Comparing changes
base repository: torrust/torrust-tracker-deployer
base: 7a44e51
head repository: torrust/torrust-tracker-deployer
compare: c09a86a
- 15 commits
- 13 files changed
- 1 contributor
Commits on Apr 9, 2026
- e300498 Merge #436: fix: [#428] Docker vulnerability remediation pass 1 (all 8 images)

  7a44e51 fix: [#428] restore SSH private key permission normalization (confirmed root cause) (Jose Celano)
  f081976 test: [#428] temporarily disable key permission normalization for CI root-cause check (Jose Celano)
  c6bf1e5 test: [#428] harden SSH test key permissions and print execute errors (Jose Celano)
  6453494 test: [#428] add SSH CI timeout diagnostics (Jose Celano)
  3b14397 docs: [#428] normalize scan table column widths (Jose Celano)
  a284272 fix: [#428] correct prometheus tag in docker_image test and workflow action policy (Jose Celano)
  54bddfc docs: [#428] close mysql checklist and finalize plan acceptance (Jose Celano)
  f01833a docs: [#428] finalize mysql scan documentation and status (Jose Celano)
  ed7f4b3 docs: [#428] record mysql remediation decision and validation (Jose Celano)
  e23d7b8 docs: [#428] mark mysql triage subtask complete (Jose Celano)
  457f232 docs: [#428] close grafana checklist with follow-up #434 (Jose Celano)
  2fb4a22 docs: [#428] record Grafana upgrade verification results (Jose Celano)
  72772af feat: [#428] upgrade default Grafana image to 12.4.2 (Jose Celano)
  8fef8ac docs: [#428] mark grafana triage subtask complete (Jose Celano)
  c44741c docs: [#428] close prometheus checklist with follow-up #433 (Jose Celano)
  cbc8396 docs: [#428] record prometheus upgrade verification results (Jose Celano)
  90aaffe feat: [#428] upgrade default Prometheus image to v3.5.1 (Jose Celano)
  e5d4cb8 docs: [#428] mark prometheus triage subtask complete (Jose Celano)
  5df0d5c docs: [#428] close caddy checklist with follow-up #432 (Jose Celano)
  1081a79 docs: [#428] record caddy upgrade verification results (Jose Celano)
  dc0312b infra: [#428] upgrade caddy reference to 2.10.2 (Jose Celano)
  232f826 docs: [#428] mark caddy triage subtask complete (Jose Celano)
  ab053a6 docs: [#428] complete provisioned-instance remediation cycle (Jose Celano)
  8b5a7a3 build: [#428] harden provisioned-instance package install (Jose Celano)
  9c7d17d docs: [#428] mark provisioned-instance triage subtask complete (Jose Celano)
  26e830c docs: [#428] complete ssh-server verification and close checklist (Jose Celano)
  3e67e12 fix: [#428] correct ssh-server entrypoint script generation (Jose Celano)
  fa045d9 build: [#428] remediate ssh-server base package findings (Jose Celano)
  fdd3635 docs: [#428] mark ssh-server triage subtask complete (Jose Celano)
  ab051e7 docs: [#428] close backup checklist with follow-up #431 (Jose Celano)
  d4bb5c8 docs: [#428] record backup remediation verification results (Jose Celano)
  3f1e1e3 build: [#428] apply backup base package upgrade remediation (Jose Celano)
  364a152 docs: [#428] mark backup triage subtask complete (Jose Celano)
  b418db2 docs: [#428] normalize scan table formatting (Jose Celano)
  7393a81 docs: [#428] close deployer checklist with follow-up #430 (Jose Celano)
  213a72a docs: [#428] record deployer verification and scan delta (Jose Celano)
  320334b build: [#428] reduce deployer runtime gnupg exposure (Jose Celano)
  0df9623 docs: [#428] mark deployer triage subtask complete (Jose Celano)
  bfab622 docs: [#428] add April 2026 scan analysis baseline (Jose Celano)

  Pull request description:

  ## Summary

  This PR implements Docker vulnerability remediation pass 1 for all 8 images tracked in issue #428. Each image was scanned with Trivy, remediation was applied where possible, results were verified, and follow-up issues were created for remaining unresolved CVEs.

  Closes #428

  ## Changes by Image

  ### 1. `torrust/tracker-deployer` (trixie) — partial remediation

  - Removed `gnupg` from runtime layer to reduce attack surface
  - After: 44 HIGH, 1 CRITICAL (was 49 HIGH)
  - Follow-up: #429

  ### 2. `torrust/tracker-backup` (trixie) — remediation no change

  - Added `apt-get upgrade -y` to base layer
  - After: 6 HIGH, 0 CRITICAL (no change — upstream packages not yet patched)
  - Follow-up: #431

  ### 3. `torrust/tracker-ssh-server` (Alpine 3.23.3) — fully remediated ✅

  - Added `apk upgrade --no-cache` to base layer
  - Fixed malformed entrypoint script (`echo` → `printf` for multi-line in Alpine)
  - After: 0 HIGH, 0 CRITICAL

  ### 4. `torrust/tracker-provisioned-instance` (Ubuntu 24.04) — fully remediated ✅

  - Added `--no-install-recommends` + `apt-get upgrade -y` to base layer
  - After: 0 HIGH, 0 CRITICAL

  ### 5. `caddy` (3rd-party) — partial remediation

  - Upgraded tag `2.10` → `2.10.2` in `docker-compose.yml.tera` and security scan CI workflow
  - After: 14 HIGH, 4 CRITICAL (was 18 HIGH, 6 CRITICAL)
  - Follow-up: #432

  ### 6. `prom/prometheus` (3rd-party) — partial remediation

  - Upgraded default image tag `v3.5.0` → `v3.5.1` in `src/domain/prometheus/config.rs`
  - After: 6 HIGH, 4 CRITICAL (was 16 HIGH, 4 CRITICAL)
  - Follow-up: #433

  ### 7. `grafana/grafana` (3rd-party) — partial remediation

  - Upgraded default image tag `12.3.1` → `12.4.2` in `src/domain/grafana/config.rs`
  - After: 4 HIGH, 0 CRITICAL (was 18 HIGH, 6 CRITICAL — CRITICAL fully cleared)
  - Follow-up: #434

  ### 8. `mysql` (3rd-party) — monitored, no safe upgrade

  - `mysql:8.4` (floating tag resolves to 8.4.8) = 7 HIGH, 1 CRITICAL
  - All pinned minor tags (`8.4.1`–`9.1`) have 98–100 HIGH — floating tag is already optimal
  - Runtime validated: `mysql:8.4` → Ver 8.4.8
  - Follow-up: #435

  ## Documentation Updates

  - `docs/security/docker/scans/` — added remediation pass 1 sections to all 8 scan files
  - `docs/security/docker/scans/README.md` — updated global summary table
  - `docs/issues/428-docker-vulnerability-analysis-apr8-2026.md` — all checklists and acceptance criteria complete

  ## Follow-up Issues Created

  | Issue | Image      | Remaining           |
  |-------|------------|---------------------|
  | #429  | deployer   | 44 HIGH, 1 CRITICAL |
  | #431  | backup     | 6 HIGH, 0 CRITICAL  |
  | #432  | caddy      | 14 HIGH, 4 CRITICAL |
  | #433  | prometheus | 6 HIGH, 4 CRITICAL  |
  | #434  | grafana    | 4 HIGH, 0 CRITICAL  |
  | #435  | mysql      | 7 HIGH, 1 CRITICAL  |

  ACKs for top commit:
    josecelano:
      ACK 7a44e51

  Tree-SHA512: e4283f6ea115d984cae2c4805c8932c08da235115489ed990253a1c2665996404810bb3d0e5d483e2e45de2289f83af146f6a5030164d859fd2af21ef2fba2bc
- 5b8f28e docs: remove completed issue #428

  The remediation PR has been merged to main. The issue tracking file is no longer needed.
- b397688 fix: [#437] upload third-party Trivy SARIF with codeql action

  Replace the unsupported custom gh API SARIF upload loop (HTTP 422 on category) with github/codeql-action/upload-sarif in the third-party matrix job. This restores third-party code scanning uploads with stable per-image categories and removes the broken dynamic upload loop from the aggregate upload job.
- 4daa4df Merge #438: fix: [#437] restore third-party Trivy SARIF uploads

  b397688 fix: [#437] upload third-party Trivy SARIF with codeql action (Jose Celano)

  Pull request description:

  ## Summary

  Fix the Docker security scanning workflow so third-party Trivy SARIF results are uploaded through a supported path.

  ## Changes

  - Add `security-events: write` permission to `scan-third-party-images`
  - Upload third-party SARIF directly with `github/codeql-action/upload-sarif@v4`
  - Use stable per-image categories: `docker-third-party-${sanitized-image}`
  - Remove the unsupported custom `gh api /code-scanning/sarifs` upload loop
  - Restrict aggregate uploader to project SARIF artifacts only

  ## Why

  The previous custom upload was failing with HTTP 422 (`"category" is not a permitted key`) and silently skipping third-party uploads, which caused PR warnings like `configurations not found`.

  ## Validation

  - `cargo run --bin linter yaml` passes

  Closes #437

  ACKs for top commit:
    josecelano:
      ACK b397688

  Tree-SHA512: fb0fafb74f35724c8cb75ae3e525440eda52239eb9015827e8662ae76593d6db680f13b3ff8437ca7d054729192bef4814a7d4f8c23da0b1ffdae770ca3410dd
Commits on Apr 10, 2026
- 3cf8e09
- 28b7018 build: [#439] update vulnerable dependency versions
- 805be28 docs: [#439] add cargo audit security reports
- 1a5dc56 ci: [#439] add cargo security audit workflow
- f330924 Merge #440: Implement cargo audit security automation for #439

  1a5dc56 ci: [#439] add cargo security audit workflow (Jose Celano)
  805be28 docs: [#439] add cargo audit security reports (Jose Celano)
  28b7018 build: [#439] update vulnerable dependency versions (Jose Celano)

  Pull request description:

  ## Summary

  Implements issue #439 by adding automated Cargo dependency security auditing, documenting the initial scan, and remediating the reported vulnerable dependency versions.

  ## Changes

  - Add a scheduled and manually runnable Cargo security audit workflow
  - Add dependency security report documentation under docs/security/dependencies
  - Update vulnerable dependency versions to clear current cargo-audit findings
  - Add the Cargo Security Audit badge to the main README

  ## Commit Structure

  - build: [#439] update vulnerable dependency versions
  - docs: [#439] add cargo audit security reports
  - ci: [#439] add cargo security audit workflow

  ## Validation

  - ./scripts/pre-commit.sh
  - cargo audit

  Closes #439

  ACKs for top commit:
    josecelano:
      ACK 1a5dc56

  Tree-SHA512: b279facc688aa68d59415b56cc5fab69bdc3f54cf546924d7a95e0c0e2620d234f7815fbbee0b5593dc99012bf3b7387312d9bcece4986394399d59b6de3c197
- 380aab0 docs: update README for 0.1.0 release status
- b58d80e docs: add tracker demo repository reference
- 6222486 Merge #441: docs: refresh README for 0.1.0 release

  b58d80e docs: add tracker demo repository reference (Jose Celano)
  380aab0 docs: update README for 0.1.0 release status (Jose Celano)

  Pull request description:

  ## Summary

  - Update the root README to reflect the 0.1.0 fully functional release status.
  - Simplify and clarify README structure with a concise quick start and documentation map.
  - Add a reference to the tracker demo repository for post-deployment operations and maintenance context.

  ## Validation

  - `cargo run --bin linter markdown`

  ACKs for top commit:
    josecelano:
      ACK b58d80e

  Tree-SHA512: 17b8eaf3eebe1351c80c5d3a3bbdb3cce0578bd30f2950caf64c43848be8780448bf19862fb9b9005a2b6f3f52d2b88cfd00c391e3b23756b5fa180670bb5a4b
- 513a0e0 fix: track Cargo.lock for reproducible app builds
- d65c810 docs: add ADR for Cargo.lock tracking
- c09a86a Merge #442: Track Cargo.lock for reproducible app builds

  d65c810 docs: add ADR for Cargo.lock tracking (Jose Celano)
  513a0e0 fix: track Cargo.lock for reproducible app builds (Jose Celano)

  Pull request description:

  ## Summary

  This PR starts tracking Cargo.lock in Git and documents the decision with an ADR.

  ## Problem

  Cargo.lock was ignored in .gitignore, so it was missing after checkout in GitHub runners. That made dependency resolution non-deterministic and caused workflow failures when a lockfile was expected.

  ## Decision

  - Remove Cargo.lock from .gitignore
  - Commit Cargo.lock to the repository
  - Record the rationale in a new ADR

  ## Why this is correct for this repo

  This workspace contains library crates, but the repository is primarily used as a runnable application/deployer. For application-first repositories, versioning Cargo.lock improves reproducibility for both users and CI.

  ## Files changed

  - .gitignore
  - Cargo.lock
  - docs/decisions/cargo-lock-tracking-for-application-reproducibility.md
  - docs/decisions/README.md

  ## Related workflows impacted

  - .github/workflows/cargo-security-audit.yml
  - .github/workflows/test-dependency-installer.yml
  - .github/workflows/container.yaml

  ACKs for top commit:
    josecelano:
      ACK d65c810

  Tree-SHA512: 8cabff10d648f56a8d481d3c307d1bf97e366a457ce149286f37cb8af8b65ca08f4f46cfbd37002ba97929a4cdf6f2a3ee435435f02257b79aac545c98a52219
The diff for this comparison could not be rendered on the page. To view it locally, run:
git diff 7a44e51...c09a86a