SECURITY: Do NOT open a public GitHub issue for a security vulnerability. Public disclosure before a fix is available puts all users at risk.
Report privately via GitHub Security Advisories.
Expected acknowledgment: within 48 hours.
| Data | Where it lives | How it is protected |
|---|---|---|
| GitHub PAT (`GITPRESERVER_TOKEN`) | `.env` / container env var | Passed to subprocesses via env only — never written to disk or logged. See docs/assumptions.md. |
| rclone remote credentials | `rclone/rclone.conf` | Mounted read-only (`:ro`) into the container. Never committed — in `.gitignore`. |
| Encryption passphrase (`GITPRESERVER_CRYPT_PASS`) | `.env` / `rclone.conf` | Stored in `rclone.conf` in obscured form. Raw value must be stored in a password manager. |
| Cloud storage keys (B2, S3, R2, etc.) | `rclone/rclone.conf` | Same as above. |
| MEGA / SMB passwords | `rclone/rclone.conf` | Stored in rclone obscured form. |

SECURITY: All secrets must be in environment variables or `rclone.conf` (itself excluded from version control). Never commit secrets. Rotate immediately if exposed.

- `.env` is in `.gitignore`. Never force-commit it.
- `rclone/rclone.conf` is in `.gitignore`. Never force-commit it.
- Use a dedicated PAT with the minimum required scopes — not a personal admin token.
- Set a PAT expiry. Rotate it before it expires. Store the new value in Bitwarden before updating `.env`.
- If an encryption passphrase is lost, the backup is permanently unrecoverable. There is no key escrow.

The container applies defense-in-depth:
- Runs as a non-root user (`gitpreserver`, UID 1000 by default) after a brief entrypoint setup phase.
- `no-new-privileges:true` — the workload cannot gain capabilities beyond what the kernel grants at launch.
- All Linux capabilities dropped except `CHOWN`, `FOWNER`, `SETUID`, `SETGID` — the minimum the entrypoint needs to remap UID/GID at runtime.
- `rclone.conf` is always mounted read-only.
- Tokens are passed to `ghorg` and `gh` via their documented environment variables (`GHORG_GITHUB_TOKEN`, `GH_TOKEN`), never as CLI flags (which appear in `ps` output).

See docs/assumptions.md for full rationale.
SECURITY: The web UI on port 6033 has no authentication by default.
- Do not expose port 6033 to the public internet.
- Run it on a private LAN or behind a reverse proxy with HTTP Basic Auth (nginx, Caddy, Traefik).
- The `/config` endpoint redacts sensitive env vars (`***`) but lists their names. Treat it as internal-only.
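
One way to check a deployed container against the hardening list and the port 6033 guidance above, by auditing the JSON from `docker inspect`. This is an added example, not part of the project's code: the function names are hypothetical, and the sample objects and the `/placeholder/` mount path are constructed.

```python
import json

# Values from the policy text; everything else here is an assumption.
ALLOWED_CAPS = {"CHOWN", "FOWNER", "SETUID", "SETGID"}
UI_PORT = "6033/tcp"
WILDCARD = {"", "0.0.0.0", "::"}  # how docker inspect reports "all interfaces"

def _caps(names):
    """Normalise capability names: upper-case, without the CAP_ prefix."""
    return {n.upper()[4:] if n.upper().startswith("CAP_") else n.upper()
            for n in names or []}

def audit(container):
    """Return findings for one object from `docker inspect <container>`."""
    findings = []
    host = container.get("HostConfig") or {}
    opts = host.get("SecurityOpt") or []
    if not any(o.startswith("no-new-privileges") and not o.endswith("false")
               for o in opts):
        findings.append("no-new-privileges is not set")
    if "ALL" not in _caps(host.get("CapDrop")):
        findings.append("capabilities are not dropped with ALL")
    extra = sorted(_caps(host.get("CapAdd")) - ALLOWED_CAPS)
    if extra:
        findings.append("unexpected capabilities added: " + ", ".join(extra))
    for m in container.get("Mounts") or []:
        if m.get("Destination", "").endswith("rclone.conf") and m.get("RW", True):
            findings.append("rclone.conf is mounted read-write")
    for bind in (host.get("PortBindings") or {}).get(UI_PORT) or []:
        if bind.get("HostIp", "") in WILDCARD:
            findings.append("port 6033 is published on all host interfaces")
    return findings

# Constructed samples shaped like `docker inspect` output (paths are placeholders).
HARDENED = json.loads("""{
  "HostConfig": {"SecurityOpt": ["no-new-privileges:true"], "CapDrop": ["ALL"],
    "CapAdd": ["CHOWN", "FOWNER", "SETUID", "SETGID"],
    "PortBindings": {"6033/tcp": [{"HostIp": "127.0.0.1", "HostPort": "6033"}]}},
  "Mounts": [{"Destination": "/placeholder/rclone.conf", "RW": false}]}""")
WEAK = json.loads("""{
  "HostConfig": {"SecurityOpt": [], "CapDrop": null, "CapAdd": ["CAP_NET_ADMIN"],
    "PortBindings": {"6033/tcp": [{"HostIp": "", "HostPort": "6033"}]}},
  "Mounts": [{"Destination": "/placeholder/rclone.conf", "RW": true}]}""")

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(sample) or "ok")
```

`docker inspect` prints a JSON array, so pass its first element to `audit`. A wildcard binding is a prompt to confirm the host is LAN-only or fronted by an authenticating reverse proxy.
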
Run the secret scanner before every release:

```bash
# Scan for secrets in git history
docker run --rm -v "$(pwd):/repo" zricethezav/gitleaks:latest detect --source /repo
```

The CI pipeline runs gitleaks on every push and PR via `.github/workflows/lint.yml`.

Only the latest release receives security fixes. There is no LTS branch.
| Version | Supported |
|---|---|
| Latest | Yes |
| Older | No |