README
¶
Dockyard
A centralized repository for packaging Model Context Protocol (MCP) servers into secure, verified containers.
Dockyard automatically builds, scans, and publishes container images for MCP servers. Every container is security-scanned, signed with Sigstore, and includes full build provenance.
Quick Start
# Pull a container
docker pull ghcr.io/stacklok/dockyard/npx/context7:2.1.0
# Verify its signature
cosign verify \
--certificate-identity-regexp "https://github.com/stacklok/dockyard/.github/workflows/build-containers.yml@refs/heads/.*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
ghcr.io/stacklok/dockyard/npx/context7:2.1.0
# Run it
docker run -it ghcr.io/stacklok/dockyard/npx/context7:2.1.0
Documentation
| I want to... | Go here |
|---|---|
| Use Dockyard containers | Getting Started |
| Add my MCP server | Adding MCP Servers |
| Understand the security model | Security Overview |
| Verify attestations | Container Attestations |
| Check package provenance | Package Provenance |
Supported Protocols
| Protocol | Registry | Example |
|---|---|---|
npx:// |
npm | ghcr.io/stacklok/dockyard/npx/context7:2.1.0 |
uvx:// |
PyPI | ghcr.io/stacklok/dockyard/uvx/aws-documentation-mcp-server:1.1.16 |
go:// |
Go modules | ghcr.io/stacklok/dockyard/go/netbird:0.1.0 |
Browse available servers: npx/ | uvx/ | go/
Add Your MCP Server
Create a spec.yaml in the appropriate directory and submit a PR:
metadata:
name: your-server
description: "What your server does"
protocol: npx # or uvx, go
spec:
package: "your-package-name"
version: "1.0.0"
Our CI/CD pipeline will automatically:
- Scan for security vulnerabilities (blocking)
- Verify package provenance (informational)
- Build multi-arch containers
- Sign and attest with Sigstore
- Publish to
ghcr.io/stacklok/dockyard
See Adding MCP Servers for the full guide.
Security
Every container includes:
- MCP Security Scan - Scanned with mcp-scanner before build
- Container Scan - Trivy vulnerability scanning
- Signed Images - Sigstore/Cosign keyless signatures
- Attestations - SBOM, build provenance, and security scan results
See Security Overview for details.
Contributing
We welcome contributions! See CONTRIBUTING.md for guidelines.
To add an MCP server, see Adding MCP Servers.
License
Apache 2.0 - see LICENSE for details.
Links
- ToolHive - Container building technology
- MCP Documentation - Model Context Protocol
- Sigstore - Container signing
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
dockhand
command
Package main implements the Dockyard CLI tool for containerizing MCP servers.
|
Package main implements the Dockyard CLI tool for containerizing MCP servers. |
|
internal
|
|
|
provenance/domain
Package domain defines the core provenance domain models and interfaces
|
Package domain defines the core provenance domain models and interfaces |
|
provenance/npm
Package npm implements npm/npx provenance verification using sigstore-go
|
Package npm implements npm/npx provenance verification using sigstore-go |
|
provenance/pypi
Package pypi implements PyPI/uvx provenance verification using sigstore-go
|
Package pypi implements PyPI/uvx provenance verification using sigstore-go |
|
provenance/service
Package service implements the provenance service layer
|
Package service implements the provenance service layer |
|
provenance/sigstore
Package sigstore provides common Sigstore verification functionality
|
Package sigstore provides common Sigstore verification functionality |
Click to show internal directories.
Click to hide internal directories.