Catch config mistakes before they ship.
Paste a Dockerfile, a docker-compose.yml, or a .env file. Get a security and best-practice review with concrete fixes and a hardened rewrite you can copy straight back into your repo.
No USER directive. Container runs as root.
FROM node:latest is unpinned and non-reproducible.
apt cache not cleaned, image larger than needed.
Available Tools
Pick the analyzer for the file you are shipping.
SlimDocker
Scan a Dockerfile for security, size and best-practice issues, then get a hardened rewrite.
AnalyzeComposeCheck
Audit a docker-compose.yml for security, reliability, and best-practice gaps.
AnalyzeEnvGuard
Scan a .env file for exposed secrets and unsafe config, then get a masked, safe version.
AnalyzeDeterministic plus AI
Regex and parser checks run first, then the AI explains the why and writes the fix. Fewer false positives.
Nothing is stored
Your files are analyzed in the request and discarded. We never persist your configs or secrets.
Copy-ready output
Every finding ships with a concrete fix, plus a full hardened rewrite of the file you pasted.
Questions or feedback?
Reach out anytime — we usually reply within one business day. Happy to help with billing, a tool result, or a feature request.
contact@devopsfriend.comFrequently asked questions
Everything engineers usually ask before pasting their first config into DevopsFriend.
What kinds of files can DevopsFriend analyze?
DevopsFriend reviews Dockerfiles, docker-compose.yml files, and .env files. It flags insecure defaults, missing USER directives, pinned-versus-latest image tags, exposed secrets, overly broad port mappings, and other production risks. Each finding comes with a severity, a plain-English explanation of why it matters, and a concrete fix.
How does it differ from a plain linter or ChatGPT?
Deterministic regex and parser checks run first, so the obvious issues are caught reliably with no hallucination. The AI layer then explains the reasoning behind each finding and writes a hardened rewrite of your file. You get the precision of a linter with the context of an experienced reviewer, and far fewer false positives.
Are my configuration files or secrets stored?
No. Your files are analyzed during the request and then discarded. We never persist your configs, environment variables, or secrets, and nothing is used to train any model. You can safely review production files.
Do I need an account to try it?
No. Your first analysis is free with no signup required. Paste a file, get a full report with a copy-ready hardened rewrite, and only create an account if you want to run more analyses or keep a history.
How is pricing structured?
DevopsFriend uses simple pay-as-you-go credits rather than a recurring subscription. You buy a pack of analysis credits and they do not expire monthly, so you only pay for what you actually use. See the pricing page for current credit packs.