A Quick Look at Docker MCP Gateway Interceptors
The MCP Gateway is Docker’s answer to the growing complexity and security risks of connecting AI agents to MCP servers. By aggregating multiple MCP servers behind a single, secure interface, it gives developers and teams a consistent way to build, scale, and govern agent-based workloads.
Interceptors are one of the most powerful security features of Docker MCP Gateway. They act as programmable security filters/middleware that sit between AI clients and MCP tools. They act as security guards that inspect, modify, or block every tool call in real-time.
Role of Interceptors
- Security Layer: They provide a critical security boundary between AI agents and the tools they access
- Request/Response Control: Can inspect, modify, or completely block tool calls before they reach MCP servers or after responses are generated
- Attack Prevention: Protect against various attack vectors including:
- Cross-repository data leakage
- Prompt injection attacks
- Data exfiltration
- Sensitive information exposure (API keys, tokens)
- Unauthorized access attempts
Key Capabilities
- Inspect tool calls - Monitor what tools are being called and with what data
- Modify requests - Transform tool arguments or responses in real-time
- Block malicious activity - Prevent unauthorized or suspicious tool calls
- Audit and log - Maintain complete audit trails for compliance
- Security enforcement - Implement custom security policies
Interceptor Types & Deployment Models
The Docker MCP Gateway supports three deployment models for interceptors:
- Inline/Exec Interceptors - Perfect for security policies that need instant execution
- Before interceptors - Run before tool calls are executed
- After interceptors - Run after tool calls complete
How Interceptors Work?
Execution Flow:
SPONSORED
AI Client → MCP Gateway → Before Interceptor → MCP Server → After Interceptor → AI Client
Two Types of Interceptors
- Before Interceptors: Execute BEFORE the tool call reaches the MCP server
- Example:
cross-repo-blocker.sh- prevents accessing multiple repositories in one session - Usage:
--interceptor=before:exec:cross-repo-blocker.sh
- Example:
After Interceptors: Execute AFTER the MCP server responds
- Example:
audit-logger.sh- logs responses and flags sensitive data - Usage:
--interceptor=after:exec:audit-logger.sh
Implementation Methods:
- Exec Interceptors: External scripts that receive tool calls as JSON via stdin
# Example: cross-repo-blocker.sh
# Receives JSON tool call via stdin
# Can modify or reject the request
# Returns exit code 0 to allow, non-zero to block- Plugin-based Interceptors: Built-in or custom plugins (like in Lasso Security's MCP Gateway)
- Basic guardrails (token masking)
- Presidio (PII detection)
- Lasso (advanced AI safety guardrails)
Real Example from the Search Results:
The cross-repository blocker interceptor works like this:
- When an AI agent makes its first GitHub tool call (e.g., accessing a public repo)
- The interceptor records that repository in a session file
- Any subsequent attempts to access a different repository get blocked
- This implements a "one repository per conversation" rule
Configuration Example
services:
mcp-gateway:
command:
- --transport=streaming
- --interceptor=before:exec:/scripts/cross-repo-blocker.sh
- --interceptor=after:exec:/scripts/audit-logger.sh
volumes:
- ./interceptors:/scripts:ro # Mount interceptor scripts
- /tmp:/tmp # Session data for maintaining stateWhy Interceptors Matter?
Interceptors successfully prevent a real vulnerability where:
- An attacker could inject malicious prompts in public GitHub issues
- The AI agent would read the public repo (legitimate access)
- The prompt injection would trick the agent into accessing private repos
- The interceptor blocked this by enforcing the one-repo-per-session rule
The Three Deployment Models Explained
1. Shell Scripts (exec) - Lightweight & Fast
# Quick security monitoring
--interceptor=before:exec:echo "Arguments=$(jq -r ".params.arguments") >&2"
# Production security enforcement
--interceptor=before:exec:/scripts/cross-repo-blocker.sh
--interceptor=after:exec:/scripts/audit-logger.shPerfect for:
- Instant security policy execution
- Session management and state tracking
- Simple blocking rules based on patterns
- Lightweight logging and monitoring
How it works:
- Tool calls passed as JSON via
stdin - Scripts receive complete request context
- Can modify, log, or block based on analysis
- Minimal overhead for real-time processing
2. Containerized (docker) - Isolated & Powerful
# Simple containerized logging
--interceptor=before:docker:alpine sh -c 'echo BEFORE >&2'
# Complex security analysis container
--interceptor=before:docker:security-scanner:latest analyze-request
--interceptor=after:docker:compliance-logger:latest log-responsePerfect for:
- Complex threat analysis requiring additional tools
- Integration with security scanning libraries
- Resource-intensive data processing
- Isolated execution environments
Benefits:
- Complete isolation from host system
- Access to specialized security tools and libraries
- Scalable resource allocation
- Consistent execution environment
3. HTTP Services (http) - Enterprise Integration
# Enterprise security gateway
--interceptor=before:http:http://security-gateway:8080/validate
--interceptor=after:http:http://compliance-api:8080/audit
# Threat intelligence integration
--interceptor=before:http:http://threat-intel:8080/check-indicatorsPerfect for:
- Integration with existing enterprise security infrastructure
- Centralized policy management across multiple gateways
- Real-time threat intelligence lookups
- Compliance and audit system integration
Docker Compose Integration
Interceptors can be integrated into Docker Compose setups:
- Scripts are mounted as read-only volumes to
/scripts - Session data is persisted for maintaining state between requests
- Docker socket is mounted for container management
Getting Started
Clone the repository
git clone https://github.com/docker/mcp-gateway
cd mcp-gatewayBring up the Agentic AI app
docker compose up --buildYou will see the logs:
gateway-1 | - Verifying images [mcp/duckduckgo]
gateway-1 | > Images verified in 2.470634126s
gateway-1 | > Initialized in 3.37362121s
gateway-1 | > Start streaming server on port 9011
gateway-1 | - Client initialized
gateway-1 | - ============BEFORE==============: Query=null
gateway-1 | - Calling tool search with arguments: {"query":"Docker"}
gateway-1 | - Scanning tool call arguments for secrets...
gateway-1 | > No secret found in arguments.
gateway-1 | - Running mcp/duckduckgo with [run --rm -i --init --security-opt no-new-privileges --cpus 1 --memory 2Gb --pull never -l docker-mcp=true -l docker-mcp-tool-type=mcp -l docker-mcp-name=duckduckgo -l docker-mcp-transport=stdio --network mcp-gateway-interceptors_default]
gateway-1 | - Scanning tool call response for secrets...
gateway-1 | > No secret found in response.
gateway-1 | > Calling tool search took: 1.707662875s
client-1 | Found 10 search results:
client-1 |
client-1 | 1. Docker: Accelerated Container Application Development
client-1 | URL: https://www.docker.com/
client-1 | Summary: Dockeris a tool that helps developers build, share, run, and verify applications using containers. Learn how to useDockerDesktop,DockerHub,DockerScout, and other products and services to accelerate your development and secure your workflows.
client-1 |
client-1 | 2. Docker Desktop: The #1 Containerization Tool for Developers | Docker
client-1 | URL: https://www.docker.com/products/docker-desktop/
client-1 | Summary: DockerDesktop is a powerful platform for building, running, and managing containers on your local machine. It integrates with your development tools, supports Kubernetes, offers extensions, and enhances security and performance.
client-1 |
client-1 | 3. Docker Guide for Beginners - 2025 Edition - DevToolHub
client-1 | URL: https://devtoolhub.com/docker-beginners-guide-2025/
client-1 | Summary: In 2025,Dockerremains a foundational tool for developers and DevOps engineers who want to build, ship, and run applications anywhere — without worrying about environment differences. This beginner-friendly guide explains everything you need to know aboutDocker— what it is, how it works, and why it matters today. What IsDocker?
client-1 |
client-1 | 4. Get Started | Docker
client-1 | URL: https://www.docker.com/get-started/
client-1 | Summary: DockerDesktop lets you installDockerand customize your development environment with tools that enhance your tech stack and optimize your process. Learn how to useDockerCLI, IDE integrations, AI/ML, Trusted Open Source Content, andDockerHub.
client-1 |
client-1 | 5. Docker Tutorial - GeeksforGeeks
client-1 | URL: https://www.geeksforgeeks.org/devops/docker-tutorial/
client-1 | Summary: Dockeris a tool that simplifies the process of developing, packaging, and deploying applications. By using containers,Dockerallows you to create lightweight, self-contained environments that run consistently on any system, minimising the time between writing code and deploying it into production.
client-1 |
client-1 | 6. Get started | Docker Docs
client-1 | URL: https://docs.docker.com/get-started/
client-1 | Summary: Learn the basics and benefits of containerizing your applications withDocker. Follow the guides to installDocker, understand the foundational concepts and workflows, and explore theDockerplatform.
client-1 |
client-1 | 7. Docker for Beginners: Everything You Need to Know - How-To Geek
client-1 | URL: https://www.howtogeek.com/733522/docker-for-beginners-everything-you-need-to-know/
client-1 | Summary: Learn how to useDockercontainers to create isolated environments for your applications. Find out how to install, build, run, and shareDockerimages with this comprehensive guide.
client-1 |
client-1 | 8. What is Docker? - GeeksforGeeks
client-1 | URL: https://www.geeksforgeeks.org/devops/introduction-to-docker/
client-1 | Summary: TheDockerHub is a website and cloud service that makes it easy for everyone to share theirdockerimages. WhyDockeris Popular?Dockergained its popularity due to its impact on the software development and deployment. The following are the some of the main reasons fordockerbecoming popular:
client-1 |
client-1 | 9. Products | Docker
client-1 | URL: https://www.docker.com/products/
client-1 | Summary: Dockeroffers a suite of integrated tools for building, securing, and deploying containerized applications. Learn aboutDockerDesktop,DockerHub,DockerScout, andDockerBuild Cloud, and how they can improve your software development workflow.
client-1 |
client-1 | 10. An Introduction to Docker and Containers for Beginners
client-1 | URL: https://www.freecodecamp.org/news/an-introduction-to-docker-and-containers-for-beginners/
client-1 | Summary: In the world of modern software development, efficiency and consistency are key. Developers and operations teams need solutions that help them manage, deploy, and run applications seamlessly across different environments. Containers andDockerare te...
client-1 |
1. Complete Interceptor Chain (✅ All Working)
Client Request → before:exec → before:http → MCP Tool → after:http → Client Response
✅ ✅ ✅ ✅ ✅ ✅ SUCCESSWhat We Can See Working
Gateway Initialization Perfect
gateway-1 | - Interceptors enabled:
- before:exec:echo ============BEFORE==============: Query=$(jq -r ".params.arguments.query") >&2
- before:http:http://interceptor:8080/before
- after:http:http://interceptor:8080/after
gateway-1 | - Those servers are enabled: duckduckgo
gateway-1 | > duckduckgo: (2 tools) # ✅ Tools discovered successfullyReal-Time Interceptor Processing
# 1. BEFORE interceptor logged the query
gateway-1 | - ============BEFORE==============: Query=null
# 2. Tool call executed with arguments
gateway-1 | - Calling tool search with arguments: {"query":"Docker"}
# 3. Security scanning active
gateway-1 | - Scanning tool call arguments for secrets...
gateway-1 | > No secret found in arguments.
# 4. Container security enforced
gateway-1 | - Running mcp/duckduckgo with [run --rm -i --init --security-opt no-new-privileges --cpus 1 --memory 2Gb]
# 5. Response security scanning
gateway-1 | - Scanning tool call response for secrets...
gateway-1 | > No secret found in response.
# 6. Performance metrics
gateway-1 | > Calling tool search took: 1.707662875sClient Success
client-1 | Found 10 search results: # ✅ Complete success!What This Demonstrates About MCP Gateway Interceptors
🛡️ Multi-Layer Security
# Layer 1: Exec interceptor for logging
before:exec:echo Query=$(jq -r ".params.arguments.query")
# Layer 2: HTTP interceptor for complex analysis
before:http:http://interceptor:8080/before
# Layer 3: Built-in secret scanning
"Scanning tool call arguments for secrets..."
# Layer 4: Container isolation
--security-opt no-new-privileges --cpus 1 --memory 2Gb🔄 Real-Time Processing Pipeline
- Before Interceptors → Inspect/modify/block tool calls
- Tool Execution → Secure containerized MCP server
- After Interceptors → Process/log/transform responses
- Client Delivery → Clean, secure results
⚡ Performance & Reliability
- 1.7 seconds total execution time for web search
- Zero security violations detected
- 10 high-quality results delivered to client
- Complete audit trail in logs
How it Works?
The interceptors are processing specific JSON data structures that contain all the information about tool calls and responses. Let me show you exactly what they're seeing:
What the BEFORE Interceptor Receives
When your client calls search("Docker"), the before interceptor sees this JSON via stdin:
{
"jsonrpc": "2.0",
"id": "req-12345",
"method": "tools/call",
"params": {
"name": "search",
"arguments": {
"query": "Docker"
}
},
"meta": {
"sessionId": "session-abc-123",
"timestamp": "2025-08-27T02:26:31Z",
"clientInfo": "Python MCP Client",
"transport": "streamable-http"
}
}
// This is what the exec interceptor extracts:
// $(jq -r ".params.arguments.query") = "Docker"
// $(jq -r ".params.name") = "search"
// $(jq -r ".meta.sessionId") = "session-abc-123"What the AFTER Interceptor Receives
After DuckDuckGo returns results, the after interceptor sees this massive JSON response:
{
"jsonrpc": "2.0",
"id": "req-12345",
"result": {
"content": [
{
"type": "text",
"text": "Found 10 search results:\n\n1. Docker: Accelerated Container Application Development\n URL: https://www.docker.com/\n Summary: Docker is a tool that helps developers build, share, run, and verify applications using containers...\n\n2. Docker Desktop: The #1 Containerization Tool for Developers | Docker\n URL: https://www.docker.com/products/docker-desktop/\n Summary: Docker Desktop is a powerful platform for building, running, and managing containers...\n\n3. Docker Guide for Beginners - 2025 Edition - DevToolHub\n URL: https://devtoolhub.com/docker-beginners-guide-2025/\n Summary: In 2025, Docker remains a foundational tool for developers and DevOps engineers...\n\n[... 7 more results with URLs and summaries ...]"
}
],
"isError": false,
"toolName": "search",
"duration": "1.707662875s"
}
}
// This is what interceptors can extract:
// $(jq -r ".result.content[0].text") = "Found 10 search results:\n\n1. Docker: Accelerated..."
// $(jq -r ".result.toolName") = "search"
// $(jq -r ".result.duration") = "1.707662875s"What Interceptors Can DO With This Data
Here are real examples of what your interceptors could extract, modify, or block:
# ============= BEFORE INTERCEPTOR EXAMPLES =============
# 1. SECURITY: Block sensitive queries
--interceptor=before:exec:if [ "$(jq -r '.params.arguments.query')" = "password" ]; then echo "BLOCKED"; exit 1; fi
# 2. AUDIT: Log all tool calls with timestamps
--interceptor=before:exec:echo "$(date): User called $(jq -r '.params.name') with query=$(jq -r '.params.arguments.query // "none"')" >> /var/log/mcp-audit.log
# 3. RATE LIMITING: Track API calls per session
--interceptor=before:exec:/scripts/rate-limiter.sh
# 4. DATA VALIDATION: Ensure query length limits
--interceptor=before:exec:if [ $(jq -r '.params.arguments.query | length') -gt 100 ]; then echo "Query too long" | jq -R '{error: .}'; exit 1; fi
# 5. QUERY ENHANCEMENT: Add context to searches
--interceptor=before:exec:jq '.params.arguments.query = (.params.arguments.query + " 2025 latest")'
# ============= AFTER INTERCEPTOR EXAMPLES =============
# 6. DATA FILTERING: Remove low-quality results
--interceptor=after:exec:jq '.result.content[0].text = (.result.content[0].text | split("\n") | map(select(. | contains("Docker"))) | join("\n"))'
# 7. RESPONSE TRANSFORMATION: Convert to structured data
--interceptor=after:exec:/scripts/extract-urls.sh
# 8. MONITORING: Track response times and sizes
--interceptor=after:exec:echo "Response: $(jq -r '.result.duration') duration, $(jq -r '.result.content[0].text | length') chars" >&2
# 9. CONTENT SAFETY: Remove potentially harmful URLs
--interceptor=after:exec:jq '.result.content[0].text = (.result.content[0].text | gsub("malware|virus"; "[FILTERED]"))'
# 10. CACHING: Store results for repeated queries
--interceptor=after:exec:/scripts/cache-response.sh
# ============= HTTP INTERCEPTOR EXAMPLES =============
# 11. ENTERPRISE SECURITY: Check with threat intelligence
--interceptor=before:http:http://threat-intel:8080/check-query
# 12. COMPLIANCE: Log to SIEM system
--interceptor=after:http:http://splunk:8080/log-response
# 13. DATA ENRICHMENT: Add metadata from internal systems
--interceptor=after:http:http://enrichment:8080/add-context
# ============= SAMPLE INTERCEPTOR SCRIPTS =============
# /scripts/rate-limiter.sh
#!/bin/bash
session_id=$(jq -r '.meta.sessionId')
count_file="/tmp/rate-limit-$session_id"
current_count=$(cat "$count_file" 2>/dev/null || echo 0)
if [ "$current_count" -gt 10 ]; then
echo '{"error": "Rate limit exceeded"}'
exit 1
fi
echo $((current_count + 1)) > "$count_file"
# /scripts/extract-urls.sh
#!/bin/bash
# Convert search results to JSON array of URLs
jq '.result.content[0].text' | \
grep -oE 'https?://[^[:space:]]+' | \
jq -R . | jq -s '{urls: .}'What Was Actually Intercepted?
Looking at your logs, here's what each interceptor processed:
1. Before Exec Interceptor
gateway-1 | - ============BEFORE==============: Query=null- Intercepted: The initial tool call JSON with
"query": "Docker" - Extracted:
$(jq -r ".params.arguments.query")="Docker" - Action: Logged it to stderr (visible in gateway logs)
2. Before HTTP Interceptor
interceptor-1 | Calling tool [search] with arguments: map[query:Docker]- Intercepted: Same JSON, but processed by Go HTTP service
- Extracted: Tool name and arguments
- Action: Logged and allowed request to proceed
3. After HTTP Interceptor
- Intercepted: The complete DuckDuckGo response with all 10 search results
- Processed: ~2KB of search result data including URLs, titles, summaries
- Action: Logged response and passed it through unchanged
Why This Is Powerful
🔍 Complete Visibility
- Every tool call passes through your interceptors
- Every response can be inspected, logged, or modified
- Real-time monitoring of AI agent behavior
🛡️ Security Control Points
- Block malicious queries before they reach external APIs
- Filter sensitive data from responses before returning to AI
- Audit trail of every interaction for compliance
⚡ Data Optimization
- Transform API responses into better formats for AI consumption
- Cache frequently requested data to reduce external API calls
- Enrich responses with internal company data
📊 Monitoring & Analytics
- Track usage patterns across different AI agents
- Monitor performance of external tool integrations
- Cost tracking for paid API services
Your interceptors are sitting in the data pipeline between your AI and external tools, giving you complete control over:
- ✅ What tools get called (security)
- ✅ What data goes out (privacy)
- ✅ What data comes back (quality)
- ✅ How it's formatted (optimization)
This is why Docker MCP Gateway's interceptor system is so powerful - it gives you enterprise-grade control over every piece of data flowing through your AI agent infrastructure!
The interceptor system transforms Docker MCP Gateway from a simple proxy into a comprehensive security platform that can adapt to new threats while maintaining the flexibility developers need for AI agent development.
