Skip to content
API

App API

Application info, server configuration, and diagnostic endpoints.

Get App information

Returns application name and version.

curl http://drydock:3000/api/v1/app

{
  "name":"drydock",
  "version":"1.6.0-rc.1"
}

Get server configuration

Returns the server configuration, webhook status, and legacy input compatibility summary.

curl http://drydock:3000/api/v1/server

{
  "configuration": {
    "port": 3000,
    "feature": { "delete": false },
    "webhook": { "enabled": true }
  },
  "compatibility": {
    "legacyInputs": {}
  }
}

Get security runtime status

Returns backend, provider, scanner-asset, Cosign, and SBOM-generator status. Command mode checks local binaries; Docker/remote modes inspect digest-pinned worker assets.

curl http://drydock:3000/api/v1/server/security/runtime

{
  "checkedAt": "2026-03-18T19:33:00.000Z",
  "ready": true,
  "backend": "docker",
  "availabilityPolicy": "block",
  "gate": { "mode": "on", "allowNoWorse": true },
  "scanner": {
    "enabled": true,
    "command": "aquasec/trivy@sha256:…",
    "commandAvailable": true,
    "status": "ready",
    "message": "trivy scanner is ready via docker",
    "scanner": "trivy",
    "server": ""
  },
  "signature": {
    "enabled": false,
    "command": "",
    "commandAvailable": null,
    "status": "disabled",
    "message": "Signature verification is disabled"
  },
  "sbom": {
    "enabled": true,
    "formats": ["spdx-json", "cyclonedx-json"],
    "generator": "trivy"
  },
  "providers": [{ "provider": "trivy", "role": "scanner", "status": "ready" }],
  "assets": [{ "provider": "trivy", "state": "ready", "resolvedDigest": "sha256:…" }],
  "requirements": []
}

Response fields

FieldTypeDescription
checkedAtstringISO 8601 timestamp of the check
readybooleantrue when every required scanner/SBOM provider is ready
backendstringcommand, docker, or Trivy-only remote
availabilityPolicystringFail-closed block or explicit advisory warn
gate.modestringEffective global gate mode: on or off
gate.allowNoWorsebooleanWhether blocked candidates can pass a fail-closed severity-by-severity comparison with the current image scan
scanner.enabledbooleanWhether vulnerability scanning is configured
scanner.commandstringScanner command (e.g. trivy)
scanner.commandAvailableboolean | nullWhether the command was found in the runtime; null when disabled
scanner.statusstringready, missing, or disabled
scanner.serverstringTrivy server URL (empty when using local mode)
signature.enabledbooleanWhether signature verification is configured
signature.commandstringCosign command
signature.commandAvailableboolean | nullWhether cosign was found in the runtime
signature.statusstringready, missing, or disabled
sbom.enabledbooleanWhether SBOM generation is enabled
sbom.formatsstring[]Configured SBOM output formats
sbom.generatorstringEffective trivy or syft generator
providersobject[]Normalized provider health and remediation details
assetsobject[]Worker image state, configured/resolved digest, version, cache timestamps, and failures
requirementsstring[]Human-readable list of missing dependencies (empty when everything is ready)

Returns 200 on success, or 500 if the runtime check fails.

Pull or warm scanner assets

Docker/remote backends expose an audited lifecycle action:

curl -X POST http://drydock:3000/api/v1/server/security/assets/grype/pull
curl -X POST http://drydock:3000/api/v1/server/security/assets/grype/warm

Providers are trivy, grype, and syft; operations are pull and warm. The response is the resulting asset status. Invalid combinations return 400, while runtime/pull/warm failures return 503 without exposing credentials.

Download diagnostic debug dump

Downloads a comprehensive, redacted diagnostic dump of the running drydock instance as a JSON file. Useful for troubleshooting and support requests.

The dump includes runtime metadata, component state (watchers, registries, triggers, agents, containers), Docker API diagnostics, MQTT Home Assistant sensor definitions, recent Docker events, store statistics, and DD_* environment variable names. Store statistics include document counts and UTF-8 serialized byte attribution for the whole LokiJS store and each collection, making unexpected persistence growth traceable without exposing raw store contents. Values whose keys contain sensitive tokens such as password, passwd, pass, token, secret, credential, hash, key, apikey, accesskey, or privatekey are automatically redacted. Environment-style keys containing AUTH, BEARER, LOGIN, or URL are also redacted, which covers webhook URLs with embedded secrets.

curl -O -J "http://drydock:3000/api/v1/debug/dump?minutes=30"

The response is a JSON attachment with a timestamped filename (e.g. drydock-debug-dump-2026-03-18T19-33-00-000Z.json).

Query parameters

ParameterTypeDefaultDescription
minutesinteger30How many recent minutes of event history to include (min: 1)

Dump sections

SectionContents
metadataGenerated timestamp, drydock version, Node.js version, uptime
stateAll registered components: containers, watchers, triggers, registries, authentications, agents
mqttHomeAssistantHome Assistant MQTT sensor discovery topics and definitions
dockerEventsActive Docker event subscriptions and recent events within the time window
aliasFilteringRecent container alias filter decisions
storeLokiJS collection document counts and serialized byte attribution, including per-collection serializedBytes
dockerApiDocker daemon version and info per watcher (connection errors captured gracefully)
environmentAll DD_* environment variable names with values redacted

Returns 200 with the JSON attachment on success, 401 if not authenticated, or 500 if the dump cannot be generated.