Local security scanner for self-hosters

Find security problems on your Docker host, then fix them.

hostveil combines Docker Compose audits, Trivy image CVEs, and Lynis host hardening into one scored snapshot. It runs locally, needs no cloud account, and ships fixes with rollback.

curl -fsSL https://raw.githubusercontent.com/seolcu/hostveil/main/scripts/install.sh | bash
hostveil
Security score 68/100. Fixes raise the score immediately.

  Critical  Docker socket mounted      compose.ds016
  High      SSH password auth enabled  lynis.AUTH-9286
  Medium    Image CVE with patch       trivy.cve-2024-0001

  1 binary          No SaaS, no database, no frontend build
  3 scanners        Compose, Trivy, and Lynis in one snapshot
  0 cloud accounts  Everything runs on the host you control
  Rollback ready    Fix checkpoints keep changes reversible

Why hostveil

Built for operators who want action, not another report.

Successful security tools make the next step obvious. hostveil turns scan output into a prioritized queue with concrete fixes, warnings, and recovery points.

One scored list

Stop cross-referencing scanner output.

Trivy, Lynis, and Compose findings land in one table with severity, source, service, remediation kind, and a capped 0-100 score.

Auto-fix with guardrails

Apply the safe fix from TUI or browser.

Every automated fix shows the action first. File edits save checkpoints, and risky choices are marked for review instead of hidden behind a magic button.

Self-hosted by design

No agents, no cloud upload, no account.

The scanner reads local Compose files, image metadata, and host configuration. Results stay on the machine unless you export them.

AI-ready

Export a remediation brief, not raw secrets.

The AI brief is a local Markdown prompt with prioritized findings, prompt-injection guidance, and redacted evidence for ChatGPT, Claude, or a local LLM.

Coverage

Three independent views of the same host.

Most self-hosting incidents are boring: a privileged container, a public admin panel, an unpatched image, SSH left too open. hostveil checks those paths together.

Compose audit

Privileged mode, host networking, Docker socket mounts, exposed datastores/admin panels, missing no-new-privileges, unsafe bind mounts, missing healthchecks, and hardcoded secrets.
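The Compose checks listed above, the capped score and the redacted evidence are easy to see in code. The following is an added example and not hostveil's own code: it audits a Compose file that has already been parsed into a dict (in practice via yaml.safe_load), handles only short-syntax ports and volumes, and uses illustrative check ids, a constructed sensitive-port list and constructed severity weights. The sample Compose data is likewise constructed for the demo.

```python
"""Added example, not hostveil's own code: a miniature Compose audit of the kind
the page describes. It takes a Compose file already parsed into a dict (in
practice via yaml.safe_load), returns findings tagged with severity, source and
service, redacts secret values in the evidence, and folds the findings into a
capped 0-100 score. Only short-syntax ports and volumes are handled; the check
ids, port list and weights are illustrative."""
import re

WEIGHTS = {"critical": 15, "high": 8, "medium": 4, "low": 2}  # points off 100
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Constructed list: host ports that usually mean a datastore or admin panel.
SENSITIVE_PORTS = {5432: "PostgreSQL", 3306: "MySQL", 6379: "Redis", 9000: "Portainer"}
SENSITIVE_PATHS = {"/", "/etc", "/root"}
SECRET_KEY_RE = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY", re.IGNORECASE)


def _env_items(env):
    """Compose accepts environment as a mapping or a list of KEY=VALUE strings."""
    if isinstance(env, dict):
        return [(k, "" if v is None else str(v)) for k, v in env.items()]
    return [tuple(str(e).partition("=")[::2]) for e in env or []]


def _host_ports(ports):
    """Yield (bind_address, host_port) from short-syntax entries like '5432:5432'."""
    for entry in ports or []:
        parts = str(entry).split(":")
        if len(parts) < 2:
            continue  # container port only: Docker picks a random host port
        addr = parts[0] if len(parts) == 3 else "0.0.0.0"  # no address = all interfaces
        published = parts[-2].split("/")[0]
        if published.isdigit():
            yield addr, int(published)


def _bind_mounts(volumes):
    """Yield (host_path, read_only) for short-syntax bind mounts like '/etc:/x:ro'."""
    for vol in volumes or []:
        parts = str(vol).split(":")
        if parts[0].startswith("/"):
            yield parts[0], len(parts) == 3 and "ro" in parts[2].split(",")


def audit_compose(compose):
    """Return one finding per failed check, for every service in the Compose dict."""
    found = []
    for name, svc in (compose.get("services") or {}).items():
        def add(severity, check, message, evidence="", name=name):
            found.append({"service": name, "severity": severity, "source": f"compose.{check}",
                          "message": message, "evidence": evidence})
        if svc.get("privileged"):
            add("critical", "privileged", "privileged mode exposes all host devices and capabilities")
        if svc.get("network_mode") == "host":
            add("high", "host-network", "host networking bypasses Docker network isolation")
        for src, ro in _bind_mounts(svc.get("volumes")):
            if src == "/var/run/docker.sock":
                add("critical", "docker-socket", "container can control the host Docker daemon", src)
            elif src in SENSITIVE_PATHS and not ro:
                add("high", "bind-mount", "writable bind mount of a sensitive host path", src)
        for addr, port in _host_ports(svc.get("ports")):
            if addr in ("0.0.0.0", "::") and port in SENSITIVE_PORTS:
                add("high", "exposed-port", f"{SENSITIVE_PORTS[port]} published on all interfaces", f"{addr}:{port}")
        if "no-new-privileges:true" not in map(str, svc.get("security_opt") or []):
            add("medium", "no-new-privileges", "security_opt lacks no-new-privileges:true")
        if not svc.get("healthcheck"):
            add("low", "healthcheck", "no healthcheck defined")
        for key, value in _env_items(svc.get("environment")):
            # ${VAR} is substituted from the environment, so it is not a literal secret.
            if SECRET_KEY_RE.search(key) and value and not value.startswith("${"):
                # Evidence names the variable but never carries its value, so
                # exports and AI briefs stay free of raw secrets.
                add("high", "hardcoded-secret", f"{key} is a literal in the Compose file", f"{key}=<redacted>")
    return found


def prioritize(findings):
    """Critical first; ties broken by service name so the queue is stable."""
    return sorted(findings, key=lambda f: (RANK[f["severity"]], f["service"]))


def score(findings):
    """Capped 0-100 score; 100 means a clean scan."""
    return max(0, 100 - sum(WEIGHTS[f["severity"]] for f in findings))


# Constructed sample: three services with typical self-hosting mistakes.
SAMPLE_COMPOSE = {"services": {
    "portainer": {"image": "portainer/portainer-ce", "ports": ["9000:9000"],
                  "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
                  "security_opt": ["no-new-privileges:true"], "healthcheck": {"test": ["CMD", "true"]}},
    "db": {"image": "postgres:16", "ports": ["127.0.0.1:5432:5432"],
           "environment": {"POSTGRES_PASSWORD": "hunter2"}},
    "app": {"image": "example/app:1.0", "privileged": True, "network_mode": "host",
            "volumes": ["/etc:/host-etc:ro", "/root:/host-root"],
            "environment": ["APP_SECRET=${APP_SECRET}"],
            "security_opt": ["no-new-privileges:true"], "healthcheck": {"test": ["CMD", "true"]}},
}}
```

Running `prioritize(audit_compose(SAMPLE_COMPOSE))` yields eight findings and a score of 32/100. Note what is deliberately not flagged: the database port bound to 127.0.0.1, the read-only /etc mount, and the secret that comes from `${APP_SECRET}` rather than a literal. The hardcoded-secret evidence reads `POSTGRES_PASSWORD=<redacted>`, which is the shape a brief exported for an LLM should have.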

Image CVEs

Trivy scans the container images your Compose services actually run and maps patched versions into fix guidance.

Host hardening

Lynis checks SSH, firewall, kernel settings, file permissions, audit/logging, and other Linux host controls.

Product

Terminal-first, browser-friendly.

Run the TUI by default, or serve the same scan state over localhost when a browser is better for review.

[Screenshot: hostveil terminal UI showing score cards and findings table]
TUI: keyboard-driven findings, detail panel, dry-run fixes, export, and rollback workflow.

[Screenshot: hostveil Web UI showing dashboard filters and detail panel]
Web UI: localhost dashboard with filters, batch fixes, JSON/CSV/AI brief export, and live scan status.

Workflow

Scan, decide, apply, recover.

  1. Scan locally

     Run hostveil on a Linux Docker Compose host. If Trivy or Lynis is not installed, that scanner is skipped gracefully.

  2. Prioritize

     Sort by severity, source, service, remediation kind, or score impact. Clean scans show Clean instead of pretending at certainty.

  3. Apply fixes

     Use Auto for clear fixes, Review for alternatives, and Manual when the tool should guide instead of mutate.

  4. Rollback if needed

     Fix checkpoints keep edited files recoverable through hostveil rollback.
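What a fix checkpoint has to do to make step 4 trustworthy is small but easy to get wrong. The following is an added example and not hostveil's own code: it snapshots a file with its SHA-256 before a fix rewrites it, writes the new content atomically, and on rollback refuses to restore a checkpoint whose copy no longer matches its recorded hash. The temp-directory paths, the sample sshd_config and the disable-password-auth fix are constructed for the demo.

```python
"""Added example, not hostveil's own code, of the fix-checkpoint pattern the
page describes: before a fix rewrites a file, the original is copied into a
checkpoint store with its SHA-256 recorded, so the change can be reverted and
the restored file verified. Paths, the sample sshd_config and the fix are
constructed for the demo."""
import hashlib
import json
import os
import shutil
import tempfile
import uuid


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def create_checkpoint(target, store):
    """Copy target into store and record where it came from; returns the checkpoint id."""
    os.makedirs(store, exist_ok=True)
    cp_id = f"{uuid.uuid4().hex[:12]}-{os.path.basename(target)}"
    copy_path = os.path.join(store, cp_id + ".orig")
    shutil.copy2(target, copy_path)  # copy2 keeps mode and mtime
    meta = {"id": cp_id, "target": os.path.abspath(target), "copy": copy_path,
            "sha256": _sha256(target)}
    with open(os.path.join(store, cp_id + ".json"), "w") as fh:
        json.dump(meta, fh)
    return cp_id


def apply_fix(target, store, transform):
    """Checkpoint target, then rewrite it as transform(old_text) -> new_text."""
    cp_id = create_checkpoint(target, store)
    with open(target) as fh:
        new_text = transform(fh.read())
    # Write a sibling temp file and rename over the original: a crash mid-write
    # can never leave a half-edited config behind.
    tmp = target + ".hostveil-tmp"
    with open(tmp, "w") as fh:
        fh.write(new_text)
    shutil.copymode(target, tmp)
    os.replace(tmp, target)
    return cp_id


def rollback(cp_id, store):
    """Restore the checkpointed original; returns True if the restored hash matches."""
    with open(os.path.join(store, cp_id + ".json")) as fh:
        meta = json.load(fh)
    if _sha256(meta["copy"]) != meta["sha256"]:
        raise RuntimeError("checkpoint copy does not match its recorded hash; refusing to restore")
    shutil.copy2(meta["copy"], meta["target"])
    return _sha256(meta["target"]) == meta["sha256"]


def disable_password_auth(text):
    """Sample fix for the page's 'SSH password auth enabled' finding."""
    lines, seen = [], False
    for line in text.splitlines():
        if line.strip().startswith("PasswordAuthentication"):
            lines.append("PasswordAuthentication no")
            seen = True
        else:
            lines.append(line)
    if not seen:
        lines.append("PasswordAuthentication no")
    return "\n".join(lines) + "\n"


def demo():
    """Run fix then rollback on a constructed sshd_config copy in a temp dir."""
    workdir = tempfile.mkdtemp(prefix="hostveil-demo-")
    target = os.path.join(workdir, "sshd_config")
    store = os.path.join(workdir, "checkpoints")
    original = "Port 22\nPasswordAuthentication yes\nPermitRootLogin no\n"
    with open(target, "w") as fh:
        fh.write(original)
    try:
        cp_id = apply_fix(target, store, disable_password_auth)
        with open(target) as fh:
            fixed = fh.read()
        verified = rollback(cp_id, store)
        with open(target) as fh:
            restored = fh.read()
    finally:
        shutil.rmtree(workdir)
    return {"fixed": fixed, "restored_ok": verified and restored == original}


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. The rename-over-original write means the config is always either the old file or the new one, never a truncated one; and the hash check on the checkpoint copy turns a silently damaged backup into a loud failure instead of a "rollback" that restores garbage.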

Install

One command, then scan.

The installer downloads the release binary, verifies checksums, installs hostveil, and sets up Trivy and Lynis when possible.

# Install or update hostveil
curl -fsSL https://raw.githubusercontent.com/seolcu/hostveil/main/scripts/install.sh | bash

# Terminal UI
hostveil

# Web UI on localhost
hostveil serve

FAQ

Designed for real self-hosting constraints.

Does it upload scan data?

No. hostveil runs locally. Exports are files you explicitly download or save.

Why not just run Trivy and Lynis?

You can. hostveil adds Compose checks, one scored snapshot, UI workflows, registered fixes, and rollback.

What if a fix has tradeoffs?

It is a Review fix, not Auto. hostveil shows independent alternatives and makes you choose.

Can I use it in a browser?

Yes. hostveil serve starts the Web UI on 127.0.0.1:8787 by default.