This directory documents security considerations for the Torrust Tracker Deployer project, organized by priority level.
Security effort should be distributed according to exposure and risk. The highest-priority areas are those that directly affect end users in production.
Directory: production/
The most critical security surface: the Docker images, OS packages, system dependencies, and server configuration that the deployer deploys to production.
These are exposed to the internet and run continuously. Any vulnerability here directly affects tracker users.
Scope:
- Service container images: caddy, prom/prometheus, grafana/grafana, mysql
- Backup service container: torrust/tracker-backup
- OS base layers of the provisioned VM
- Server configuration (TLS, SSH access policies)
Scan history: production/scans/
Directory: user-security/
How users interact with the deployer affects the security of their deployments. Mistakes here can expose secrets or production credentials.
Scope:
- Sharing secrets with AI coding agents during deployment
- SSH access controls and key management
- Safe handling of deployment credentials (envs/*.json)
Documents:
- AI Agents and Secrets — risks when using cloud-based AI agents during deployments
- SSH Root Access on Hetzner — SSH key behavior and hardening guidance
Directory: deployer/
The deployer itself — its Rust binary, container images, and bundled tools (OpenTofu, Ansible). This is a lower-risk surface because:
- Users run the deployer locally for minutes at a time
- It is not exposed to the internet during normal use
- It runs in a controlled local or CI environment
This priority increases if the deployer is ever embedded in a long-running service (e.g., a web application that calls the deployer on demand).
Scope:
- The deployer container image: torrust/tracker-deployer (Rust binary + OpenTofu + Ansible)
- Rust dependency vulnerabilities (cargo audit / RustSec)
- Bundled tool vulnerabilities: OpenTofu, Ansible
Subdirectories:
- deployer/docker/ — Docker image scans
- deployer/dependencies/ — Rust dependency audits
Directory: testing/
Docker images and other artifacts used only in automated tests or local development. These never run in production and have a minimal attack surface.
Scope:
- torrust/tracker-ssh-server — SSH server used in E2E integration tests
- torrust/tracker-provisioned-instance — Ubuntu VM simulation used in E2E deployment workflow tests
Scan history: testing/scans/
| Tool | Purpose | Run Command |
|---|---|---|
| Trivy | Docker image CVE scanning | trivy image --severity HIGH,CRITICAL <image> |
| cargo-audit | Rust dependency audits | cargo audit |
See production/scans/README.md for the latest status of all production-deployed images.
See deployer/docker/scans/README.md for the latest status of deployer-internal images.
See deployer/dependencies/README.md for the latest cargo-audit report.