diff --git a/manifest/manifest_test.go b/manifest/manifest_test.go
index 5e2fd52..d9111e7 100644
--- a/manifest/manifest_test.go
+++ b/manifest/manifest_test.go
@@ -20,7 +20,7 @@ func mustLoadEmbedded(t *testing.T) map[string]*Manifest {
 
 func TestLoadEmbeddedCountAndNameMatch(t *testing.T) {
 registry := mustLoadEmbedded(t)
- if got, want := len(registry), 178; got != want {
+ if got, want := len(registry), 180; got != want {
 t.Fatalf("len(registry) = %d, want %d", got, want)
 }
 
diff --git a/manifest/manifests/docker_stats.yaml b/manifest/manifests/docker_stats.yaml
new file mode 100644
index 0000000..609fb5c
--- /dev/null
+++ b/manifest/manifests/docker_stats.yaml
@@ -0,0 +1,10 @@
+name: docker_stats
+description: Display a live stream of container resource usage statistics
+category: containers
+flags:
+ - flag: "--no-stream"
+ - flag: "--all"
+ - flag: "--format"
+ takes_value: true
+stdin: false
+stdout: true
diff --git a/manifest/manifests/nproc.yaml b/manifest/manifests/nproc.yaml
new file mode 100644
index 0000000..4d3597c
--- /dev/null
+++ b/manifest/manifests/nproc.yaml
@@ -0,0 +1,9 @@
+name: nproc
+description: Print the number of processing units available
+category: system
+flags:
+ - flag: "--all"
+ - flag: "--ignore"
+ takes_value: true
+stdin: false
+stdout: true
diff --git a/security_pipeline_test.go b/security_pipeline_test.go
index aa9d41a..b53c14b 100644
--- a/security_pipeline_test.go
+++ b/security_pipeline_test.go
@@ -794,6 +794,7 @@ func TestSubcommandBypass_DockerDangerous(t *testing.T) {
 mustAccept(t, registry, "docker ps -a")
 mustAccept(t, registry, "docker logs container_id")
 mustAccept(t, registry, "docker inspect container_id")
+ mustAccept(t, registry, "docker stats --no-stream container_id")
 }
 
 func TestSubcommandBypass_SystemctlDangerous(t *testing.T) {
diff --git a/validator/attack_vectors_test.go b/validator/attack_vectors_test.go
index 641cb26..17f42cf 100644
--- a/validator/attack_vectors_test.go
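Review bot: The registry-size assertion is a bare literal bumped from 178 to 180, and nothing in the hunk says why the count is pinned instead of derived from the embedded manifest files, so the next contributor will read it as bookkeeping to be bumped reflexively. If the intent is that widening the command allowlist must be an explicit, reviewed act, say so above the `if`: `// want is deliberately hard-coded: every new manifest widens the allowlist and must bump it on purpose.` If that is not the intent, derive `want` from the number of manifest files instead; how mustLoadEmbedded enumerates them is outside this hunk, as is the rest of TestLoadEmbeddedCountAndNameMatch.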
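Review bot: The manifest allows `docker stats` without `--no-stream`, which by its own description is a live stream that does not terminate, yet every test this commit adds (security_pipeline_test.go, validator/attack_vectors_test.go, validator/validator_test.go) passes `--no-stream`, so the verdict for the bare streaming form is never pinned. If the manifest schema can express a required flag, make `--no-stream` required; whether it can is not visible from this diff. Otherwise add a comment above `flags:` such as `# Without --no-stream this command streams until killed; callers must enforce a timeout.` and one test that states the intended result for `docker stats container_id` so the hang risk is a decision rather than an accident.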
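Review bot: No test in this commit exercises the new `nproc` manifest, whereas `docker stats` is asserted in three files; the only change that touches nproc is the registry count in manifest_test.go. Add a validator case for its value-taking flag, e.g. `validateOne(t, "nproc", "--ignore", "1")` expecting acceptance, next to whatever simple-command cases the suite already has (the right file is not visible here), so that `takes_value: true` on `--ignore` is covered rather than assumed.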
+++ b/validator/attack_vectors_test.go
@@ -621,6 +621,11 @@ func TestSubcommandBypass(t *testing.T) {
 expectAllow(t, err, "docker inspect is allowed")
 })
 
+ t.Run("docker_stats_allowed", func(t *testing.T) {
+ err := validateOne(t, "docker", "stats", "--no-stream", "container")
+ expectAllow(t, err, "docker stats is allowed")
+ })
+
 t.Run("kubectl_get_allowed", func(t *testing.T) {
 err := validateOne(t, "kubectl", "get", "pods", "-n", "default")
 expectAllow(t, err, "kubectl get is allowed")
diff --git a/validator/validator_test.go b/validator/validator_test.go
index 5657ad2..c38261e 100644
--- a/validator/validator_test.go
+++ b/validator/validator_test.go
@@ -118,6 +118,10 @@ func TestValidatesSubcommands(t *testing.T) {
 t.Fatalf("validate docker ps --format: %v", err)
 }
 
+ if err := validateOne(t, "docker", "stats", "--no-stream"); err != nil {
+ t.Fatalf("validate docker stats --no-stream: %v", err)
+ }
+
 err := validateOne(t, "docker", "run", "alpine")
 if err == nil {
 t.Fatal("expected docker run to be rejected")
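Review bot: The new `docker_stats_allowed` subtest covers only the boolean `--no-stream`, so the one flag the docker_stats manifest declares with `takes_value: true`, `--format`, is never parsed by the validator in this suite, and that is the path where an argument can be mistaken for a flag or vice versa. Add a sibling case such as `err := validateOne(t, "docker", "stats", "--no-stream", "--format", "{{.Name}}", "container")` followed by `expectAllow(t, err, "docker stats --format is allowed")`, assuming the validator accepts template values the way the existing `docker ps --format` check in validator_test.go implies. TestSubcommandBypass starts and ends outside the hunk.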