This directory covers security scanning for the Torrust Tracker Docker image.
Regular security scanning ensures that the tracker's container image is free from known vulnerabilities. This documentation provides:
- Instructions for running security scans on the tracker image
- Scan history and current status
- Vulnerability management decisions
See the Security Scan workflow for automated scheduled scanning via GitHub Actions.
# macOS
brew install trivy
# Linux (Debian/Ubuntu)
sudo apt-get install trivy
# Or use Docker
docker run --rm aquasec/trivy:latest image <image-name>Build the image:
docker build -t torrust-tracker:local -f Containerfile .Scan for HIGH and CRITICAL only (standard production check):
trivy image --severity HIGH,CRITICAL torrust-tracker:localScan with all severities (full report):
trivy image --severity MEDIUM,HIGH,CRITICAL torrust-tracker:localCRITICAL: Exploitable vulnerabilities with severe impactHIGH: Significant vulnerabilities requiring attentionMEDIUM: Moderate vulnerabilities (tracked for awareness)
See scans/ for the full scan history.