feat: [#272] add Caddy to Docker security scan workflow

- Add caddy:2.10 to third-party images matrix in CI
- Add SARIF upload step for Caddy vulnerability scanning
- Create security scan documentation for Caddy image
- Document 4 known vulnerabilities (3 HIGH, 1 CRITICAL) in Go dependencies

Author: josecelano

.github/workflows/docker-security-scan.yml

@@ -107,6 +107,7 @@ jobs:
           - mysql:8.0
           - grafana/grafana:11.4.0
           - prom/prometheus:v3.0.1
+          - caddy:2.10
 
     steps:
       - name: Display vulnerabilities (table format)
@@ -219,3 +220,11 @@ jobs:
           sarif_file: sarif-third-party-prom-prometheus-v3.0.1-${{ github.run_id }}/trivy.sarif
           category: docker-third-party-prom-prometheus-v3.0.1
         continue-on-error: true
+
+      - name: Upload third-party caddy SARIF
+        if: always()
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: sarif-third-party-caddy-2.10-${{ github.run_id }}/trivy.sarif
+          category: docker-third-party-caddy-2.10
+        continue-on-error: true

docs/issues/272-add-https-support-with-caddy.md

@@ -676,11 +676,11 @@ Add link to HTTPS setup guide.
 
 ### Phase 4: Security Workflow Updates (1 hour)
 
-- [ ] Add `caddy:2.10` to security scan workflow matrix
-- [ ] Add SARIF upload step for Caddy scan results
-- [ ] Update `docs/security/docker/scans/README.md` with Caddy entry
-- [ ] Run security scan locally to verify configuration
-- [ ] Document vulnerability assessment (reference [docs/research/caddy-tls-proxy-evaluation/security-scan.md](../research/caddy-tls-proxy-evaluation/security-scan.md))
+- [x] Add `caddy:2.10` to security scan workflow matrix
+- [x] Add SARIF upload step for Caddy scan results
+- [x] Update `docs/security/docker/scans/README.md` with Caddy entry
+- [x] Run security scan locally to verify configuration
+- [x] Document vulnerability assessment (reference [docs/research/caddy-tls-proxy-evaluation/security-scan.md](../research/caddy-tls-proxy-evaluation/security-scan.md))
 
 ### Phase 5: Documentation (4-5 hours)
 

docs/security/docker/scans/README.md

@@ -7,17 +7,19 @@ This directory contains historical security scan results for Docker images used
 | Image                      | Version | HIGH | CRITICAL | Status       | Last Scan    | Details                             |
 | -------------------------- | ------- | ---- | -------- | ------------ | ------------ | ----------------------------------- |
 | `torrust/tracker-deployer` | latest  | 25   | 7        | ⚠️ Monitored | Jan 10, 2026 | [View](torrust-tracker-deployer.md) |
+| `caddy`                    | 2.10    | 3    | 1        | ⚠️ Monitored | Jan 13, 2026 | [View](caddy.md)                    |
 | `prom/prometheus`          | v3.5.0  | 0    | 0        | ✅ SECURE    | Dec 29, 2025 | [View](prometheus.md)               |
 | `grafana/grafana`          | 12.3.1  | 0    | 0        | ✅ SECURE    | Dec 29, 2025 | [View](grafana.md)                  |
 | `mysql`                    | 8.4     | 0    | 0        | ✅ SECURE    | Dec 29, 2025 | [View](mysql.md)                    |
 
-**Overall Status**: ⚠️ Deployer image has upstream Debian vulnerabilities (no fixes available yet). All other images secure.
+**Overall Status**: ⚠️ Deployer and Caddy images have upstream vulnerabilities (fixes available, monitoring for releases).
 
 ## Scan Archives
 
 Each file contains the complete scan history for a service:
 
 - [torrust-tracker-deployer.md](torrust-tracker-deployer.md) - The deployer Docker image
+- [caddy.md](caddy.md) - Caddy TLS termination proxy
 - [prometheus.md](prometheus.md) - Prometheus monitoring
 - [grafana.md](grafana.md) - Grafana dashboards
 - [mysql.md](mysql.md) - MySQL database

docs/security/docker/scans/caddy.md

@@ -0,0 +1,68 @@
+# Caddy Security Scan History
+
+**Image**: `caddy:2.10`
+**Purpose**: TLS termination proxy for HTTPS support
+**Documentation**: [Caddy TLS Proxy Evaluation](../../research/caddy-tls-proxy-evaluation/README.md)
+
+## Current Status
+
+| Version | HIGH | CRITICAL | Status       | Scan Date    |
+| ------- | ---- | -------- | ------------ | ------------ |
+| 2.10    | 3    | 1        | ⚠️ Monitored | Jan 13, 2026 |
+
+**Deployment Status**: ✅ Safe to deploy with monitoring
+
+## Vulnerability Summary
+
+The Caddy 2.10 image has:
+
+- **Alpine base image**: Clean (0 vulnerabilities)
+- **Caddy binary (Go)**: 4 vulnerabilities in dependencies (not Caddy core)
+
+All vulnerabilities have fixed versions available upstream and are expected to be resolved in the next Caddy release.
+
+## Scan History
+
+### January 13, 2026 - caddy:2.10
+
+**Scanner**: Trivy v0.68
+
+| Target                     | Type     | HIGH | CRITICAL |
+| -------------------------- | -------- | ---- | -------- |
+| caddy:2.10 (alpine 3.22.2) | alpine   | 0    | 0        |
+| usr/bin/caddy              | gobinary | 3    | 1        |
+
+**Vulnerabilities Found**:
+
+| CVE            | Severity | Component                         | Fixed Version   |
+| -------------- | -------- | --------------------------------- | --------------- |
+| CVE-2025-44005 | CRITICAL | github.com/smallstep/certificates | 0.29.0          |
+| CVE-2025-59530 | HIGH     | github.com/quic-go/quic-go        | 0.49.1, 0.54.1  |
+| CVE-2025-58183 | HIGH     | stdlib (archive/tar)              | 1.24.8, 1.25.2  |
+| CVE-2025-61729 | HIGH     | stdlib (crypto/x509)              | 1.24.11, 1.25.5 |
+
+**Risk Assessment**:
+
+1. **CVE-2025-44005**: Authorization bypass in certificate creation (smallstep library)
+2. **CVE-2025-59530**: QUIC protocol crash (affects HTTP/3 only)
+3. **CVE-2025-58183**: Unbounded allocation in tar parsing
+4. **CVE-2025-61729**: Resource consumption in x509 certificate validation
+
+**Recommendation**: Deploy with monitoring. Update to patched version when Caddy v2.11 releases.
+
+## Related Documentation
+
+- [Full Security Analysis](../../../research/caddy-tls-proxy-evaluation/security-scan.md)
+- [Caddy Evaluation Summary](../../../research/caddy-tls-proxy-evaluation/README.md)
+- [HTTPS Implementation](../../../issues/272-add-https-support-with-caddy.md)
+
+## How to Rescan
+
+```bash
+trivy image --severity HIGH,CRITICAL caddy:2.10
+```
+
+## Security Advisories
+
+- **Caddy**: <https://github.com/caddyserver/caddy/security/advisories>
+- **Alpine Linux**: <https://secdb.alpinelinux.org/>

project-words.txt

@@ -45,6 +45,7 @@ QUIC
 RAII
 RUSTDOCFLAGS
 Repomix
+Rescan
 Rustdoc
 SARIF
 SCRIPTDIR