This page documents the security monitoring and remediation systems set up as of 24 May 2026.
The dashboard at security.veripath.co.uk/dashboard/ is the central status board for security operations.
A floating blue button opens the Security Operations Agent in an iframe. Click Ask next to any image with criticals to have the agent analyse it. The agent knows the full operational plan, can read scan results, and provides step-by-step remediation guidance.
| Component | Schedule | Mechanism |
|---|---|---|
| Trivy image scans | Sunday 3am | /opt/security-scanner-scripts/scan_trivy_weekly.sh |
| Scan analysis | After each scan | /opt/security-scanner-scripts/analyze_scans.py → /tmp/scan-analysis.json |
| Watchtower auto-updates | Daily | Auto-updates containers when upstream images are rebuilt |
| Dashboard data | Live | Reads latest scan files from /tmp/trivy-scans/ |
The analysis script classifies each image as:
```bash
docker pull <image>:<newer-tag>
docker stop <container>
docker rename <container> <container>_old
docker run -d ... <image>:<newer-tag> # same mounts, network, restart
# verify, then keep old container 48h for rollback
```
```dockerfile
FROM <image>:<tag>
RUN apt-get update && apt-get upgrade -y
```
Build and deploy as above. Switch back to the official image when it catches up.
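The clean / upstream / actionable split used on the dashboard can be reproduced from raw Trivy JSON. The script below is an added example, not the page's own analyze_scans.py; the image names and the CVE ids in the sample data are constructed placeholders, and it assumes the standard `trivy image -f json` layout (`Results[].Vulnerabilities[]` with `Severity` and `FixedVersion`).

```python
"""Classify Trivy JSON scan results into clean / upstream / actionable.
Added example; not the dashboard's analyze_scans.py."""
import json


def critical_findings(scan: dict) -> dict:
    """Map (CVE id, package) -> FixedVersion ('' when upstream has no fix yet).
    Deduplicating on that pair avoids counting one CVE twice when Trivy reports
    it for both an OS package and a bundled language dependency."""
    found = {}
    for result in scan.get("Results") or []:
        # Trivy emits null (not []) for targets with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") != "CRITICAL":
                continue
            key = (vuln["VulnerabilityID"], vuln.get("PkgName", "?"))
            found[key] = vuln.get("FixedVersion") or ""
    return found


def classify(scan: dict) -> dict:
    """clean: no criticals. actionable: at least one critical has a FixedVersion,
    so a tag bump or patched rebuild removes it. upstream: criticals exist but
    none has a fix, so only the image maintainer can clear them."""
    found = critical_findings(scan)
    fixable = {k: v for k, v in found.items() if v}
    status = "clean" if not found else ("actionable" if fixable else "upstream")
    return {"criticals": len(found), "fixable": len(fixable), "status": status,
            "packages": sorted({pkg for _, pkg in found})}


def analyze_all(scans: dict) -> dict:
    return {image: classify(scan) for image, scan in scans.items()}


# Constructed sample scans; CVE ids and versions are placeholders, not real data.
SAMPLE_SCANS = {
    "nginx:stable": {"Results": [{"Target": "nginx:stable (debian)", "Vulnerabilities": None}]},
    "postgres:15-alpine": {"Results": [{"Target": "postgres:15-alpine (alpine)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "gosu", "Severity": "CRITICAL", "FixedVersion": ""}]}]},
    "wiki:latest": {"Results": [
        {"Target": "wiki:latest (debian)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "gnutls", "Severity": "CRITICAL", "FixedVersion": "1.0-fixed"}]},
        {"Target": "Node.js", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-PLACEHOLDER-3", "PkgName": "some-npm-dep", "Severity": "CRITICAL", "FixedVersion": ""},
            {"VulnerabilityID": "CVE-PLACEHOLDER-4", "PkgName": "other-dep", "Severity": "HIGH", "FixedVersion": "2.0.0"}]}]},
}

if __name__ == "__main__":
    print(json.dumps(analyze_all(SAMPLE_SCANS), indent=2))
```

Pointing `analyze_all` at files loaded from /tmp/trivy-scans/ gives the same three buckets the status table below uses; an image only leaves the upstream bucket when Trivy starts reporting a FixedVersion.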
| Image | Change | Criticals before | Criticals after |
|---|---|---|---|
| nginx:1.25 | → nginx:stable (1.30.2) | 21 | 0 |
| directus:11.6.1 | → directus:latest (11.17.4) | 17 | 2 |
| Setting | Change | Result |
|---|---|---|
| Keycloak client baseUrl | /oidc/authenticate/ → /login | Fixed 400 error |
| nginx callback redirect | Added $is_args$args | Fixed OIDC callback |
| X-Frame-Options | Removed for /integrations/ paths | Enabled agent chat iframe |
| Django SameSite | Set to None; Secure | Enabled cross-origin agent auth |
The Data Security Agent (ID 4) was repurposed as the Security Operations Agent. It is embedded in the dashboard and has a system prompt encoding:
Access it at gp.veripath.co.uk/integrations/agents/chat/embed/?agent_id=4 or via the blue chat button on the dashboard.
| Image | Criticals | Status |
|---|---|---|
| nginx:stable | 0 | ✅ Clean |
| keycloak:26.6.1 | 0 | ✅ Clean |
| redis:7-alpine | 0 | ✅ Clean |
| valkey:7.2-alpine | 0 | ✅ Clean |
| directus:latest | 2 | ⏳ Upstream (gosu CVE) |
| postgres:15-alpine | 1 | ⏳ Upstream (gosu CVE) |
| postgres:15 | 3 | ⏳ Upstream (GnuTLS + gosu) |
| defectdojo-django:latest | 13 | 🔴 Actionable (bind9 + GnuTLS) |
| wiki:latest | 10 | 🔴 Actionable (npm deps + GnuTLS) |
| roundcube:latest | 9 | 🔴 Actionable (python + GnuTLS) |
| forgejo:14.0 | 5 | 🔴 Actionable (OpenSSL + pgx + GnuTLS) |