This directory covers security scanning for Docker images that the deployer deploys to production. These are Priority 1 — the highest-risk surface because they run continuously and are exposed to the internet.
| Image | Role |
|---|---|
| caddy | TLS termination proxy — public-facing |
| prom/prometheus | Metrics collection |
| grafana/grafana | Metrics dashboards |
| mysql | Tracker database |
| torrust/tracker-backup | Backup service — runs on a schedule inside the deployed environment |
```bash
# Scan a production image
trivy image --severity HIGH,CRITICAL caddy:2.11.2

# Scan and output JSON
trivy image --format json --output report.json caddy:2.11.2

# Scan all severities for a full report
trivy image caddy:2.11.2
```

CRITICAL severity:
- Check whether the upstream vendor has released a patched image
- Update the image version in `templates/docker-compose/docker-compose.yml.tera`
- Re-scan the updated image to confirm the fix
- Update scan history in `scans/<image>.md`
HIGH severity:
- Check Debian/Alpine security tracker for fix availability
- If a fix exists, update the image as above
- If no fix exists (`affected/will_not_fix/<no-dsa>`), document the accepted risk
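The triage above can be applied mechanically to the `trivy image --format json` report. The script below is an added example, not part of this repository: it buckets CRITICAL and HIGH findings into "update the image" versus "document accepted risk" (HIGH with no upstream fix) and returns a CI-style exit code. The report is a constructed sample in Trivy's JSON shape; the CVE ids and package names are placeholders, not real findings for caddy.

```python
import json

# Constructed sample shaped like `trivy image --format json` output.
# CVE ids and package names are placeholders, not real caddy findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "caddy:2.11.2",
    "Results": [{
        "Target": "caddy:2.11.2 (alpine)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-XXXX-0001", "PkgName": "pkg-a",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
             "Severity": "CRITICAL", "Status": "fixed"},
            {"VulnerabilityID": "CVE-XXXX-0002", "PkgName": "pkg-b",
             "InstalledVersion": "2.3.0", "FixedVersion": "2.3.1",
             "Severity": "HIGH", "Status": "fixed"},
            {"VulnerabilityID": "CVE-XXXX-0003", "PkgName": "pkg-c",
             "InstalledVersion": "0.9.0", "FixedVersion": "",
             "Severity": "HIGH", "Status": "will_not_fix"},
            {"VulnerabilityID": "CVE-XXXX-0004", "PkgName": "pkg-d",
             "InstalledVersion": "4.0.0", "FixedVersion": "4.0.2",
             "Severity": "MEDIUM", "Status": "fixed"},
        ],
    }],
})

# Trivy statuses meaning the distro has no fix: these become documented accepted risk.
NO_FIX_STATUSES = {"affected", "will_not_fix"}


def triage(report_json):
    """CRITICAL -> update image; HIGH with a fix -> update image;
    HIGH without a fix -> document as accepted risk. Lower severities are ignored."""
    report = json.loads(report_json)
    buckets = {"update_required": [], "accepted_risk": []}
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity")
            if sev not in ("CRITICAL", "HIGH"):
                continue
            entry = (v["VulnerabilityID"], v["PkgName"], v.get("FixedVersion") or "-")
            has_fix = bool(v.get("FixedVersion")) and v.get("Status") not in NO_FIX_STATUSES
            # CRITICAL is always surfaced for action: the runbook says to check the vendor.
            if sev == "CRITICAL" or has_fix:
                buckets["update_required"].append(entry)
            else:
                buckets["accepted_risk"].append(entry)
    return buckets


def exit_code(buckets):
    """Non-zero only when an image bump is required; accepted risks do not block."""
    return 1 if buckets["update_required"] else 0
```

Run it against a real report with `trivy image --format json --output report.json <image>` and feed the file contents to `triage`; the accepted-risk bucket is what belongs in `scans/<image>.md`.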
- Pin to specific versions, never `latest`, in production templates
- Prefer official vendor images (`prom`, `grafana`, `mysql`)
- Re-scan after every image version bump
- Monitor vendor security advisories
See scans/ for per-image scan history and current status.