mivittek/docker-pihole-unbound

Item: mivittek/docker-pihole-unbound
Rating: 17
Author: CodeClanker

17/100

// permanent record of scan from 2026-05-10 · stack: Docker · docker-compose · Pi-Hole · Unbound · s6-overlay · lighttpd · dnsmasq

// permalink — this URL always shows scan GWZFmvdB from 2026-05-10, even if a newer public scan exists for this repo.

Nine dimensions

DevOps

No .github/workflows directory; no healthchecks in docker-compose; only basic docker-compose up/down documented.

Security

No rate limiting visible in unbound-pihole.conf or docker-compose; Pi-Hole DNS port 53 exposed without protection.

Cost & infra

No license declared limits commercial use; no cost modeling for storage, egress, or monitoring infrastructure.

QA & testing

Zero test files found; no CI workflow in .github/workflows; cannot verify DNS resolution or container startup correctness.

Performance

No caching layer, no load tests, no profiling evidence, no DNS query performance tuning visible in configs.

Architecture

Named volumes used (two-container/docker-compose.yaml line ~10) but no backup/restore scripts or migration docs.

Code quality

Shell script logic in install_unbound_and_s6_init.sh lacks linting (shellcheck) or validation; no hadolint on Dockerfile.

Observability

No error tracking (Sentry/etc), no structured logging, no Prometheus/Metrics endpoints visible in any config.

Maintainability

README only contains basic usage; no changelog, version upgrade docs, or migration guidance; LICENSE file is unknown.

Top findings (AI)

critical

Zero CI pipeline — untested container builds ship directly to users

No .github/workflows exists; no Dockerfile in two-container/ path. Container configurations never validated in isolation. Any regression in Pi-Hole/Unbound versions silently breaks deployments.

critical

No observability stack — silent failures in DNS resolution

No Prometheus metrics, no structured logs, no error tracking. DNS query failures will only surface when users report connectivity issues, with no diagnostic trail.

high

No test coverage — DNS forwarding and upstream resolver cannot be verified

Zero test files found in repo. The core value proposition (DNSSEC validation via Unbound, ad-blocking via Pi-Hole) has no automated correctness checks.

high

Unknown license — legal exposure for commercial deployment

License field is 'unknown'. Both Pi-Hole (GPLv3) and Unbound (BSD) are copyleft/ permissive, but the repo's own license status is unresolved, blocking VC due diligence.

medium

No backup or migration strategy for Pi-Hole gravity.db

two-container/docker-compose.yaml uses named volume for pihole_vol; install_unbound_and_s6_init.sh modifies apt state. No backup cron, no volume snapshot docs, no migration scripts for gravity.db growth.

medium

Shell script logic runs at container build time without validation

install_unbound_and_s6_init.sh performs apt-get install, file writes, s6 service setup with no shellcheck linting, no error trapping robustness visible, no unit tests.

Scan your own repo

Free 60-second scan. No signup.

Run a free scan →