🔒 All tools run entirely in your browser. No data leaves your device.
codebrûlée

Docker Compose Validator

Validate docker-compose.yml in your browser. Catches typos, missing image/build, security risks (Docker socket, privileged, 0.0.0.0 binds), and circular depends_on.

About this tool

Compose files accumulate small mistakes — a typo in a key, a hardcoded port that should be an env var, a stale :latest tag, a depends_on that points the wrong way. Most are harmless, a few are operational time bombs (mounting the Docker socket inside a container, for instance). This tool reads your file once and surfaces everything it can recognise.

Checks include: missing image or build; typos in field names; :latest or untagged images; bindings to 0.0.0.0; /var/run/docker.sock mounted into containers; privileged: true; running as root by default; and circular depends_on chains.

The validator is intentionally conservative — it warns rather than blocks for things that have legitimate uses (mounting the Docker socket is required for containerised CI runners, for example). Treat every warning as a deliberate decision, not a problem to suppress.

Frequently asked questions

Does this validate against the official Compose schema?

Not in full — full schema validation needs the Compose CLI. This tool catches the common mistakes that schema validation finds plus a handful of security issues schema validation does not. Use this for fast feedback while editing; use `docker compose config` before deploy.

What does it consider a security issue?

Mounting /var/run/docker.sock (effectively root on the host); privileged: true; cap_add: ALL; binding to 0.0.0.0 when localhost would suffice; running without an explicit non-root user. These are not always wrong — but each warrants a deliberate decision.

Why does it warn about :latest?

Because :latest moves. A working build today reproduces tomorrow only if the tag is pinned to a specific version (or, better, a digest). For ad-hoc dev environments :latest is fine; for production it is a footgun.

Does it follow `extends` and `include`?

No. Only the file you paste is checked — referenced files are out of scope. Run `docker compose config` to see the merged result and validate that.

Is the file sent anywhere?

No. Parsing and validation happen entirely in your browser.

Related tools