| Version | Supported |
|---|---|
| 1.16.x | ✅ |
| 1.15.x | ✅ |
| 1.14.x | ✅ |
| < 1.14 | ❌ |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please report security vulnerabilities by emailing:
Or use GitHub's private vulnerability reporting:
- Go to the Security tab
- Click "Report a vulnerability"
- Fill out the form with details
Please include the following in your report:
- Description: Clear description of the vulnerability
- Impact: Potential impact and severity
- Steps to Reproduce: Detailed steps to reproduce the issue
- Affected Versions: Which versions are affected
- Possible Fix: If you have suggestions for fixing the issue
Response timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution Target: Within 30 days for critical issues
What to expect after you report:
- Acknowledgment: We'll confirm receipt of your report
- Investigation: We'll investigate and validate the issue
- Updates: We'll keep you informed of our progress
- Fix: We'll develop and test a fix
- Disclosure: We'll coordinate disclosure timing with you
- Credit: We'll credit you in the release notes (unless you prefer anonymity)
When using this platform:
- Change default passwords immediately after first login
- Use strong, unique passwords for each service
- Store secrets in environment variables, not in code
- Run the platform on a trusted network
- Use a firewall to restrict access to service ports
- Consider using a VPN for remote access
- Keep Docker Desktop updated
- Don't expose Docker socket unnecessarily
- Use the principle of least privilege
- Rotate API tokens regularly
- Use minimal required permissions
- Never commit tokens to version control
Change these immediately after installation:
| Service | Default Username | Default Password |
|---|---|---|
| Gitea | localadmin | admin123 |
| SonarQube | admin | admin |
| Dependency-Track | admin | admin |
This platform includes security scanning tools:
- Trivy: Vulnerability scanning for containers and dependencies
- SonarQube: Static Application Security Testing (SAST)
- Dependency-Track: Software Composition Analysis (SCA)
Use these tools to scan your own projects for vulnerabilities.
We thank the security researchers who help keep this project secure.
No vulnerabilities have been reported yet.