This is a Docker image that runs obsidian-headless
(the ob CLI) under s6-overlay
to continuously sync an Obsidian vault. The attack surface this repository owns:
- The Dockerfile — base image, the
obsidian-headlessinstall, user/UID setup, and build-time ownership of the vault and config directories - s6-overlay init/service scripts (
rootfs/) — the auth check,ob login,ob sync-setup/sync-config, and the supervisedob sync --continuous - Credential handling —
OBSIDIAN_AUTH_TOKENandVAULT_PASSWORDare passed via environment/.env, never baked into the image - CI/CD workflows — GitHub Actions that build and publish the image to GHCR
The ob binary itself is proprietary, closed-source software by Obsidian
(Dynalist Inc.); vulnerabilities in the CLI should be reported to Obsidian.
- Gitleaks — secret detection over full history on every PR and push to main
- Trivy — image vulnerability scan: PR-built images on every PR (fixable CRITICAL/HIGH findings block the merge), and the published GHCR image on pushes to main and weekly. Findings report to the Security tab
- OpenSSF Scorecard — supply-chain posture analysis, weekly and on pushes to main
- Dependabot — weekly updates for GitHub Actions and the Docker base image
Base-image CVEs surfaced by Trivy are handled through base-image and package
updates (the image runs apk upgrade at build time). A report is still welcome
if you've found a specific exploit path.
Please report security issues through GitHub's private vulnerability reporting rather than opening a public issue.
Please include:
- A description of the vulnerability
- Steps to reproduce or a proof of concept
- The potential impact
You should receive an acknowledgment within 48 hours, and I'll coordinate a fix before any public disclosure.
Only the latest released image tag is actively maintained. Please upgrade before reporting.
| Version | Supported |
|---|---|
| Latest | Yes |
| Older | No |