Watchtower vs Drydock
Watchtower served the Docker community well for years. With its archival in December 2025, Drydock offers an actively maintained alternative with a modern UI, security scanning, and monitor-first design.
Feature Comparison
A side-by-side look at what each tool offers.
| Feature | Watchtower | Drydock |
|---|---|---|
| Project status | Archived (Dec 2025) | Actively maintained |
| Language | Go | TypeScript |
| Web UI | None (CLI only) | Full dashboard |
| Update approach | Auto-pulls & restarts | Monitor + notify (optional update) |
| Monitor-only mode | Flag exists but unreliable | Core design — monitor-first |
| Dry-run preview | No | Yes |
| Registry support | Docker Hub + private via Docker config | 23 dedicated registry integrations |
| Notifications | Via Shoutrrr (~18 services) | 20 native trigger integrations |
| Security scanning | None | Trivy + SBOM + cosign verification |
| Per-container scheduling | No | Yes (per-watcher CRON) |
| Include/exclude patterns | Labels only | Labels, regex, image sets |
| Distributed/remote hosts | Limited | SSE-based agent architecture |
| Prometheus metrics | Basic | Full /metrics endpoint + Grafana template |
| Audit log | No | Yes, with REST API |
| Auto rollback | No | Yes, on health check failure |
| Authentication | None | OIDC (Authelia, Auth0, Authentik) |
| Container actions | Restart only (via update) | Start/stop/restart from UI/API |
| Docker Compose updates | Limited | Full compose pull & recreate |
| Lifecycle hooks | Yes | Yes (pre/post-update) |
| Image backup | No | Pre-update backup with retention |
| Webhook API | HTTP API mode | Token-authenticated webhooks |
| License | Apache 2.0 | AGPL-3.0 |
Key Differentiators
Where Drydock goes beyond what Watchtower offers.
Full Web Dashboard
Watchtower is CLI-only with no built-in UI. Drydock ships with a full web dashboard for browsing containers, viewing update status, triggering actions, and inspecting logs — no terminal required.
Monitor-First Design
Watchtower's default behavior auto-pulls and restarts containers, which can be risky in production. Drydock is monitor-first by design — it detects updates and notifies you, with optional dry-run preview before any changes are applied.
Security Scanning
Drydock integrates Trivy vulnerability scanning, SBOM generation (CycloneDX & SPDX), and cosign image signature verification. Watchtower has no security scanning capabilities.
Distributed Architecture
Monitor remote Docker hosts via lightweight SSE-based agents with a centralized dashboard. Watchtower is limited to the local Docker socket or basic remote connections.
23 Registry Integrations
Dedicated integrations for Docker Hub, GHCR, ECR, GCR, GAR, GitLab, Quay, LSCR, ACR, Harbor, Artifactory, Nexus, and more — rather than relying on Docker's credential config.
Rollback & Backup
Pre-update image backups with configurable retention and automatic rollback on health check failure. Watchtower has no rollback or backup mechanism.
Coming from Watchtower?
Drydock takes a different approach than Watchtower — it's monitor-first rather than update-first. This means you get visibility into what's available before anything changes. Getting started takes one Docker command, and you can have the dashboard running in under a minute.
$ docker run -d \
    --name drydock \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -p 3000:3000 \
    codeswhat/drydock
Ready to try Drydock?
Open source, AGPL-3.0 licensed, and actively maintained.