This directory documents security considerations for the Torrust Tracker project, organized by priority level.
Security effort should be distributed according to exposure and risk. The highest-priority areas are those that directly affect end users in production.
Directory: docker/
The production Docker image (release stage based on gcr.io/distroless/cc-debian13) is the most critical security surface. It is exposed to the internet and runs continuously. Any vulnerability here directly affects tracker users.
Scope:
- The tracker binary
- OS base layer (distroless/cc-debian13)
- Transitive library dependencies (glibc, zlib)
Scan history: docker/scans/
Directory: analysis/
When a security issue is detected (Docker Scout, dependabot, manual audit, container image scans), we create an analysis document to evaluate whether it actually affects the tracker.
Scope:
- Evaluating CVEs reported by scanning tools
- Documenting non-affecting vulnerabilities
- Tracking affecting vulnerabilities with remediation plans
Documents:
- Analysis README — process and document index
- Non-affecting CVEs — analyzed and accepted vulnerabilities
The build-time images (chef, tester, gcc stages in the Containerfile) are a lower-risk surface because:
- They run only during CI/CD or local builds
- They are not exposed to the internet
- They produce the final artifact but are not deployed themselves
This priority increases if the build images are ever used in a long-running service.
Scope:
- Base build images:
rust:trixie,rust:slim-trixie,gcc:trixie - Rust dependency vulnerabilities (
cargo audit/ RustSec) - CI/CD pipeline security
| Tool | Purpose | Run Command |
|---|---|---|
| Trivy | Docker image CVE scanning | trivy image --severity HIGH,CRITICAL <image> |
See docker/scans/README.md for the latest status of the production release stage image.
See analysis/README.md for cataloged vulnerability evaluations.
Non-affecting CVE catalog: analysis/non-affecting/ —
per-CVE files documenting why each vulnerability does not affect the tracker and what
conditions would change the verdict.
- Docker Image Security — scanning instructions and scan history
- Security Analysis — CVE evaluation process
SECURITY.md— project security policy and reporting