We actively support the latest version of cc-docker. Security updates will be provided for:
| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |
If you discover a security vulnerability, please do not open a public issue. Instead, please report it privately:
- Email: Send details to the repository maintainers (check the repository's main page for contact information)
- GitHub Security Advisory: Use GitHub's private vulnerability reporting feature if available
When reporting a vulnerability, please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Your contact information (optional, but helpful for follow-up questions)
We aim to:
- Acknowledge receipt within 48 hours
- Provide an initial assessment within 7 days
- Keep you informed of our progress
- We will work with you to understand and resolve the issue quickly
- We will credit you for the discovery (unless you prefer to remain anonymous)
- We will coordinate public disclosure after a fix is available
When using cc-docker:
- Environment Variables: Never commit `.env` files or `.docker/env` files containing sensitive information
- API Keys: Store API keys securely in environment variables, not in code
- Docker Images: Regularly update base images to get security patches
- Permissions: Review file permissions and container access controls
- Network: Be cautious when using `--network host` mode
- The Docker container runs with `--network host` by default, which shares the host's network stack
- The container includes a non-root user `developer` with sudo privileges
- Environment variables are passed to the container and may be visible in container inspection
Thank you for helping keep cc-docker secure!