Reporting a vulnerability

Do not open a public GitHub issue for security vulnerabilities. You can report a vulnerability through any of the following channels:

Web form

Submit a report through the dedicated security page on sonicverse.eu.

Email

Send details directly to security@sonicverse.eu.

GitHub

Use GitHub’s private vulnerability reporting.

Include the following in your report:
  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Affected version, environment, or commit (if known)
  • Any suggested fix or mitigation

You can expect an acknowledgment within 3 business days and initial triage within 7 days. Critical issues receive a patch within 14 days.

Scope

In scope:
  • Command injection via the status panel API
  • Authentication bypass in the Appwrite integration
  • Container escape via Docker socket exposure
  • Secrets leakage through API responses
  • CORS misconfigurations allowing unauthorized cross-origin access

Out of scope:
  • Issues requiring physical access to the server
  • Denial of service attacks against a specific deployment
  • Social engineering
  • Vulnerabilities in third-party dependencies (report those upstream)

Container hardening

All service containers (Status API, Nginx, Analytics, and Icecast) run as non-root users (UID 1000) by default. This limits the impact of a container escape: processes inside the container do not have root privileges on the host.
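A non-root policy is only as good as the final stage of each image, so the check worth automating is "what user does this Dockerfile actually end with?" The script below is an added example, not part of the project, that extracts the effective USER of the last build stage and classifies it. The two Dockerfiles it audits are constructed for illustration (they are not the project's own) and show the common pitfall where USER is set in a build stage but not in the stage that ships.

```python
"""Audit a Dockerfile for the user its final stage runs as.
Added example, not the project's code; the Dockerfiles below are constructed."""
import re
from typing import Optional, Tuple


def effective_user(dockerfile_text: str) -> Optional[str]:
    """Return the argument of the last USER instruction in the final build
    stage, or None when no USER is set (Docker then defaults to root)."""
    # Join backslash line continuations so multi-line RUN/USER parse as one line.
    text = re.sub(r"\\\r?\n", " ", dockerfile_text)
    user = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        instr = parts[0].upper()
        args = parts[1] if len(parts) > 1 else ""
        if instr == "FROM":
            # A new stage starts; USER from an earlier stage does not carry over.
            user = None
        elif instr == "USER":
            user = args.strip()
    return user


def classify_user(user: Optional[str]) -> Tuple[str, str]:
    """Map a USER value to (status, reason); status is root, nonroot or unknown."""
    if user is None:
        return ("root", "no USER instruction in final stage: runs as root by default")
    name = user.split(":", 1)[0]  # drop the optional :group part
    if name in ("root", "0"):
        return ("root", f"USER {user} is root")
    if name.isdigit():
        return ("nonroot", f"USER {user} is numeric UID {name}")
    return ("unknown", f"USER {user} is a name; resolve it against the image's /etc/passwd")


# Constructed example: build stage, then a runtime stage that drops to UID 1000.
HARDENED = """
FROM node:20-alpine AS build
WORKDIR /app
COPY . .
RUN npm ci && npm run build

FROM node:20-alpine
WORKDIR /app
COPY --from=build /app/dist ./dist
RUN addgroup -g 1000 app && adduser -u 1000 -G app -D app \\
    && chown -R app:app /app
USER 1000:1000
CMD ["node", "dist/server.js"]
"""

# Constructed pitfall: USER only appears in the build stage, so the shipped
# stage silently runs as root.
STAGE_PITFALL = """
FROM node:20-alpine AS build
USER 1000
WORKDIR /app
COPY . .
RUN npm ci && npm run build

FROM node:20-alpine
COPY --from=build /app/dist /app/dist
CMD ["node", "/app/dist/server.js"]
"""

if __name__ == "__main__":
    for label, df in (("hardened", HARDENED), ("stage-pitfall", STAGE_PITFALL)):
        print(label, classify_user(effective_user(df)))
```

A numeric UID such as 1000:1000 is preferable to a user name in USER: a name has to exist in the image's /etc/passwd for the container to start, whereas a numeric UID always works and is what the host kernel enforces anyway.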

Automated code analysis

SonarQube Cloud automatically analyzes pull requests and pushes to main for code quality, security vulnerabilities, and coverage reporting.

Secret scanning

This repository uses TruffleHog to detect accidentally committed secrets and sensitive data. A configuration file is provided at trufflehog.toml in the repository root.

Running TruffleHog locally

Install TruffleHog:

    # macOS
    brew install trufflehog

    # Linux / CI (latest release binary)
    curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin

Scan the repository against the full git history:

    trufflehog git file://. --config trufflehog.toml

Scan only the current working tree (faster, good for pre-commit checks):

    trufflehog filesystem . --config trufflehog.toml
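To make the scan results easier to interpret, here is an added example (not TruffleHog's code and not part of this repository) of the two checks a secret scanner combines: precise known-prefix patterns, and an entropy test on values assigned to credential-looking names. The patterns, the 3.5-bit threshold and the sample lines are assumptions chosen for illustration; none of the sample values are real credentials.

```python
"""Minimal secret-detection pass over text lines.
Added example, not TruffleHog's code; patterns, threshold and samples are assumed."""
import math
import re

# Known-prefix detectors: cheap and precise. Real scanners ship hundreds of
# these and additionally verify hits against the issuing service.
KNOWN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic detector: an assignment to a credential-looking name whose value is
# long and high-entropy. This heuristic is where most false positives come from.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[A-Z0-9_]*(?:secret|token|password|api[_-]?key)[A-Z0-9_]*)"
    r"\s*[=:]\s*['\"]?(?P<value>[A-Za-z0-9+/=_\-]{16,})['\"]?"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed value, tune per repository


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines, source="<constructed>"):
    """Return one finding dict per suspected secret, in line order."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        hits = [name for name, pat in KNOWN_PATTERNS.items() if pat.search(line)]
        if hits:
            for detector in hits:
                findings.append({"source": source, "line": lineno,
                                 "detector": detector, "verified": False})
            continue  # a known pattern outranks the generic heuristic
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group("value")) >= ENTROPY_THRESHOLD:
            findings.append({"source": source, "line": lineno,
                             "detector": "high_entropy_assignment",
                             "name": m.group("name"), "verified": False})
    return findings


# Constructed sample input resembling a leaked .env file. The GitHub token is
# made up, and the AWS key id is the example value from AWS's own documentation.
SAMPLE_LINES = [
    "DATABASE_URL=postgres://app:app@db:5432/app",
    "ICECAST_SOURCE_PASSWORD=changeme",
    "GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxx",
    'STATUS_API_KEY = "0123456789abcdef0123456789abcdef"',
    "-----BEGIN RSA PRIVATE KEY-----",
    "# set STATUS_API_TOKEN to a random 32-byte value in production",
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(finding)
```

Two of the sample lines are deliberately not flagged: the short default password and the all-x placeholder both fail the length or entropy test. That is the trade-off of the generic heuristic, and it is why a real scan should also be run against the full git history, where a secret that was later replaced by a placeholder still lives in an older commit.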

Running in CI

Add TruffleHog to your GitHub Actions workflow:

    - name: Scan for secrets
      uses: trufflesecurity/trufflehog@main
      with:
        extra_args: --config trufflehog.toml

Supported versions

Version   Supported
Latest    Yes