feat: add support for Ntfy notification provider

.github/workflows/docker-build.yml

@@ -23,7 +23,7 @@ name: Docker Build, Publish & Test
 on:
   pull_request:
   push:
-    branches: [main]
+    branches: [main, development]
   workflow_dispatch:
   workflow_run:
     workflows: ["Docker Lint"]
@@ -42,7 +42,7 @@ env:
   TRIGGER_HEAD_SHA: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
   TRIGGER_REF: ${{ github.event_name == 'workflow_run' && format('refs/heads/{0}', github.event.workflow_run.head_branch) || github.ref }}
   TRIGGER_HEAD_REF: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.head_ref }}
-  TRIGGER_PR_NUMBER: ${{ github.event_name == 'workflow_run' && join(github.event.workflow_run.pull_requests.*.number, '') || github.event.pull_request.number }}
+  TRIGGER_PR_NUMBER: ${{ github.event_name == 'workflow_run' && join(github.event.workflow_run.pull_requests.*.number, '') || format('{0}', github.event.pull_request.number) }}
   TRIGGER_ACTOR: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.actor.login || github.actor }}
 
 jobs:

.grype.yaml

@@ -4,83 +4,6 @@
 # Documentation: https://github.com/anchore/grype#specifying-matches-to-ignore
 
 ignore:
-  # GHSA-69x3-g4r3-p962 / CVE-2026-25793: Nebula ECDSA Signature Malleability
-  # Severity: HIGH (CVSS 8.1)
-  # Package: github.com/slackhq/nebula v1.9.7 (embedded in /usr/bin/caddy)
-  # Status: Cannot upgrade — smallstep/certificates v0.30.0-rc2 still pins nebula v1.9.x
-  #
-  # Vulnerability Details:
-  # - ECDSA signature malleability allows bypassing certificate blocklists
-  # - Attacker can forge alternate valid P256 ECDSA signatures for revoked
-  #   certificates (CVSSv3: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
-  # - Only affects configurations using Nebula-based certificate authorities
-  #   (non-default and uncommon in Charon deployments)
-  #
-  # Root Cause (Compile-Time Dependency Lock):
-  # - Caddy is built with caddy-security plugin, which transitively requires
-  #   github.com/smallstep/certificates. That package pins nebula v1.9.x.
-  # - Checked: smallstep/certificates v0.27.5 → v0.30.0-rc2 all require nebula v1.9.4–v1.9.7.
-  #   The nebula v1.10 API removal breaks compilation in the
-  #   authority/provisioner package; xcaddy build fails with upgrade attempted.
-  # - Dockerfile caddy-builder stage pins nebula@v1.9.7 (Renovate tracked) with
-  #   an inline comment explaining the constraint (Dockerfile line 247).
-  # - Fix path: once smallstep/certificates releases a version requiring
-  #   nebula v1.10+, remove the pin and this suppression simultaneously.
-  #
-  # Risk Assessment: ACCEPTED (Low exploitability in Charon context)
-  # - Charon uses standard ACME/Let's Encrypt TLS; Nebula VPN PKI is not
-  #   enabled by default and rarely configured in Charon deployments.
-  # - Exploiting this requires a valid certificate sharing the same issuer as
-  #   a revoked one — an uncommon and targeted attack scenario.
-  # - Container-level isolation reduces the attack surface further.
-  #
-  # Mitigation (active while suppression is in effect):
-  # - Monitor smallstep/certificates releases at https://github.com/smallstep/certificates/releases
-  # - Weekly CI security rebuild flags any new CVEs in the full image.
-  # - Renovate annotation in Dockerfile (datasource=go depName=github.com/slackhq/nebula)
-  #   will surface the pin for review when xcaddy build becomes compatible.
-  #
-  # Review:
-  # - Reviewed 2026-02-19: smallstep/certificates latest stable remains v0.27.5;
-  #   no release requiring nebula v1.10+ has shipped. Suppression extended 14 days.
-  # - Reviewed 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.
-  # - Next review: 2026-04-12. Remove suppression immediately once upstream fixes.
-  #
-  # Removal Criteria:
-  # - smallstep/certificates releases a stable version requiring nebula v1.10+
-  # - Update Dockerfile caddy-builder patch to use the new versions
-  # - Rebuild image, run security scan, confirm suppression no longer needed
-  # - Remove both this entry and the corresponding .trivyignore entry
-  #
-  # References:
-  # - GHSA: https://github.com/advisories/GHSA-69x3-g4r3-p962
-  # - CVE-2026-25793: https://nvd.nist.gov/vuln/detail/CVE-2026-25793
-  # - smallstep/certificates: https://github.com/smallstep/certificates/releases
-  # - Dockerfile pin: caddy-builder stage, line ~247 (go get nebula@v1.9.7)
-  - vulnerability: GHSA-69x3-g4r3-p962
-    package:
-      name: github.com/slackhq/nebula
-      version: "v1.9.7"
-      type: go-module
-    reason: |
-      HIGH — ECDSA signature malleability in nebula v1.9.7 embedded in /usr/bin/caddy.
-      Cannot upgrade: smallstep/certificates v0.27.5 (latest stable as of 2026-03-13)
-      still requires nebula v1.9.x (verified across v0.27.5–v0.30.0-rc2). Charon does
-      not use Nebula VPN PKI by default. Risk accepted pending upstream smallstep fix.
-      Reviewed 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.
-    expiry: "2026-04-12"  # Re-evaluated 2026-03-13: smallstep/certificates stable still v0.27.5, extended 30 days.
-
-    # Action items when this suppression expires:
-    # 1. Check smallstep/certificates releases: https://github.com/smallstep/certificates/releases
-    # 2. If a stable version requires nebula v1.10+:
-    #    a. Update Dockerfile caddy-builder: remove the `go get nebula@v1.9.7` pin
-    #    b. Optionally bump smallstep/certificates to the new version
-    #    c. Rebuild Docker image and verify no compile failures
-    #    d. Re-run local security-scan-docker-image and confirm clean result
-    #    e. Remove this suppression entry
-    # 3. If no fix yet: Extend expiry by 14 days and document justification
-    # 4. If extended 3+ times: Open upstream issue on smallstep/certificates
-
   # CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade
   # Severity: HIGH (CVSS 7.5)
   # Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 (Alpine apk)
@@ -153,161 +76,6 @@ ignore:
       Risk accepted pending Alpine upstream patch.
     expiry: "2026-04-18"  # Initial 30-day review period. See libcrypto3 entry above for action items.
 
-  # CVE-2026-33186 / GHSA-p77j-4mvh-x3m3: gRPC-Go authorization bypass via missing leading slash
-  # Severity: CRITICAL (CVSS 9.1)
-  # Package: google.golang.org/grpc v1.74.2 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)
-  # Status: Fix available at v1.79.3 — waiting on CrowdSec upstream to release with patched grpc
-  #
-  # Vulnerability Details:
-  # - gRPC-Go server path-based authorization (grpc/authz) fails to match deny rules when
-  #   the HTTP/2 :path pseudo-header is missing its leading slash (e.g., "Service/Method"
-  #   instead of "/Service/Method"), allowing a fallback allow-rule to grant access instead.
-  # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
-  #
-  # Root Cause (Third-Party Binary):
-  # - Charon's own grpc dependency is patched to v1.79.3 (updated 2026-03-19).
-  # - CrowdSec ships grpc v1.74.2 compiled into its binary; Charon has no control over this.
-  # - This is a server-side vulnerability. CrowdSec uses grpc as a server; Charon uses it
-  #   only as a client (via the Docker SDK). CrowdSec's internal grpc server is not exposed
-  #   to external traffic in a standard Charon deployment.
-  # - Fix path: once CrowdSec releases a version built with grpc >= v1.79.3, rebuild the
-  #   Docker image (Renovate tracks the CrowdSec version) and remove this suppression.
-  #
-  # Risk Assessment: ACCEPTED (Constrained exploitability in Charon context)
-  # - The vulnerable code path requires an attacker to reach CrowdSec's internal grpc server,
-  #   which is bound to localhost/internal interfaces in the Charon container network.
-  # - Container-level isolation (no exposed grpc port) significantly limits exposure.
-  # - Charon does not configure grpc/authz deny rules on CrowdSec's server.
-  #
-  # Mitigation (active while suppression is in effect):
-  # - Monitor CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
-  # - Weekly CI security rebuild flags the moment a fixed CrowdSec image ships.
-  #
-  # Review:
-  # - Reviewed 2026-03-19 (initial suppression): grpc v1.79.3 fix exists; CrowdSec has not
-  #   yet shipped an updated release. Suppression set for 14-day review given fix availability.
-  # - Next review: 2026-04-02. Remove suppression once CrowdSec ships with grpc >= v1.79.3.
-  #
-  # Removal Criteria:
-  # - CrowdSec releases a version built with google.golang.org/grpc >= v1.79.3
-  # - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved
-  # - Remove this entry and the corresponding .trivyignore entry simultaneously
-  #
-  # References:
-  # - GHSA-p77j-4mvh-x3m3: https://github.com/advisories/GHSA-p77j-4mvh-x3m3
-  # - CVE-2026-33186: https://nvd.nist.gov/vuln/detail/CVE-2026-33186
-  # - grpc fix (v1.79.3): https://github.com/grpc/grpc-go/releases/tag/v1.79.3
-  # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
-  - vulnerability: CVE-2026-33186
-    package:
-      name: google.golang.org/grpc
-      version: "v1.74.2"
-      type: go-module
-    reason: |
-      CRITICAL — gRPC-Go authorization bypass in grpc v1.74.2 embedded in /usr/local/bin/crowdsec
-      and /usr/local/bin/cscli. Fix available at v1.79.3 (Charon's own dep is patched); waiting
-      on CrowdSec upstream to release with patched grpc. CrowdSec's grpc server is not exposed
-      externally in a standard Charon deployment. Risk accepted pending CrowdSec upstream fix.
-      Reviewed 2026-03-19: CrowdSec has not yet released with grpc >= v1.79.3.
-    expiry: "2026-04-02"  # 14-day review: fix exists at v1.79.3; check CrowdSec releases.
-
-    # Action items when this suppression expires:
-    # 1. Check CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases
-    # 2. If CrowdSec ships with grpc >= v1.79.3:
-    #    a. Renovate should auto-PR the new CrowdSec version in the Dockerfile
-    #    b. Merge the Renovate PR, rebuild Docker image
-    #    c. Run local security-scan-docker-image and confirm grpc v1.74.2 is gone
-    #    d. Remove this suppression entry and the corresponding .trivyignore entry
-    # 3. If no fix yet: Extend expiry by 14 days and document justification
-    # 4. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec
-
-  # CVE-2026-33186 (Caddy) — see full justification in the CrowdSec entry above
-  # Package: google.golang.org/grpc v1.79.1 (embedded in /usr/bin/caddy)
-  # Status: Fix available at v1.79.3 — waiting on a new Caddy release built with patched grpc
-  - vulnerability: CVE-2026-33186
-    package:
-      name: google.golang.org/grpc
-      version: "v1.79.1"
-      type: go-module
-    reason: |
-      CRITICAL — gRPC-Go authorization bypass in grpc v1.79.1 embedded in /usr/bin/caddy.
-      Fix available at v1.79.3; waiting on Caddy upstream to release a build with patched grpc.
-      Caddy's grpc server is not exposed externally in a standard Charon deployment.
-      Risk accepted pending Caddy upstream fix. Reviewed 2026-03-19: no Caddy release with grpc >= v1.79.3 yet.
-    expiry: "2026-04-02"  # 14-day review: fix exists at v1.79.3; check Caddy releases.
-
-    # Action items when this suppression expires:
-    # 1. Check Caddy releases: https://github.com/caddyserver/caddy/releases
-    #    (or the custom caddy-builder in the Dockerfile for caddy-security plugin)
-    # 2. If a new Caddy build ships with grpc >= v1.79.3:
-    #    a. Update the Caddy version pin in the Dockerfile caddy-builder stage
-    #    b. Rebuild Docker image and run local security-scan-docker-image
-    #    c. Remove this suppression entry and the corresponding .trivyignore entry
-    # 3. If no fix yet: Extend expiry by 14 days and document justification
-    # 4. If extended 3+ times: Open an issue on caddyserver/caddy
-
-  # GHSA-479m-364c-43vc: goxmldsig XML signature validation bypass (loop variable capture)
-  # Severity: HIGH (CVSS 7.5)
-  # Package: github.com/russellhaering/goxmldsig v1.5.0 (embedded in /usr/bin/caddy)
-  # Status: Fix available at v1.6.0 — waiting on a new Caddy release built with patched goxmldsig
-  #
-  # Vulnerability Details:
-  # - Loop variable capture in validateSignature causes the signature reference to always
-  #   point to the last element in SignedInfo.References; an attacker can substitute signed
-  #   element content and bypass XML signature integrity validation (CWE-347, CWE-682).
-  # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
-  #
-  # Root Cause (Third-Party Binary):
-  # - Charon does not use goxmldsig directly. The package is compiled into /usr/bin/caddy
-  #   via the caddy-security plugin's SAML/SSO support.
-  # - Fix path: once Caddy (or the caddy-security plugin) releases a build with
-  #   goxmldsig >= v1.6.0, rebuild the Docker image and remove this suppression.
-  #
-  # Risk Assessment: ACCEPTED (Low exploitability in default Charon context)
-  # - The vulnerability only affects SAML/XML signature validation workflows.
-  # - Charon does not enable or configure SAML-based SSO in its default setup.
-  # - Exploiting this requires an active SAML integration, which is non-default.
-  #
-  # Mitigation (active while suppression is in effect):
-  # - Monitor caddy-security plugin releases: https://github.com/greenpau/caddy-security/releases
-  # - Monitor Caddy releases: https://github.com/caddyserver/caddy/releases
-  # - Weekly CI security rebuild flags the moment a fixed image ships.
-  #
-  # Review:
-  # - Reviewed 2026-03-19 (initial suppression): goxmldsig v1.6.0 fix exists; Caddy has not
-  #   yet shipped with the updated dep. Set 14-day review given fix availability.
-  # - Next review: 2026-04-02. Remove suppression once Caddy ships with goxmldsig >= v1.6.0.
-  #
-  # Removal Criteria:
-  # - Caddy (or caddy-security plugin) releases a build with goxmldsig >= v1.6.0
-  # - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved
-  # - Remove this entry and the corresponding .trivyignore entry simultaneously
-  #
-  # References:
-  # - GHSA-479m-364c-43vc: https://github.com/advisories/GHSA-479m-364c-43vc
-  # - goxmldsig v1.6.0 fix: https://github.com/russellhaering/goxmldsig/releases/tag/v1.6.0
-  # - caddy-security plugin: https://github.com/greenpau/caddy-security/releases
-  - vulnerability: GHSA-479m-364c-43vc
-    package:
-      name: github.com/russellhaering/goxmldsig
-      version: "v1.5.0"
-      type: go-module
-    reason: |
-      HIGH — XML signature validation bypass in goxmldsig v1.5.0 embedded in /usr/bin/caddy.
-      Fix available at v1.6.0; waiting on Caddy upstream to release a build with patched goxmldsig.
-      Charon does not configure SAML-based SSO by default; the vulnerable XML signature path
-      is not reachable in a standard deployment. Risk accepted pending Caddy upstream fix.
-      Reviewed 2026-03-19: no Caddy release with goxmldsig >= v1.6.0 yet.
-    expiry: "2026-04-02"  # 14-day review: fix exists at v1.6.0; check Caddy/caddy-security releases.
-
-    # Action items when this suppression expires:
-    # 1. Check caddy-security releases: https://github.com/greenpau/caddy-security/releases
-    # 2. If a new build ships with goxmldsig >= v1.6.0:
-    #    a. Update the Caddy version pin in the Dockerfile caddy-builder stage if needed
-    #    b. Rebuild Docker image and run local security-scan-docker-image
-    #    c. Remove this suppression entry and the corresponding .trivyignore entry
-    # 3. If no fix yet: Extend expiry by 14 days and document justification
-
   # GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS)
   # Severity: HIGH (CVSS 7.5)
   # Package: github.com/buger/jsonparser v1.1.1 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli)

CHANGELOG.md

@@ -9,6 +9,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- **Notifications:** Added Ntfy notification provider with support for self-hosted and cloud instances, optional Bearer token authentication, and JSON template customization
+
 - **Certificate Deletion**: Clean up expired and unused certificates directly from the Certificates page
   - Expired Let's Encrypt certificates not attached to any proxy host can now be deleted
   - Custom and staging certificates remain deletable when not in use
@@ -55,6 +57,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- **Notifications:** Fixed Pushover token-clearing bug where tokens were silently stripped on provider create/update
 - **TCP Monitor Creation**: Fixed misleading form UX that caused silent HTTP 500 errors when creating TCP monitors
   - Corrected URL placeholder to show `host:port` format instead of the incorrect `tcp://host:port` prefix
   - Added dynamic per-type placeholder and helper text (HTTP monitors show a full URL example; TCP monitors show `host:port`)

Dockerfile

@@ -43,7 +43,7 @@ ARG CADDY_CANDIDATE_VERSION=2.11.2
 ARG CADDY_USE_CANDIDATE=0
 ARG CADDY_PATCH_SCENARIO=B
 # renovate: datasource=go depName=github.com/greenpau/caddy-security
-ARG CADDY_SECURITY_VERSION=1.1.50
+ARG CADDY_SECURITY_VERSION=1.1.51
 # renovate: datasource=go depName=github.com/corazawaf/coraza-caddy
 ARG CORAZA_CADDY_VERSION=2.2.0
 ## When an official caddy image tag isn't available on the host, use a