Please do not open a public issue for security problems.
Report vulnerabilities privately via GitHub's Report a vulnerability form (repository Security tab → Report a vulnerability). This opens a private advisory visible only to the maintainers and you.
Please include:
- affected component (Zitadel wrapper, login, provisioner, directory-sync, database-backup, Terraform, compose) and version/tag,
- a description and, if possible, a minimal reproduction,
- the impact you observed or expect.
We aim to acknowledge a report within 5 business days and to agree on a disclosure timeline with you. Please give us a reasonable window to ship a fix before any public disclosure.
This repository is a deployment/orchestration stack around
Zitadel. Vulnerabilities in Zitadel itself should be
reported to the Zitadel project;
issues in the login base image belong to the ep-zitadel repository. Report here
anything in this repo's configuration, Terraform, container wrappers, sidecar
code (directory-sync, database-backup), or CI/CD.
Security fixes target the latest released tag on the default branch. Older tags are not maintained — pin to a current release.
This repository is secret-free by design: all credentials are injected at
runtime via environment variables (.env, git-ignored). If you believe a secret
was committed, report it privately as above so we can rotate and remediate.