If you discover a security vulnerability in this project, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, please email: support@ictsolutions.net

Include:

• Description of the vulnerability
• Steps to reproduce
• Affected versions
• Potential impact

We will acknowledge your report within 48 hours and aim to provide a fix or mitigation within 7 days for critical issues.

This project implements the following security practices:

• Non-root container — runs as user duo (UID/GID 35505)
• Vulnerability scanning — Trivy on every build, results in GitHub Security tab
• SBOM generation — SPDX format for supply chain transparency
• Build provenance — attested via GitHub Attestations
• Dependency updates — Dependabot monitors Docker base image and GitHub Actions
• Secret handling — supports _FILE suffix pattern for Docker secrets; never logs plaintext credentials
• Minimal base image — build dependencies are not carried into the final layer

We follow coordinated vulnerability disclosure. We ask that you give us reasonable time to address the issue before public disclosure.