Skip to content

Latest commit

 

History

History
 
 

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 

README.md

Security Overview

This directory documents security considerations for the Torrust Tracker project, organized by priority level.

Priority Levels

Security effort should be distributed according to exposure and risk. The highest-priority areas are those that directly affect end users in production.

Priority 1 — Production Docker Image (Critical)

Directory: docker/

The production Docker image (release stage based on gcr.io/distroless/cc-debian13) is the most critical security surface. It is exposed to the internet and runs continuously. Any vulnerability here directly affects tracker users.

Scope:

  • The tracker binary
  • OS base layer (distroless/cc-debian13)
  • Transitive library dependencies (glibc, zlib)

Scan history: docker/scans/


Priority 2 — Vulnerability Analysis (Important)

Directory: analysis/

When a security issue is detected (Docker Scout, dependabot, manual audit, container image scans), we create an analysis document to evaluate whether it actually affects the tracker.

Scope:

  • Evaluating CVEs reported by scanning tools
  • Documenting non-affecting vulnerabilities
  • Tracking affecting vulnerabilities with remediation plans

Documents:


Priority 3 — Build Chain Security (Standard)

The build-time images (chef, tester, gcc stages in the Containerfile) are a lower-risk surface because:

  • They run only during CI/CD or local builds
  • They are not exposed to the internet
  • They produce the final artifact but are not deployed themselves

This priority increases if the build images are ever used in a long-running service.

Scope:

  • Base build images: rust:trixie, rust:slim-trixie, gcc:trixie
  • Rust dependency vulnerabilities (cargo audit / RustSec)
  • CI/CD pipeline security

Scan Tooling

Tool Purpose Run Command
Trivy Docker image CVE scanning trivy image --severity HIGH,CRITICAL <image>

Current Security Status

Production Image

See docker/scans/README.md for the latest status of the production release stage image.

Vulnerability Analysis

See analysis/README.md for cataloged vulnerability evaluations.

Non-affecting CVE catalog: analysis/non-affecting/ — per-CVE files documenting why each vulnerability does not affect the tracker and what conditions would change the verdict.

Related Documentation