dokploy-docs

Fail

Audited by Socket on Mar 1, 2026

2 alerts found:

Malware (Security), severity HIGH
File: SKILL.md

The documentation describes a legitimate self-hosted deployment platform and the requested capabilities align with the stated purpose. The primary security concern is the use of an unpinned, pipe-to-shell installation command (curl | sh) which executes remote code on the user's machine. That pattern is a significant supply-chain risk because it allows arbitrary code execution from the remote host if the installer or domain is compromised. There is no clear evidence in the provided text of active malicious behavior (no hardcoded secrets, exfiltration endpoints, or obfuscated payloads), but the installation approach elevates the risk for users. Recommended mitigations: inspect the install.sh script before running, prefer installation via package manager or pinned release artifacts with checksums/signatures, and run the installer in a controlled environment (VM) if possible.

Confidence: 95%, Severity: 90%

Security, severity MEDIUM
File: docs/009-docs-core-manual-installation.md

The script is a functional installer for Dokploy but contains multiple high-risk patterns for supply-chain and host compromise. The most dangerous elements are:

1) piping remote scripts (get.docker.com, dokploy.com) directly to sh (root execution of remote code),
2) mounting /var/run/docker.sock into the dokploy container (granting that container effective host control and the ability to exfiltrate secrets or create privileged containers), and
3) pulling and running unpinned images (dokploy/dokploy:latest) without verification.

Other concerns include overly permissive filesystem permissions (chmod 777 /etc/dokploy) and reliance on third-party IP-discovery endpoints. While there is no clear evidence the script itself contains intentionally malicious payloads, these patterns create easy vectors for supply-chain attacks and host compromise if upstream images or remote installers are tampered with. Recommendation: do not pipe remote scripts directly to sh; verify signatures/digests and pin image digests; avoid mounting docker.sock into application containers where possible; reduce file permission scope; and run installers with audit and review in controlled environments.

Confidence: 90%, Severity: 70%

Audit Metadata
Analyzed At: Mar 1, 2026, 06:26 AM
Package URL: pkg:socket/skills-sh/quantmind-br%2Fskills%2Fdokploy-docs%2F@f7f58471f2206018368a405ca699ac0ccb20f746