Tacklebox is published as a Go binary and as a container image on GHCR. Only the latest release is actively supported.
| Version | Status |
|---|---|
| Latest release | ✅ Supported |
| Older releases | ❌ Unsupported — upgrade to latest |
| main branch | |
Please do not report security vulnerabilities through public GitHub issues.
Instead, report them privately via GitHub Security Advisories:
- Go to the Security tab
- Click Report a vulnerability
- Provide a detailed description of the issue, including steps to reproduce
You can expect:
- Acknowledgment within 48 hours
- Status update within 5 business days
- Resolution timeline based on severity
Tacklebox:
- Is written in Go (a memory-safe language)
- Runs with elevated privileges (root is required for disk operations)
- Executes `bootc`, `dracut`, `sgdisk`, and other system tools with validated arguments
- Uses BuildKit secret mounts, never environment variables, for sensitive data
- Operates on user-provided images from trusted registries
- Pins its GitHub Actions to commit SHAs
- Builds reproducibly with `go build` and a pinned toolchain
- Ships container images built from multi-stage Dockerfiles with a minimal surface
- Manages external dependencies via `go.mod`, with module checksums verified against `go.sum`
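The "validated arguments" item above is the one most worth seeing concretely. The following is an added example, not Tacklebox's own code: it shows the pattern of validating every user-influenced value before it becomes an argument to a privileged tool, then invoking the tool through `exec.CommandContext` so no shell ever re-parses the argument vector. The `sgdisk` flags (`--new`, `--typecode`, `--change-name`) are real, but the validation policy (device must be a clean absolute path under `/dev`, partition names limited to a safe character set, typecodes restricted to sgdisk's 4-hex or GUID forms) and the function names are assumptions made for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"regexp"
	"strings"
)

// Example only (not Tacklebox code): validation policy is an assumption.
var (
	errBadDevice   = errors.New("device must be a clean absolute path under /dev/")
	errBadName     = errors.New("partition name contains disallowed characters")
	errBadTypecode = errors.New("typecode must be 4 hex digits or a GUID")

	// Partition names: short, printable, no whitespace, ':' or shell metacharacters.
	partNameRE = regexp.MustCompile(`^[A-Za-z0-9._-]{1,36}$`)
	// sgdisk accepts either a 4-hex short code (e.g. EF00) or a full type GUID.
	typecodeRE = regexp.MustCompile(`^([0-9A-Fa-f]{4}|[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})$`)
)

// validateDevice accepts only absolute paths that are already in canonical
// form and live under /dev/, so "../" traversal and relative names are rejected
// before the value reaches a root-privileged tool.
func validateDevice(dev string) error {
	if !filepath.IsAbs(dev) {
		return errBadDevice
	}
	clean := filepath.Clean(dev)
	if clean != dev || !strings.HasPrefix(clean, "/dev/") {
		return errBadDevice
	}
	if strings.ContainsAny(clean, " \t\r\n;&|$`'\"*?") {
		return errBadDevice
	}
	return nil
}

// sgdiskArgs builds the argv for creating one partition:
//   sgdisk --new=N:0:0 --typecode=N:CODE --change-name=N:NAME DEVICE
// Every caller-controlled field is validated before it is formatted into a flag.
func sgdiskArgs(dev string, num int, typecode, name string) ([]string, error) {
	if err := validateDevice(dev); err != nil {
		return nil, err
	}
	if num < 1 || num > 128 { // GPT default partition table holds 128 entries
		return nil, fmt.Errorf("partition number %d out of range 1..128", num)
	}
	if !typecodeRE.MatchString(typecode) {
		return nil, errBadTypecode
	}
	if !partNameRE.MatchString(name) {
		return nil, errBadName
	}
	return []string{
		fmt.Sprintf("--new=%d:0:0", num),
		fmt.Sprintf("--typecode=%d:%s", num, typecode),
		fmt.Sprintf("--change-name=%d:%s", num, name),
		dev,
	}, nil
}

// runTool executes argv directly (no "sh -c"), with a minimal environment so
// nothing inherited from the caller leaks into the child process.
func runTool(ctx context.Context, tool string, args []string) error {
	cmd := exec.CommandContext(ctx, tool, args...)
	cmd.Env = []string{"PATH=/usr/sbin:/usr/bin:/sbin:/bin"}
	out, err := cmd.CombinedOutput()
	if err != nil {
		return fmt.Errorf("%s %v: %w: %s", tool, args, err, strings.TrimSpace(string(out)))
	}
	return nil
}

func main() {
	// Accepted: a well-formed request. The argv is printed rather than executed,
	// since running sgdisk needs root and a real block device.
	args, err := sgdiskArgs("/dev/loop0", 1, "EF00", "EFI-SYSTEM")
	fmt.Println(args, err)

	// Rejected: traversal out of /dev and a name carrying shell metacharacters.
	_, err = sgdiskArgs("/dev/../etc/passwd", 1, "EF00", "x")
	fmt.Println("traversal:", err)
	_, err = sgdiskArgs("/dev/sda", 1, "EF00", "a;rm -rf /")
	fmt.Println("metachars:", err)
	_ = runTool // wired in for real use: runTool(ctx, "sgdisk", args)
}
```

Note that `exec.Command` without a shell already prevents classic injection; the explicit validation guards the other failure modes, namely a device path that escapes `/dev`, a value that would be parsed by the tool as a second flag or an extra field, and arguments that later get logged or embedded into a shell script elsewhere.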
We follow coordinated disclosure:
- Reporter submits vulnerability privately
- We investigate and develop a fix
- Fix is released in a new version
- Advisory is published after release
See ARCHITECTURE.md and README.md for full architecture and usage details.