docker · Docker

Docker CLI for AI Agents

Build, inspect, and run containers while separating local reads from destructive cleanup.

Official toolOperational risk: R1R3verified
Agent readiness
86/100
Evidence confidence
verified
Documentation checked
2026-07-10
Independently tested version
29.2.0

Install for an Agent

Choose an official installation path that matches the runtime. Pin a version for team or CI use, then record the version before the first task.

Docker Desktop with HomebrewRecommended
macos
$ shell
brew install --cask docker
Docker Desktop with winget
windows
$ shell
winget install Docker.DockerDesktop
Authentication and Minimum Permissions
Grant only the permissions the task needs. Pass credentials through environment variables or a platform secret store, never through prompts, repositories, or logs.
No authentication requiredHeadless authentication supported

No service credential is required; restrict filesystem and network access to the task.

Methods
none
Secret environment variables
None
Credential storage
No service credential is stored for this CLI.
Agent and Environment Compatibility
Confirm shell access first, then check the platform, network boundary, and credential path.
claude-codecodexgemini-clicopilot-cli
Environments
local, ci, headless, remote
Platforms
macos, linux, windows

Structured Output for Reliable Automation

Prefer a machine-readable format. Treat stdout as the result channel and stderr as diagnostics so the agent can parse failures separately.

json · text
Use --format json or --format "{{json .}}" where supported and keep diagnostic logs on stderr.
--format json--format "{{json .}}"

No independently captured output sample

Structured-output support currently comes from official documentation. CLI Finder does not show a guessed example or invented schema before a bounded, non-destructive execution captures stdout.

R0–R3 Command Risk Guide

Risk is assigned per command. R0 is local or remote read-only, R1 is reversible local write, R2 changes remote state, and R3 can be irreversible or production-impacting.

Read-only does not mean public

R0 only means the command does not change local or remote state. A read-only command may still return secrets, identity data, configuration, or production data. Expose only the minimum needed for the task, and never place it in logs, prompts, or commits.

R0Inspect a container
Reads container configuration and state as JSON.
$ shell
docker inspect CONTAINER
IdempotentSensitive output
R1Build an image
Writes local image layers and can execute Dockerfile build steps.
$ shell
docker build --tag app:local .
Confirmation requiredMay repeat a change
R3Prune Docker state
Deletes unused images, containers, networks, and optionally volumes.
$ shell
docker system prune --all --volumes
Confirmation requiredMay repeat a change

How the Agent Readiness Score Is Built

Readiness describes how reliably an agent can operate the tool. It does not make every command safe and it does not replace an independent execution test.

Documentation indicates an agent-readiness score of 86/100. A bounded local smoke test is recorded for 29.2.0; review its limitations before relying on untested commands.

Structured output
Use --format json or --format "{{json .}}" where supported and keep diagnostic logs on stderr.
18/20
x
Headless operation
Official documentation describes a non-interactive authentication or execution path.
14/15
x
Safety controls
CLI Finder separates read commands from commands that require confirmation.
11/15
x
Determinism
Commands use explicit arguments and documented output controls where available.
8/10
x
Authentication
No service credential is required; restrict filesystem and network access to the task.
10/10
x
Documentation
This entry cites official documentation checked on 2026-07-10.
9/10
x
Installation
Official installation paths cover macOS, Linux, and Windows.
8/8
x
Maintenance
An official source repository is linked for release and maintenance review.
6/7
x
Agent artifacts
CLI Finder can generate registry-derived skills and policies; the tool itself was not credited with shipping them.
2/5
x

Generate a Skill or Agent Policy

Choose an agent and safety mode to generate a copyable artifact with installation, allowed commands, approval boundaries, and the evidence limitation.

Generated artifact preview
SKILL.md
---
name: docker-cli-agent-workflow
description: Use Docker CLI for container builds, image inspection, local services with explicit command risk and evidence boundaries.
---

# Docker CLI agent workflow

Use this skill when the task needs container builds, image inspection, local services, container logs.

## Evidence boundary

- Registry confidence: `verified`
- Documentation checked: `2026-07-10`
- Locally tested version: `29.2.0`
- Treat only the recorded executed checks as independently verified; every unlisted command remains documentation-only.

## Executed smoke checks

- `docker --version` — passed; exit 0. The recorded smoke check completed successfully.
- `docker ps --format "table {{.Names}}\t{{.Image}}\t{{.Status}}"` — passed; exit 0. The designated build host daemon responded and returned the active-container table without mutation.

## Installation

- Docker Desktop with Homebrew (macos): `brew install --cask docker`
- Docker Desktop with winget (windows): `winget install Docker.DockerDesktop`

## Authentication

- Methods: none
- Secret environment variables: none
- Minimum permissions: No service credential is required; restrict filesystem and network access to the task.
- Credential storage: No service credential is stored for this CLI.
- Never print, persist, or commit credential values.

## Allowed commands (read-only)

- `docker inspect CONTAINER` — R0: Reads container configuration and state as JSON.

## Commands requiring explicit approval (read-only)

- None recorded.

## Forbidden commands (read-only)

- R1 `docker build --tag app:local .` — Writes local image layers and can execute Dockerfile build steps.
- R3 `docker system prune --all --volumes` — Deletes unused images, containers, networks, and optionally volumes.

## Execution rules

1. Mode boundary: R0 exact commands may be used; R1, R2, and R3 commands are forbidden.
2. Confirm the selected account, project, context, database, namespace, or environment before any command.
3. Prefer structured output using `--format json`, `--format "{{json .}}"`.
4. Capture the exact command, exit code, stdout, and stderr separately.
5. A generated prefix policy must prompt unless that exact prefix is explicitly marked suffix-safe; do not infer safety from the executable name.
6. Never broaden credentials or disable safety controls to make a command succeed.

## Official sources

- [Docker CLI reference](https://docs.docker.com/reference/cli/docker/)
- [Docker CLI reference source repository](https://github.com/docker/cli)

CLI vs MCP vs API for This Task

CLI
Use the CLI on a developer machine, in CI, or in a container when the task should reuse existing shell state, credentials, and scripts and remain directly observable.
MCP
Consider MCP when the agent benefits from controlled tool definitions, delegated identity, or centrally governed server-side access.
API
Use the direct API for persistent application integrations, high-volume requests, or event-driven work where starting a process adds unnecessary overhead.
Read the full CLI vs MCP guide

Verification History and Official Evidence

CLI Finder records documentation review separately from real execution. Installation, help, exit codes, and output cannot be called Verified until they were run.

Current evidence boundary
The Docker CLI version, daemon connection, and a read-only container listing were checked on the designated LAN build host. No image pull, build, run, push, stop, removal, volume access, or cleanup command was executed.
Evidence confidence
verified
Independently tested version
29.2.0 · 2026-07-10
Test environment
Debian Linux (x86_64), old-agi host, non-interactive SSH shell

Executed checks

  • PassedExit code: 0
    docker --version

    The recorded smoke check completed successfully.

    stdout excerpt

    Docker version 29.2.0, build 0b9d198
  • PassedExit code: 0
    docker ps --format "table {{.Names}}\t{{.Image}}\t{{.Status}}"

    The designated build host daemon responded and returned the active-container table without mutation.

Official sources
Open the official material to confirm the current version and command behavior.

Alternatives and Related Paths

Build, inspect, and manage containers or clusters with read-first commands.
Pin the context and namespace, use get, describe, logs, and auth checks, and reject mutating subcommands.
Pair Codex with deterministic local tools and add remote CLIs only when the sandbox and approval policy allow the task.
Choose CLI for shell-native local and CI work; choose MCP when typed discovery and mediated remote permissions matter more.

Questions About Docker CLI for AI Agents