Automic Vault

brew package intelligence

docker

Automic Vault tracks docker because ambient Docker registry credentials matter when AI agents run command-line tools on macOS.

overview

What Automic Vault knows about docker

Pack, ship and run any application as a lightweight container

Homepage

Not present in the local metadata.

Commands and aliases

No executable aliases were found in the local package database.

radioisotope

Ambient Docker Registry Credentials

Docker registry credentials can be stored inline in ~/.docker/config.json or exposed through ambient Docker credential helpers such as docker-credential-osxkeychain and docker-credential-desktop. Those helpers store secrets outside the Docker config file, but any local process can invoke Docker's helper protocol directly and request stored registry credentials once Keychain allows the helper binary. Automic Vault currently detects this exposure but does not yet provide a Docker credential-helper adapter.

Local README excerpt

Docker Radioisotope Detector

This detector reports Docker registry credential configurations that expose credentials to agents or other local processes.

Detected hazards:

  • Inline auth, identitytoken, or identityToken entries in ~/.docker/config.json or $DOCKER_CONFIG/config.json
  • Legacy ~/.dockercfg registry credentials
  • credsStore or credHelpers entries that use ambient Docker credential helpers such as osxkeychain or desktop
  • Docker Desktop installs that do not configure an Automic Vault-backed default credential helper

This radioisotope is detect-only. It does not wrap Docker, because Docker Desktop owns the usual CLI symlink locations and can replace wrappers during install, update, or settings changes.

Source: data/radioisotopes/docker/README.md
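
The file-based checks in the list above can be sketched as follows. This is an added example, not Automic Vault's detector code: the function name, finding labels, and sample inputs are assumptions made for illustration, and the Docker Desktop install check is not covered.

```python
import json

# Assumption: "ambient" helpers are limited to the two suffixes the page names.
AMBIENT_HELPERS = ("osxkeychain", "desktop")
INLINE_KEYS = ("auth", "identitytoken", "identityToken")


def find_hazards(config_text, legacy=False):
    """Return sorted (kind, detail) findings; secret values are never included."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError:
        return [("unparseable", "")]
    if not isinstance(cfg, dict):
        return [("unparseable", "")]
    findings = []
    # Legacy ~/.dockercfg keeps registries at the top level; config.json uses "auths".
    auths = cfg if legacy else cfg.get("auths", {})
    if isinstance(auths, dict):
        for registry, entry in auths.items():
            if not isinstance(entry, dict):
                continue
            for key in INLINE_KEYS:
                if entry.get(key):  # empty {} entries are left by helpers, not a hazard
                    kind = "legacy-dockercfg" if legacy else "inline-credential"
                    findings.append((kind, f"{registry}:{key}"))
    if not legacy:
        if cfg.get("credsStore") in AMBIENT_HELPERS:
            findings.append(("ambient-credsStore", cfg["credsStore"]))
        helpers = cfg.get("credHelpers", {})
        if isinstance(helpers, dict):
            for registry, helper in helpers.items():
                if helper in AMBIENT_HELPERS:
                    findings.append(("ambient-credHelper", f"{registry}:{helper}"))
    return sorted(findings)


# Constructed sample inputs (not real credentials; "dXNlcjpwYXNz" is base64 of "user:pass").
SAMPLE_CONFIG = json.dumps({
    "auths": {"registry.example.com": {"auth": "dXNlcjpwYXNz"}, "ghcr.io": {}},
    "credsStore": "desktop",
    "credHelpers": {"gcr.io": "osxkeychain", "public.ecr.aws": "ecr-login"},
})
SAMPLE_DOCKERCFG = json.dumps({"https://index.docker.io/v1/": {"auth": "dXNlcjpwYXNz"}})

if __name__ == "__main__":
    for finding in find_hazards(SAMPLE_CONFIG) + find_hazards(SAMPLE_DOCKERCFG, legacy=True):
        print(finding)
```

Findings carry only the registry and key name, so the report itself does not become another copy of the credential.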

Caveats

  • This radioisotope is detect-only.
  • We do not wrap the Docker CLI because Docker Desktop can replace the usual CLI symlinks.
  • Docker Desktop installs without an Automic Vault-backed default credential helper are reported.
  • Future remediation should configure Docker credsStore or credHelpers to use av credential-helper.

approval gates

Human review metadata for risky commands

The local approval-gate seed includes 7 rules for docker. Covered entrypoints: docker. Severity labels: critical, high.

Example gated actions

  • Pack, ship and run any application as a lightweight container
  • Store registry credentials.
  • Push an image to a registry.
  • Run a container with elevated host privileges.
  • Mount host paths into a container.
  • Force-remove containers, images, volumes, networks, or system data.
  • Execute a command inside a running container.

install metadata

Resolver facts

Package key: brew:docker
Last updated: 2026-05-20T21:15:28Z
Pulse: updated

source trail

Generated from repository data

This page is regenerated by scripts/generate-pkg-pages.py. Deployments refuse to publish if www/pkg/ is stale relative to local package data.

Used sources

  • Nucleus package database
  • approval-gate seed metadata
  • local isotope README
  • radioisotope security manifest