Trivy vs Grype vs Docker Scout
Trivy, Grype, and Docker Scout go head-to-head on speed, CVE coverage, CI integration, and cost. Pick the right scanner for your home lab or pipeline.
All the articles with the tag "security".
Akismet's licensing terms are increasingly hostile to small sites. Here are 11 spam-protection options — hosted APIs, CAPTCHA widgets, and DIY honeypots — that actually work in 2026.
Authelia is a bouncer. Authentik is the whole security desk. Pick the right self-hosted SSO for your home lab — with working configs, gotchas, and a migration path.
Ran 9 real headless tools against an echo server. Sec-Fetch alone catches almost none of them. Here's what actually leaks, WAF rules that work, and where Anubis fits in.
CrowdSec is the modern fail2ban: community-shared threat intel, scenario collections, and pluggable bouncers. Deploy it with Caddy or Traefik and block millions of bad IPs from day one.
You've been compromised. Now what? A practical incident response playbook for self-hosters who didn't think they'd need one until right now.
CVE-2026-31431 (copy.fail) lets any local user become root on virtually every Linux system since 2017. Here's what it is, why it matters, and how to fix it.
A honeypot sits quietly on your network pretending to be something valuable. When someone touches it, you know you have an intruder. OpenCanary makes this dead simple.
iptables is being phased out. nftables is faster, cleaner, and already the default on modern Linux. Here's how to actually use it without wanting to quit.
Snort invented network intrusion detection. Suricata multi-threaded its way past it. Here's how to set up real IDS/IPS on your home lab and actually understand what it's telling you.
A Software Bill of Materials tells you exactly what's in your software. Syft generates one, Grype scans it for CVEs. Together they're your supply chain paper trail.
Pulling unscanned images onto your server is a gamble. Trivy finds the CVEs. Cosign proves the image hasn't been swapped out. Here's how to add both to your workflow.