Teploy

Security

Open source, no phone-home

The Teploy tools run on your machines and servers, with code you can audit. There's no Teploy-operated control plane to compromise, no agent reporting back to us, and no credentials being relayed through a third-party service. This page covers how the tools are built and how to report security issues.

Source-available

MIT / AGPL on GitHub — read the code, build it yourself.

No telemetry

Binaries don't ping a Teploy server. Ever.

Local credentials

SSH keys, registry tokens, env vars — all stay on your machine.

Reproducible builds

GitHub Actions builds the releases. SHA256 published with every tag.

How the CLI handles credentials

  • SSH: the CLI uses your local SSH agent and ~/.ssh keys. Connections go directly from your machine to your server. Nothing routes through teploy.com.
  • Registry credentials: Docker registry logins are written to ~/.teploy/registry.yml on your machine, with file permissions 0600.
  • Secrets: encrypted secrets in teploy.secrets.yml use age (X25519) with keys you control. The CLI never has plaintext you didn't give it.
  • State files: deploy state lives at /deployments/<app>/ on your server. The CLI and Dash both read and write the same files — no separate database, no out-of-band channel.

Build & supply chain

  • Releases are built by GitHub Actions from a tagged commit on the public repo.
  • Every release ships with SHA256 checksums and, where applicable, signed Homebrew formulae.
  • Dependencies are pinned in go.mod / go.sum and reviewed before bumps.
  • Anyone can rebuild the binary from source and compare digests.

What's on your end

Because there's no managed Teploy service, your security posture is largely about how you run the tools and operate your servers. The basics that matter most:

  • Use SSH keys, not passwords. Disable password auth on your servers.
  • Keep your server OS patched. The CLI doesn't install or run an agent that could become an attack surface, but the SSH/Docker/Caddy stack on the server still needs updates.
  • Lock down the Caddy admin API (default: bound to localhost only — leave it that way).
  • Don't expose Dash standalone (teploy ui --serve) to the public internet without an auth proxy in front of it.
  • Store age keys for encrypted secrets somewhere you'd store SSH keys — not in the repo.

Reporting a vulnerability

If you find a security issue in any Teploy binary or in this website, please report it privately first:

  • Email contact@teploy.com with details and reproduction steps.
  • Don't open a public GitHub issue for security bugs until a fix is shipped.
  • We'll acknowledge within a couple of business days and work with you on a coordinated disclosure timeline.
  • Good-faith research is welcome. We won't pursue legal action for testing against your own infrastructure or for finding bugs in published binaries.

There's no bug bounty program right now — this is a small project. We'll credit reporters in release notes where appropriate.