)
- 🐛 prune dangling images counter not working (#718)
- 🐛 own PORT env not used in HEALTHCHECK (#745)
Docker image
docker pull fnsys/dockhand:v1.0.21Also available as fnsys/dockhand:latest
v1.0.20
What's new in v1.0.20
- 🐛 regression on Synology DSM
- 🐛 Fix ARM64 regression: Go collector crashing on Raspberry Pi and other ARM devices
- 🐛 autoupdate hangs on "waiting for Dockhand"
Docker image
docker pull fnsys/dockhand:v1.0.20Also available as fnsys/dockhand:latest
v1.0.19
What's new in v1.0.19
- ✨ Inline logs panel on stacks page — view container logs without leaving the page
- ✨ Make ports column sortable in containers grid
- ✨ Structured auth logging with client IP (login/logout/MFA/OIDC events)
- 🐛 Fix memory leak: TLS context accumulation for HTTPS environments (Bun)
- 🐛 Fix security scanning on Docker with custom logging drivers (Loki, Fluentd, etc.)
- 🐛 Fix grouped log viewer not auto-scrolling on new entries
- 🐛 Fix container recreation error messages not surfacing actual Docker errors
- 🐛 Fix LDAP group-to-role mapping
- 🐛 Fix container file browser hiding old files
- 🐛 Fix SSH key permission issues on NAS filesystems
- 🐛 Fix binary file corruption when syncing stacks to Hawser agents
- 🐛 Fix UI timeout issues for long running operations
Docker image
docker pull fnsys/dockhand:v1.0.19Also available as fnsys/dockhand:latest
v1.0.18
What's new in v1.0.18
- ✨ Dockhand self-update from the UI
- ✨ Show freed disk space after image removal and pruning
- ✨ Handle dynamically-spawned child containers in stack stop/down/restart/remove
- ✨ Git webhooks are logged to the audit log
- ✨ Add Mattermost notification support
- ✨ Configurable disk usage warning threshold per environment
- 🐛 Fix file upload CSRF 403 error on plain HTTP deployments
- 🐛 Fix scanner container /wait timeout causing empty scan output
- 🐛 Fix saving adopted external stack failing with 'Stack directory not found'
- 🐛 Add Bearer token auth support for ntfy notifications
- 🐛 Fix git SSH failing with 'No user exists for uid' with arbitrary UIDs
- 🐛 Fix command palette flooding API requests on open
- 🐛 Normalize stack names when adopting to prevent uppercase rejection
- 🐛 Fix container update failing for shared network modes (container:, host, none)
Docker image
docker pull fnsys/dockhand:v1.0.18Also available as fnsys/dockhand:latest