Dockhand - Modern Docker Management

Source

Summary

Dockhand is a new Docker management UI positioning itself as a Portainer replacement. It’s free forever for homelabs (SQLite-based, runs on a Raspberry Pi, zero telemetry), with paid tiers at 499 USD/host/year (SMB) and 1 499 USD/host/year (enterprise) for commercial use, RBAC, and compliance features.

Key Insight

  • Portainer alternative with security focus: builds its own OS layer from scratch using Wolfi packages via apko instead of relying on Alpine base images. Scans its own image for CVEs.
  • Free tier is genuinely generous: OIDC/SSO, MFA, vulnerability scanning (Grype + Trivy), Git-based deployments, container activity logging all included at no cost. Commercial license, RBAC, LDAP/AD, and audit logging are paid.
  • Safe-pull auto-update: pulls new images to a temporary tag, scans for vulnerabilities before touching running containers. If scan fails, temp image is deleted and running container stays untouched. This is a differentiator over Portainer’s update mechanism.
  • Remote agent (Hawser): open-source Go agent initiates outbound connections to Dockhand, so you can manage Docker hosts behind NAT/firewalls without exposing ports. Useful for distributed homelabs or edge deployments.
  • Minimal dependencies: SQLite by default (optional PostgreSQL for HA), no Redis or message queues. Single container deployment with one docker run command.
  • Current version: v1.0.21, actively developed with frequent releases.
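
The safe-pull flow described in the list above, sketched as a shell function. This is an added example, not Dockhand's code: the `safe_pull` name, the `safe-pull-tmp` tag, the Trivy severity threshold and the way the real tag is parked and restored are assumptions, and it expects `docker` and `trivy` on PATH and an image reference of the form repo[:tag].

```shell
#!/bin/sh
# Added example (not Dockhand's code): scan-gated image update.
# Assumes the docker and trivy CLIs are on PATH and IMAGE is repo[:tag].

TMP_TAG="safe-pull-tmp"   # hypothetical temporary tag name

safe_pull() {
    image=$1
    # Strip the tag only when the last path component carries one, so a
    # registry port (localhost:5000/app) is not mistaken for a tag.
    case "${image##*/}" in
        *:*) repo=${image%:*} ;;
        *)   repo=$image ;;
    esac
    tmp="$repo:$TMP_TAG"

    # Remember what the tag points at now (empty if never pulled).
    old_id=$(docker image inspect --format '{{.Id}}' "$image" 2>/dev/null) || old_id=""

    docker pull "$image" >/dev/null || return 2
    new_id=$(docker image inspect --format '{{.Id}}' "$image") || return 2
    [ "$new_id" = "$old_id" ] && return 0      # nothing new to vet

    # Park the candidate under the temporary tag and point the real tag
    # back at the previous image until the scan has passed.
    docker tag "$new_id" "$tmp" || return 2
    if [ -n "$old_id" ]; then
        docker tag "$old_id" "$image"
    else
        docker rmi "$image" >/dev/null
    fi

    # trivy exits 1 on HIGH/CRITICAL findings; any other scanner error
    # is also non-zero, so the update fails closed.
    if trivy image --quiet --exit-code 1 --severity HIGH,CRITICAL "$tmp"; then
        docker tag "$tmp" "$image"             # promote the candidate
        docker rmi "$tmp" >/dev/null           # drops only the temp tag
        return 0
    fi
    docker rmi "$tmp" >/dev/null               # discard the candidate
    return 1
}
```

Exit status 0 means the tag points at a scanned image, 1 means the candidate was rejected and removed; recreating the container from the promoted image is left to the caller.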