docs: refine security priority level docs after review

josecelano · josecelano · commit 4fe8246cc1ce · 2026-04-15T13:27:37.000+01:00
diff --git a/docs/research/caddy-tls-proxy-evaluation/security-scan.md b/docs/research/caddy-tls-proxy-evaluation/security-scan.md
@@ -28,15 +28,13 @@
 ### HIGH Severity
 
 1. **CVE-2025-59530** - Crash in github.com/quic-go/quic-go
-
    - **Component**: `github.com/quic-go/quic-go`
    - **Installed Version**: v0.54.0
    - **Fixed Version**: 0.49.1, 0.54.1
    - **Description**: quic-go Crash Due to Premature HANDSHAKE_DONE Frame
    - **Reference**: https://avd.aquasec.com/nvd/cve-2025-59530
 
 2. **CVE-2025-58183** - Unbounded allocation in Go stdlib
-
    - **Component**: `stdlib`
    - **Installed Version**: v1.25.0
    - **Fixed Version**: 1.24.8, 1.25.2
@@ -55,13 +53,11 @@
 ### Risk Assessment
 
 1. **CVE-2025-44005 (CRITICAL)**:
-
    - **Impact**: Authorization bypass in certificate creation
    - **Mitigation**: This affects the `smallstep/certificates` library, which is used by Caddy for certificate management
    - **Action Required**: Monitor for Caddy v2.11 release with updated dependencies
 
 2. **CVE-2025-59530 (HIGH)**:
-
    - **Impact**: QUIC protocol crash vulnerability
    - **Mitigation**: Affects HTTP/3 (QUIC) support; HTTP/2 and HTTP/1.1 not affected
    - **Action Required**: Monitor for Caddy release with patched QUIC library
@@ -106,12 +102,10 @@ Caddy's vulnerability count is within normal range for Go-based proxies.
 When Caddy is officially integrated into the deployer (new issue), the following workflow updates will be required:
 
 1. **Update `.github/workflows/docker-security-scan.yml`**:
-
    - Add `caddy:2.10` (or latest version) to the third-party images matrix
    - This ensures automated security scanning in CI/CD pipeline
 
 2. **Add to security scan documentation**:
-
    - Create `docs/security/production/scans/caddy.md` with scan history
    - Update summary table in `docs/security/production/scans/README.md`
 
diff --git a/docs/security/README.md b/docs/security/README.md
@@ -86,10 +86,10 @@ Docker images and other artifacts used only in automated tests or local developm
 
 ## Scan Tooling
 
-| Tool | Purpose | Run Command |
-| ---- | ------- | ----------- |
-| Trivy | Docker image CVE scanning | `trivy image --severity HIGH,CRITICAL <image>` |
-| cargo-audit | Rust dependency audits | `cargo audit` |
+| Tool        | Purpose                   | Run Command                                    |
+| ----------- | ------------------------- | ---------------------------------------------- |
+| Trivy       | Docker image CVE scanning | `trivy image --severity HIGH,CRITICAL <image>` |
+| cargo-audit | Rust dependency audits    | `cargo audit`                                  |
 
 ## Current Security Status
 
diff --git a/docs/security/deployer/docker/scans/README.md b/docs/security/deployer/docker/scans/README.md
@@ -7,8 +7,8 @@ For production image scans, see [`../../../production/scans/`](../../../producti
 
 ## Current Status Summary
 
-| Image                      | Version | HIGH | CRITICAL | Status                                  | Last Scan    | Details                             |
-| -------------------------- | ------- | ---- | -------- | --------------------------------------- | ------------ | ----------------------------------- |
+| Image                      | Version | HIGH | CRITICAL | Status                                 | Last Scan    | Details                             |
+| -------------------------- | ------- | ---- | -------- | -------------------------------------- | ------------ | ----------------------------------- |
 | `torrust/tracker-deployer` | trixie  | 46   | 1        | ⚠️ CRITICAL blocked (OpenTofu grpc-go) | Apr 15, 2026 | [View](torrust-tracker-deployer.md) |
 
 ## Scan Archives
diff --git a/docs/security/production/README.md b/docs/security/production/README.md
@@ -5,12 +5,12 @@ These are [Priority 1](../README.md) — the highest-risk surface because they r
 
 ## Images Covered
 
-| Image | Role |
-| ----- | ---- |
-| `caddy` | TLS termination proxy — public-facing |
-| `prom/prometheus` | Metrics collection |
-| `grafana/grafana` | Metrics dashboards |
-| `mysql` | Tracker database |
+| Image                    | Role                                                                |
+| ------------------------ | ------------------------------------------------------------------- |
+| `caddy`                  | TLS termination proxy — public-facing                               |
+| `prom/prometheus`        | Metrics collection                                                  |
+| `grafana/grafana`        | Metrics dashboards                                                  |
+| `mysql`                  | Tracker database                                                    |
 | `torrust/tracker-backup` | Backup service — runs on a schedule inside the deployed environment |
 
 ## Scanning with Trivy
diff --git a/docs/security/production/scans/README.md b/docs/security/production/scans/README.md
@@ -4,13 +4,13 @@ Historical security scan results for Docker images deployed to production by the
 
 ## Current Status Summary
 
-| Image              | Version | HIGH | CRITICAL | Status                                   | Last Scan    | Details                                                                    |
-| ------------------ | ------- | ---- | -------- | ---------------------------------------- | ------------ | -------------------------------------------------------------------------- |
-| `caddy`            | 2.11.2  | 10   | 2        | ⚠️ CRITICAL pending upstream              | Apr 15, 2026 | [View](caddy.md)                                                           |
-| `prom/prometheus`  | v3.11.2 | 4    | 0        | ✅ Remediated                            | Apr 14, 2026 | [View](prometheus.md)                                                      |
-| `grafana/grafana`  | 12.4.2  | 4    | 0        | ⚠️ Accepted risk (OS `<no-dsa>`)          | Apr 8, 2026  | [View](grafana.md)                                                         |
-| `mysql`            | 8.4     | 9    | 1        | ⚠️ Accepted risk (gosu/mysqlsh, not core) | Apr 15, 2026 | [View](mysql.md)                                                           |
-| `torrust/tracker-backup` | trixie | 6  | 0        | ⚠️ Accepted risk (Debian `<no-dsa>`)    | Apr 15, 2026 | [View](torrust-tracker-backup.md)                                          |
+| Image                    | Version | HIGH | CRITICAL | Status                                    | Last Scan    | Details                           |
+| ------------------------ | ------- | ---- | -------- | ----------------------------------------- | ------------ | --------------------------------- |
+| `caddy`                  | 2.11.2  | 10   | 2        | ⚠️ CRITICAL pending upstream              | Apr 15, 2026 | [View](caddy.md)                  |
+| `prom/prometheus`        | v3.11.2 | 4    | 0        | ✅ Remediated                             | Apr 14, 2026 | [View](prometheus.md)             |
+| `grafana/grafana`        | 12.4.2  | 4    | 0        | ⚠️ Accepted risk (OS `<no-dsa>`)          | Apr 8, 2026  | [View](grafana.md)                |
+| `mysql`                  | 8.4     | 9    | 1        | ⚠️ Accepted risk (gosu/mysqlsh, not core) | Apr 15, 2026 | [View](mysql.md)                  |
+| `torrust/tracker-backup` | trixie  | 6    | 0        | ⚠️ Accepted risk (Debian `<no-dsa>`)      | Apr 15, 2026 | [View](torrust-tracker-backup.md) |
 
 ## Scanning Instructions
 
diff --git a/docs/security/testing/scans/README.md b/docs/security/testing/scans/README.md
@@ -5,10 +5,10 @@ These are [Priority 4](../../README.md) images — they never run in production.
 
 ## Current Status Summary
 
-| Image                                  | Version | HIGH | CRITICAL | Status                    | Last Scan   | Details                                                         |
-| -------------------------------------- | ------- | ---- | -------- | ------------------------- | ----------- | --------------------------------------------------------------- |
-| `torrust/tracker-ssh-server`           | 3.23.3  | 0    | 0        | ✅ Remediated (vuln scan) | Apr 8, 2026 | [View](torrust-ssh-server.md)                                   |
-| `torrust/tracker-provisioned-instance` | 24.04   | 0    | 0        | ✅ Remediated (vuln scan) | Apr 8, 2026 | [View](torrust-tracker-provisioned-instance.md)                 |
+| Image                                  | Version | HIGH | CRITICAL | Status                    | Last Scan   | Details                                         |
+| -------------------------------------- | ------- | ---- | -------- | ------------------------- | ----------- | ----------------------------------------------- |
+| `torrust/tracker-ssh-server`           | 3.23.3  | 0    | 0        | ✅ Remediated (vuln scan) | Apr 8, 2026 | [View](torrust-ssh-server.md)                   |
+| `torrust/tracker-provisioned-instance` | 24.04   | 0    | 0        | ✅ Remediated (vuln scan) | Apr 8, 2026 | [View](torrust-tracker-provisioned-instance.md) |
 
 ## Scan Archives
 
