Finsys Release Notes

What's new in v1.0.32

• ✨ container details tweaks: process count, label filter, copy all labels (#812)
• ✨ log improvements (#1130)
• 🐛 cleared Resources fields not persisted on container edit (#1119)
• 🐛 long container names overflowed in activity event details dialog (#1129)
• 🐛 git stack recreate and start operations ignored Dockhand-stored env vars (#1132)
• 🐛 dashboard stopped count reset to 0 after refresh for gracefully stopped containers (#1133)
• 🐛 auto-update preserves runtime -e env and -l label overrides (#1135)
• 🐛 git stack volume binds resolved to wrong host path when compose was in a subdirectory (#1139)
• 🐛 git stacks: subdir compose files now find their adjacent env files (#1136)
• ✨ env editor doesn't flag Docker/Compose built-in variables as unused (#141)
• ✨ container network mode: share another container's network namespace (#161)

Docker image

docker pull fnsys/dockhand:v1.0.32

Also available as fnsys/dockhand:latest

View on Docker Hub

What's new in v1.0.30

• ✨ time range filter for log viewer — filter logs by From/To date and time (#1068)
• ✨ configurable tail line count in log viewer — choose from 100 to all lines (#1066)
• ✨ toggleable line numbers in log viewer (#1067)
• ✨ "some unused" image filter — show images with both used and unused tags for selective cleanup (#621)
• ✨ IP binding and port ranges in container port mappings (#581)
• ✨ remove individual containers directly from stacks page (#576)
• 🐛 scan cache lookup by tag name never matched — results now resolved via image digest (#1064)
• 🐛 image-baked env vars not updated during auto-update container recreation (#1061)
• 🐛 git stack deploy via Hawser fails with "Invalid string length" when repo has large files (#1040)
• ✨ Gotify notification priority via URL query param — gotify://host/token?priority=5 (#1033)
• 🐛 consistent action button order across container and stack views (#1079)
• ✨ named custom URL labels — dockhand.url=Name markdown syntax (#1065)
• 🐛 HTTPS git credentials no longer leaked in process arguments (#1081)
• ✨ bump Docker Compose to 5.1.4 (GHSA-pmwq-pjrm-6p5r)
• ✨ dockhand.order label to control container display order within stacks (#847)
• ✨ live network attach/detach for running containers — join or leave Docker networks without restarting (#1051)
• 🐛 environment variable values with nested quotes progressively corrupted on each save (#1036, #1086)

Docker image

docker pull fnsys/dockhand:v1.0.30
Also available as fnsys/dockhand:latest
View on Docker Hub

What's new in v1.0.29

✨ optionally display internal (exposed) container ports alongside published ports (#193)
✨ show app version in sidebar with build info tooltip (#209)
✨ central label management — rename or delete labels across all environments (#661)
✨ find next available host port when creating or editing containers (#116)
✨ theme-aware scrollbar styling — scrollbars adapt to dark/light mode and color palettes (#462)
🐛 update buttons (single, selected, and all) now respect the "confirm dangerous actions" setting (#638, #751)
✨ custom URL labels - dockhand.url or dockhand.port.{port}.url to add links alongside container ports (#266)
✨ generate and copy token for Hawser Standard mode with run command hint (#337)
🐛 environment stack directory not cleaned up when environment is deleted (#1023)
✨ toggle to hide timestamps and container name prefix in log viewer (#124)
🐛 Podman containers health status not showing (#737)
🐛 containers with exit code 0 (init/migration) no longer cause stack "partial" status (#1026)
🐛 stats stream 400 on reconnect by skipping overlapping fetches (#1044)
🐛 env var validation false positive for values containing $ followed by text (#1048)
🐛 git-repos directory not cleaned up when environment is deleted (#1049)
🐛 webhook secret auto-generated when left empty despite hint saying otherwise (#1050)
✨ scan reports — combined or individual Grype/Trivy (#1056)

Docker image

docker pull fnsys/dockhand:v1.0.29
Also available as fnsys/dockhand:latest
View on Docker Hub

What's new in v1.0.28

• ✨ context directory for git stacks — reference files from anywhere in the repo (#864)
• ✨ no-cache build option for git stacks (#880)
• 🐛 env vars lost when switching between raw/form view (#964)
• 🐛 compose name property not respected during stack scan (#922)
• ✨ editable schedule for scanner cache cleanup (#979)
• 🐛 container labels cannot be deleted (#984)
• 🐛 env var values leaked in deploy logs — now all values are redacted (#985)
• 🐛 volume export keeps helper container alive, preventing volume prune/deletion (#983)
• 🐛 ntfy self-hosted notifications fail when using ?auth= query parameter (#840)
• 🐛 scrollbar appears in dashboard tiles when content overflows (#969)
• 🐛 case-sensitive environment sort order — lowercase names sorted after uppercase (#975)
• 🐛 inaccurate dashboard CPU gauge caused by one-shot stats flag (#932)
• ✨ ntfy notifications support ?tags=, ?title=, and ?priority= URL query parameters (#689)
• 🐛 stack .env file wiped when saving from graph view (#988)
• ✨ dismiss update available indicators without updating (#853)
• ✨ public IP setting available for hawser-edge environments — enables clickable port links (#350)
• 🐛 git stack creation silently destroys existing stacks with the same name (#1001)
• ✨ static IP/MAC address configuration for containers (#297)

Docker image

• docker pull fnsys/dockhand:v1.0.28
• Also available as fnsys/dockhand:latest
• View on Docker Hub

What's new in v1.0.27

• ✨ network graph visualization on networks page (#894, @Penlane)
• ✨ customizable compose template for new stacks in settings (#632, @oratory)
• ✨ Microsoft Teams notifications via Power Automate Workflows (#355, @slokhorst)
• ✨ container label controls: dockhand.update, dockhand.hidden, dockhand.notify (#6, #53, #94, #215)
• ✨ configurable label filter matching mode (any/all) for environment dashboard (#607)
• ✨ log search filter mode to hide non-matching lines (#916)
• ✨ inline terminal on logs page with resizable split layout (#900)
• 🐛 disable Telegram link preview in notifications (#910, @deenle)
• 🐛 cron editor rejects 6-field expressions with seconds (#839, @GiulioSavini)
• 🐛 mirror Dockhand's ExtraHosts into scanner and self-update containers (#836, @YewFence)
• 🐛 duplicate volume binds during container recreate (#765, @itsDNNS)
• 🐛 log timestamp formatting not applied on main logs page (#882)
• 🐛 uploaded files now inherit container user ownership (#732, @ivanjx)
• 🐛 extraneous backslash in Telegram notification environment name (#955)
• 🐛 collapse ports into ranges only if 3 or more consecutive ports
• 🐛 git operations auto-merge system CAs with custom cert (#967)

Docker image

docker pull fnsys/dockhand:v1.0.27

Also available as fnsys/dockhand:latest

View on Docker Hub

What's new in v1.0.26

• ✨ persist sort order across page navigation for all data grids (#861, #912)
• ✨ show git repository URL and branch in git stack edit modal (#856)
• ✨ show memory limit alongside usage in containers and stacks views (#893)
• ✨ option to delete associated volumes when removing a stack (#655)
• ✨ collapse consecutive port mappings into ranges in container list (#821)
• 🐛 bearer token authentication fails with enterprise license active
• 🐛 clicking stack name toggles stats accordion instead of just opening editor (#628)
• 🐛 scheduled image prune notifications missing environment name (#770)
• 🐛 Gotify, ntfy, Pushover, and webhook notifications missing environment name (#943)
• 🐛 MFA code field not recognized by Bitwarden and other password managers (#566)

Docker image

docker pull fnsys/dockhand:v1.0.26

Also available as fnsys/dockhand:latest

View on Docker Hub

What's new in v1.0.25

✨ API token authentication — Bearer tokens for CI/CD pipelines and scripts
✨ Telegram topic support — send notifications to supergroup topics (#855)
🐛 allow removing healthcheck, ports, and honor startAfterUpdate=false during container edit (#892)
🐛 validate stack names and prevent broken DB entries on invalid input (#876)
🐛 use per-environment timezone for schedule execution log timestamps (#882)
🐛 "Pull image before update" and "Start after update" settings ignored (#909)
🐛 image prune timeout on hawser-standard when pruning many images (#905)
🐛 bump Docker Compose to 5.1.3
🐛 mask secret environment variables in container inspect modal (#924)
🐛 viewer role can toggle, delete, and run schedules (#923)
🐛 settings show defaults instead of saved values after login until page refresh (#921)
🐛 settings toggle notifications show wrong state (#931)
🐛 stack memory tooltip shows inflated total on multi-container stacks (#936)

Docker image

docker pull fnsys/dockhand:v1.0.25

Also available as fnsys/dockhand:latest

View on Docker Hub

New

• Added a theme toggle with a System option that automatically follows the OS light/dark preference. (#803)
• Added a custom shell option for terminal sessions, persisted per container. (#830)
• Added a Redeploy button for internal stacks with pull, build, and force-recreate options. (#152)
• Added build, image re-pull, and force redeployment options for Git stacks. (#792, #472)

Fixes

• Fixed hostname validation to allow underscores. (#790)
• Fixed cloning and pulling from HTTPS Git repositories with self-signed CA certificates. (#842)
• Fixed stack restarts for containers using network_mode: service: by adding a recreate option. (#844)
• Fixed Git stack sync deleting data in relative volume paths. (#831)
• Fixed batch update skipping Hawser containers. (#485)
• Fixed registry deletion for multi-arch and OCI manifest images.
• Fixed scanner cache cleanup to prevent volume bloat. (#808)
• Fixed Docker API version negotiation for scanner and updater sidecar containers. (#759)
• Fixed vulnerability scan counts not matching the displayed list. (#705)

Docker image

docker pull fnsys/dockhand:v1.0.23

Also available as fnsys/dockhand:latest

View on Docker Hub

THIS IS IMPORTANT RELEASE

On March 19, 2026, attackers compromised the official Trivy vulnerability scanner.

They force-pushed 75 out of 76 version tags in the GitHub Action repository (aquasecurity/trivy-action) to inject a credential-stealing payload executed during GitHub Actions builds.

During this time, release v0.69.4 was also published. From public GitHub data: v0.69.4 tag was created, then deleted by a Trivy maintainer hours later. Exposure window: 2026-03-19 18:22 – ~21:42 CET.

The full technical analysis is available at https://www.abgeo.dev/blog/trivy-github-actions-compromised-full-payload-analysis/.

How does this affect Dockhand?

Dockhand does not use the compromised GitHub Action, but runs Trivy as a an Docker container (aquasec/trivy) with the following setup:

• The container receives the Docker socket (to access images for scanning) and it's own cache volume (for the vulnerability database)
• No host filesystem paths are mounted into the scanner container
• No Dockhand environment variables or credentials are passed to the scanner container
• The container runs a single scan command and exits

The attack targeted the GitHub Action repository. There is no confirmation whether the Docker Hub container images (aquasec/trivy) were also affected.

If you ran vulnerability scans using Dockhand before version 1.0.22 during or after March 19, and the scanner image was not cached locally, the scanner may have pulled aquasec/trivy:latest, which could have pointed to a compromised image.

Starting with Dockhand 1.0.22, scanner images are pinned to verified versions (aquasec/trivy:0.69.3) and are configurable in Settings > General.

Recommended action: Upgrade Dockhand to 1.0.22 immediately if you haven't already.

We will update you if new information emerges about the Docker Hub images.

references:

https://github.com/aquasecurity/trivy/discussions/10425

https://www.abgeo.dev/blog/trivy-github-actions-compromised-full-payload-analysis/

[UPDATE]

CrowdStrike has confirmed that the Docker container image aquasec/trivy:0.69.4 was also compromised — not just the GitHub Action.

https://www.crowdstrike.com/en-us/blog/from-scanner-to-stealer-inside-the-trivy-action-supply-chain-compromise/

What the payload does:

The compromised Trivy binary drops a script to ~/.config/sysmon.py which sleeps for 5 minutes, then contacts a command-and-control server every 50 minutes. It acts as a stage-1 loader for further payloads.

Why Dockhand is likely unaffected:

Dockhand runs the Trivy Docker container (isolated from a host) for a single scan and exits — typically under 30 seconds - 1 minute.

The malicious payload requires a 5-minute sleep before it activates. Since the container is destroyed when the scan completes, the payload never had time to execute.

Additionally:

• No host filesystem paths are mounted into the scanner container
• No Dockhand environment variables or credentials are passed to it
• CrowdStrike's analysis describes a C2 loader — no Docker socket exploitation was observed

What's new in v1.0.22

✨ dashboard list view with inline search and connection filters (#740)

✨ custom environment icon (#754)

✨ show +N indicator for containers with multiple IP addresses (#644)

✨ bundle all fonts locally for privacy and offline use (#734)

🐛 respect PROXY settings when checking for container updates

🐛 git stacks force-redeploy after a failed sync (#693)

🐛 What's New modal shown before login, exposing version info (#717)

🐛 git repository files not removed from disk on delete (#671)

🐛 recursive chown at startup breaks stack volumes with different ownership (#719)

🐛 missing notification event toggles for container healthy, image prune events (#659)

🐛 container disappears when edit fails (e.g. invalid memory/swap) (#736)

🐛 regression: network container count always shows 0 (#761)

🐛 Grype/Trivy scan containers don't inherit proxy env vars (#780)

🐛 pin vulnerability scanner images to specific versions not :latest

Docker image

docker pull fnsys/dockhand:v1.0.22

Also available as fnsys/dockhand:latest

View on Docker Hub

What's new in v1.0.21

• ✨ option to truncate port list (#702)
• ✨ log viewer supports ANSII 256 colors (#743)
• 🐛 IPv6 Problems (#714, #731)
• 🐛 polling storm & mass disconnect (#733, #741)
• 🐛 custom cron schedule displayed incorrectly (#727)
• 🐛 wrong cron schedule (#706)
• 🐛 file browser does not allow upload over 512 KB (#687)
• 🐛 can't set memory swappiness when using Podman (#691)
• 🐛 compose API negotiation fix (#692, #696)
• 🐛 not deployed git stacks continue to show the Down action (#694)
• 🐛 display time doesn't reflect time zone (#735)
• 🐛 prune dangling images counter not working (#718)
• 🐛 own PORT env not used in HEALTHCHECK (#745)

Docker image

docker pull fnsys/dockhand:v1.0.21

Also available as fnsys/dockhand:latest

View on Docker Hub

What's new in v1.0.19

• ✨ Inline logs panel on stacks page — view container logs without leaving the page
• ✨ Make ports column sortable in containers grid
• ✨ Structured auth logging with client IP (login/logout/MFA/OIDC events)
• 🐛 Fix memory leak: TLS context accumulation for HTTPS environments (Bun)
• 🐛 Fix security scanning on Docker with custom logging drivers (Loki, Fluentd, etc.)
• 🐛 Fix grouped log viewer not auto-scrolling on new entries
• 🐛 Fix container recreation error messages not surfacing actual Docker errors
• 🐛 Fix LDAP group-to-role mapping
• 🐛 Fix container file browser hiding old files
• 🐛 Fix SSH key permission issues on NAS filesystems
• 🐛 Fix binary file corruption when syncing stacks to Hawser agents
• 🐛 Fix UI timeout issues for long running operations

Docker image

docker pull fnsys/dockhand:v1.0.19

Also available as fnsys/dockhand:latest

View on Docker Hub