# Security Policy
We take the security of php-ci seriously. Because the image is used in CI/CD pipelines that often hold credentials, we appreciate responsible disclosure.
## Supported versions
Security updates are provided for the actively maintained image lines:
| Image line | Supported |
|---|---|
| :8.4 | Supported |
| :8.3 | Supported |
| :8.2 | Security fixes |
| :8.1 | Best-effort; upgrade recommended |
The underlying PHP runtime's own support window also applies — see the PHP version pages.
## Reporting a vulnerability
Please do not open a public issue for security problems.
Use GitHub's private vulnerability reporting:
- Go to the Security tab of the repository.
- Click Report a vulnerability.
- Provide:
  - A description of the issue and its impact.
  - The affected image tag(s).
  - Steps to reproduce, ideally with a minimal `docker run` command.
  - Any suggested remediation.
If you cannot use GitHub's reporting flow, open a minimal issue asking a maintainer to contact you privately — without disclosing the vulnerability details.
## What to expect
- Acknowledgement within 3 business days.
- Assessment & triage within 7 business days, including a severity rating.
- Fix & release as quickly as practical for the affected tags, with a note in the Changelog and on the blog.
- Credit to the reporter in the release notes, unless you prefer to remain anonymous.
## Scope
In scope:
- Vulnerabilities introduced by the image build (misconfiguration, exposed secrets, unnecessary privileges).
- Outdated bundled tools shipping known, exploitable CVEs.
Out of scope:
- Vulnerabilities in your own application code or dependencies.
- Issues already fixed upstream in PHP or the base OS that are resolved by a routine `docker pull` of the rebuilt tag.
## Hardening tips for users
- Pin images by digest for reproducible, auditable builds.
- Never bake secrets into images; inject them via CI environment variables.
- Regularly `docker pull` active tags to absorb upstream security rebuilds.
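A lint for the digest-pinning tip above, added here as an example that is not part of php-ci: it reads Dockerfile `FROM` lines and CI `image:` lines and fails when a reference is pinned only by tag. The image names and the sha256 value in the constructed sample are placeholders, not real php-ci digests.

```shell
#!/bin/sh
# Added example (not part of php-ci): a pre-merge lint that fails when an image
# reference is pinned only by tag, so every pull resolves to an auditable digest.
# Scans Dockerfile FROM lines and CI YAML "image:" lines read from stdin.

# is_pinned REF: succeeds only if REF ends in an @sha256 digest (64 hex chars)
is_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# image_refs: print the image reference found on each FROM / image: line of stdin
# (handles "FROM --platform=... ref AS stage" and '- image: "ref"'; double-quoted
# YAML values are unquoted; "scratch" has no digest by definition and is skipped)
image_refs() {
    awk '
        toupper($1) == "FROM" {
            i = 2
            while (i <= NF && $i ~ /^--/) i++   # skip FROM flags such as --platform
            if (i <= NF && $i != "scratch") print $i
            next
        }
        $1 == "image:" || ($1 == "-" && $2 == "image:") {
            v = ($1 == "-") ? $3 : $2
            gsub(/"/, "", v)
            print v
        }'
}

# check_refs: read lines on stdin, print each unpinned reference, return 1 if any
check_refs() {
    bad=$(image_refs | while IFS= read -r ref; do
        is_pinned "$ref" || printf '%s\n' "$ref"
    done)
    [ -z "$bad" ] && return 0
    printf 'unpinned image reference(s):\n%s\n' "$bad" >&2
    return 1
}

# Constructed sample: the digest below is a placeholder, not a real php-ci digest.
if check_refs <<'EOF'
FROM --platform=linux/amd64 php-ci:8.4@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS build
FROM php-ci:8.3
- image: "php-ci:8.4@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
EOF
then echo "all image references are digest-pinned"
else echo "lint failed: fail the pipeline until the reference above is pinned"
fi
```

Wire `check_refs < Dockerfile` into the pipeline's first stage so an unpinned reference stops the build before any credentials are exposed to it.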