Skip to content

Latest commit

 

History

History
 
 

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 

README.md

Docker Image Security

This directory covers security scanning for the Torrust Tracker Docker image.

Purpose

Regular security scanning ensures that the tracker's container image is free from known vulnerabilities. This documentation provides:

  • Instructions for running security scans on the tracker image
  • Scan history and current status
  • Vulnerability management decisions

Automated Scanning

See the Security Scan workflow for automated scheduled scanning via GitHub Actions.

Manual Scanning with Trivy

Installation

# macOS
brew install trivy

# Linux (Debian/Ubuntu)
sudo apt-get install trivy

# Or use Docker
docker run --rm aquasec/trivy:latest image <image-name>

Scan Commands

Build the image:

docker build -t torrust-tracker:local -f Containerfile .

Scan for HIGH and CRITICAL only (standard production check):

trivy image --severity HIGH,CRITICAL torrust-tracker:local

Scan with all severities (full report):

trivy image --severity MEDIUM,HIGH,CRITICAL torrust-tracker:local

Severity Levels

  • CRITICAL: Exploitable vulnerabilities with severe impact
  • HIGH: Significant vulnerabilities requiring attention
  • MEDIUM: Moderate vulnerabilities (tracked for awareness)

Scan Results

See scans/ for the full scan history.