torrust
diff --git a/‎docs/issues/250-epic-docker-image-vulnerability-scanning.md‎
Lines changed: 240 additions & 0 deletions b/‎docs/issues/250-epic-docker-image-vulnerability-scanning.md‎
Lines changed: 240 additions & 0 deletions
@@ -0,0 +1,240 @@
+# Implement Automated Docker Image Vulnerability Scanning
+
+**Issue**: #250 (Epic)
+**Parent Epic**: N/A (Independent security initiative)
+**Related**:
+
+- Security best practices
+- CI/CD pipeline improvements
+- Subissue #251: Implement Basic Trivy Scanning Workflow
+- Subissue #252: Implement Dynamic Image Detection for Scanning
+
+## Overview
+
+This epic implements automated vulnerability scanning for all Docker images used in the project using Trivy. The implementation is divided into two phases:
+
+1. **Basic Scanning**: Hardcoded image list with periodic and PR-triggered scans
+2. **Dynamic Scanning**: Automatically detect images from environment configuration
+
+## Problem Statement
+
+Currently, the project uses multiple Docker images without automated vulnerability scanning:
+
+- `docker/provisioned-instance/Dockerfile`
+- `docker/ssh-server/Dockerfile`
+- `templates/docker-compose/docker-compose.yml.tera`
+
+This creates security risks as vulnerabilities in these images go undetected until discovered manually or exploited.
+
+## Container Images in Scope
+
+### Project-Built Images
+
+These images are built from Dockerfiles in this repository:
+
+1. **Provisioned Instance**: `torrust-tracker-deployer/provisioned-instance`
+
+   - Source: `docker/provisioned-instance/Dockerfile`
+   - Purpose: Test container for E2E deployment testing
+
+2. **SSH Server**: `torrust-tracker-deployer/ssh-server`
+   - Source: `docker/ssh-server/Dockerfile`
+   - Purpose: Mock SSH server for integration testing
+
+### Third-Party Images
+
+These images are referenced in Docker Compose templates:
+
+1. **Torrust Tracker**: `torrust/tracker:develop`
+
+   - Purpose: BitTorrent tracker application
+   - Source template: `templates/docker-compose/docker-compose.yml.tera`
+
+2. **MySQL Database**: `mysql:8.0`
+
+   - Purpose: Tracker database backend
+   - Source template: `templates/docker-compose/docker-compose.yml.tera`
+
+3. **Grafana**: `grafana/grafana:11.4.0`
+
+   - Purpose: Metrics visualization dashboard
+   - Source template: `templates/docker-compose/docker-compose.yml.tera`
+
+4. **Prometheus**: `prom/prometheus:v3.0.1`
+   - Purpose: Metrics collection and monitoring
+   - Source template: `templates/docker-compose/docker-compose.yml.tera`
+
+**Total Images**: 6 (2 project-built + 4 third-party)
+
+## Current Vulnerability Status
+
+> **Scan Date**: 2025-12-22
+> **Scanner**: Trivy (latest)
+> **Severity Filter**: HIGH, CRITICAL
+
+### Project-Built Images
+
+#### 1. torrust-tracker-deployer/provisioned-instance:latest
+
+```text
+Status: ✅ CLEAN
+Total: 0 (HIGH: 0, CRITICAL: 0)
+Base OS: Ubuntu 24.04
+Notes: No HIGH or CRITICAL vulnerabilities detected
+```
+
+#### 2. torrust-tracker-deployer/ssh-server:latest
+
+```text
+Status: ✅ CLEAN
+Total: 0 (HIGH: 0, CRITICAL: 0)
+Base OS: Alpine 3.22.2
+Notes: No HIGH or CRITICAL vulnerabilities detected
+```
+
+### Third-Party Images
+
+#### 3. torrust/tracker:develop
+
+```text
+Status: ⚠️ VULNERABILITIES FOUND
+Total: 5 (HIGH: 4, CRITICAL: 1)
+Base OS: Debian 12.11
+
+CRITICAL Vulnerabilities:
+- CVE-2019-1010022 (libc6): glibc stack guard protection bypass
+  Installed: 2.36-9+deb12u10
+  Fixed: Not available
+
+HIGH Vulnerabilities:
+- CVE-2018-20796 (libc6): glibc uncontrolled recursion in check_dst_limits_calc_pos_1
+  Installed: 2.36-9+deb12u10
+  Fixed: Not available
+
+- CVE-2019-1010023 (libc6): glibc running ldd on malicious ELF leads to code execution
+  Installed: 2.36-9+deb12u10
+  Fixed: Not available
+
+- CVE-2019-9192 (libc6): glibc uncontrolled recursion in check_dst_limits_calc_pos_1
+  Installed: 2.36-9+deb12u10
+  Fixed: Not available
+
+- CVE-2023-0286 (libssl3): X.400 address type confusion in X.509 GeneralName
+  Installed: 3.0.16-1~deb12u1
+  Fixed: Not available
+
+⚠️ Action Required: These are known glibc/openssl CVEs without available patches.
+Consider evaluating risk vs. functionality trade-offs.
+```
+
+#### 4. mysql:8.0
+
+```text
+Status: ✅ CLEAN
+Total: 0 (HIGH: 0, CRITICAL: 0)
+Base OS: Oracle Linux 9.5
+Notes: No HIGH or CRITICAL vulnerabilities detected
+Warning: OS version no longer supported by distribution
+```
+
+#### 5. grafana/grafana:11.4.0
+
+```text
+Status: ✅ CLEAN
+Total: 0 (HIGH: 0, CRITICAL: 0)
+Base OS: Alpine 3.20.3
+Notes: No HIGH or CRITICAL vulnerabilities detected
+Warning: OS version no longer supported by distribution
+```
+
+#### 6. prom/prometheus:v3.0.1
+
+```text
+Status: ✅ CLEAN
+Total: 0 (HIGH: 0, CRITICAL: 0)
+Notes: No HIGH or CRITICAL vulnerabilities detected
+Warning: OS not detected (distroless or scratch-based image)
+```
+
+### Summary
+
+- **Clean Images**: 5/6 (83%)
+- **Images with Vulnerabilities**: 1/6 (17%)
+- **Total HIGH Vulnerabilities**: 4
+- **Total CRITICAL Vulnerabilities**: 1
+- **Images Requiring Attention**: torrust/tracker:develop
+
+### Recommended Actions
+
+1. **Immediate**: Document the known vulnerabilities in `torrust/tracker:develop` as accepted risks or plan mitigation
+2. **Short-term**: Implement Phase 1 (basic scanning workflow) to prevent introduction of new vulnerable images
+3. **Medium-term**: Monitor for patches to the identified CVEs in glibc and openssl
+4. **Long-term**: Implement Phase 2 (dynamic detection) for maintainable scanning
+
+## Solution Approach
+
+### Phase 1: Basic Scanning (Subissue 1)
+
+Implement Trivy-based scanning workflow with:
+
+- Hardcoded list of images to scan
+- Scan on PR and push events
+- Periodic scanning (e.g., daily/weekly)
+- Fail build on HIGH/CRITICAL vulnerabilities
+- Generate vulnerability reports
+
+### Phase 2: Dynamic Scanning (Subissue 2)
+
+Make scanning dynamic and maintainable:
+
+- Extract Docker images from environment configuration
+- Store image references in environment data structure
+- Use `show` command to expose image information
+- Update workflow to dynamically detect images
+- Eliminate manual image list maintenance
+
+## Tasks
+
+- [ ] #X - Implement basic Trivy scanning workflow with hardcoded images
+- [ ] #X - Implement dynamic image detection using environment configuration
+
+## Benefits
+
+**Security**:
+
+- Continuous vulnerability monitoring
+- Early detection of security issues
+- Automated security compliance
+
+**Maintainability**:
+
+- No manual image list updates (Phase 2)
+- Consistent scanning across all images
+- Integration with existing environment management
+
+**Development Workflow**:
+
+- Fail fast on vulnerable images
+- Clear security status in PRs
+- Periodic monitoring for new vulnerabilities
+
+## Related Documentation
+
+- GitHub Actions workflows: `.github/workflows/`
+- Docker files: `docker/`
+- Docker Compose template: `templates/docker-compose/docker-compose.yml.tera`
+- Environment show command: `docs/issues/241-implement-environment-show-command.md`
+- Trivy documentation: https://github.com/aquasecurity/trivy
+
+## Timeline
+
+- **Phase 1**: 2-4 hours - Immediate security improvement
+- **Phase 2**: 4-6 hours - Long-term maintainability (depends on #241)
+
+## Success Criteria
+
+- [ ] All Docker images scanned automatically
+- [ ] HIGH/CRITICAL vulnerabilities block builds
+- [ ] Periodic scans detect new vulnerabilities
+- [ ] Dynamic detection eliminates manual maintenance
+- [ ] Documentation updated for security workflow