mivittek/docker-pihole-unbound

17/100
// latest public scan, scanned 2026-05-10 · stack: Docker · docker-compose · Pi-Hole · Unbound · s6-overlay · lighttpd · dnsmasq
// this URL always shows the latest public scan for this repo. permanent permalink to this specific scan: www.codeclanker.com/scan/id/GWZFmvdB

Nine dimensions

DevOps
15
No .github/workflows directory; no healthchecks in docker-compose; only basic docker-compose up/down documented.
Security
28
No rate limiting visible in unbound-pihole.conf or docker-compose; Pi-Hole DNS port 53 exposed without protection.
Cost & infra
20
No license is declared, which limits commercial use; no cost modeling for storage, egress, or monitoring infrastructure.
QA & testing
8
Zero test files found; no CI workflow in .github/workflows; cannot verify DNS resolution or container startup correctness.
Performance
20
No caching layer, no load tests, no profiling evidence, no DNS query performance tuning visible in configs.
Architecture
22
Named volumes used (two-container/docker-compose.yaml line ~10) but no backup/restore scripts or migration docs.
Code quality
22
Shell script logic in install_unbound_and_s6_init.sh lacks linting (shellcheck) or validation; no hadolint on Dockerfile.
Observability
18
No error tracking (Sentry, etc.), no structured logging, no Prometheus/metrics endpoints visible in any config.
Maintainability
20
README only contains basic usage; no changelog, version upgrade docs, or migration guidance; LICENSE file is unknown.

Top findings (AI)

critical

Zero CI pipeline — untested container builds ship directly to users

No .github/workflows exists; no Dockerfile in two-container/ path. Container configurations never validated in isolation. Any regression in Pi-Hole/Unbound versions silently breaks deployments.

critical

No observability stack — silent failures in DNS resolution

No Prometheus metrics, no structured logs, no error tracking. DNS query failures will only surface when users report connectivity issues, with no diagnostic trail.

high

No test coverage — DNS forwarding and upstream resolver cannot be verified

Zero test files found in repo. The core value proposition (DNSSEC validation via Unbound, ad-blocking via Pi-Hole) has no automated correctness checks.

high

Unknown license — legal exposure for commercial deployment

License field is 'unknown'. Pi-Hole (GPLv3) and Unbound (BSD) are copyleft and permissive respectively, but the repo's own license status is unresolved, blocking VC due diligence.

medium

No backup or migration strategy for Pi-Hole gravity.db

two-container/docker-compose.yaml uses a named volume for pihole_vol; install_unbound_and_s6_init.sh modifies apt state. No backup cron, no volume snapshot docs, no migration scripts for gravity.db growth.

medium

Shell script logic runs at container build time without validation

install_unbound_and_s6_init.sh performs apt-get install, file writes, and s6 service setup with no shellcheck linting, no robust error trapping visible, and no unit tests.
