Back to Dashboard

Trust posture

πŸ“‹ SBOM ATTESTEDπŸ›‘ TRIVY: 14 CRITICAL (advisory) Β· SCANNED 2026-07-10πŸ— AMD64 + ARM64 πŸ”— 1/1 deps tracked daily πŸ” REPRODUCE THESE CHECKS LOCALLY
PULLS 5.4K
STARS 0
COVERAGE 4 variants Β· amd64+arm64

VERIFIABLE TRUST ARTIFACTS

Provenance

Build commit
ed67d41
Build digest
sha256:493ed5018cf0fc0796d5a560250b486e1b25739af88cce11c33536ffbf0f1bd9
Index digest
sha256:358d22b5449f8cb6983c7e1ecff56acc42c8214f4b60e54f67b5c7c34df024b4
Manifest digest (amd64)
sha256:b1fe90795c1200d300e9333908bc0e95377b4b0a6cc52156045c29a1b7d81454
Manifest digest (arm64)
sha256:385fb42e9092768be194b2635931df6936c7e963dd158c0b06bbf6d385da8924
SBOM attestation
34817681…
Trivy last scan
2026-07-10 20:42 UTC
Base image
Verify
gh attestation verify oci://ghcr.io/oorabona/web-shell:1.7.7 --owner oorabona guide β†’

Security scan results

Trivy Β· last scan 2026-07-10

Last scan: (advisory mode β€” Trivy runs continue-on-error in CI; we surface findings, we do not block builds on them).

14Critical
108High
199Medium
190Low
33Info

Top advisories (upstream, advisory)

  • CVE-2026-58470 (NOTE) β€” web-shell β€” GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer ...
  • CVE-2026-58469 (NOTE) β€” web-shell β€” GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buff ...
  • CVE-2026-58472 (ERROR) β€” web-shell β€” GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buff ...
  • CVE-2026-58471 (ERROR) β€” web-shell β€” wget: GNU Wget: Heap buffer overflow via server-supplied filename leads to memory corruption
  • CVE-2026-7017 (NOTE) β€” web-shell β€” HTTP::Tiny versions before 0.095 for Perl forward credential headers t ...

β†’ Full report via gh api β€” see Verify Images.

Explore

Available variants

TagSize (amd64) Build status
1.7.7 default134.3MB OK
1.7.7-alpine27.6MB OK
1.7.7-ubuntu78.9MB OK
1.7.7-rocky116.6MB OK
Build lineagesha256:
Build Lineage
Build Digest sha256:493ed5018cf0fc0796d5a560250b486e1b25739af88cce11c33536ffbf0f1bd9
Base Image
ALPINE_BASE alpine
ROCKY_BASE rockylinux
TTYD_VERSION 1.7.7
UBUNTU_BASE ubuntu
Package summary n/a β€” runtime parsed
Recent changes n/a β€” runtime parsed
Build history n/a β€” runtime fetched
Dependency health all up to date

Dependency Health

all up to date
1/1 dependencies monitored
Up-to-date dependencies
TTYD_VERSION 1.7.7

Documentation

README

Web Shell

Docker Hub GHCR Build

Secure browser-based terminal built on our Debian base image with ttyd for web terminal access. Includes common DevOps and hosting tools, optional SSH server, and flexible authentication options.

Verify this image

Every build ships a Sigstore-signed SBOM and a full Trivy scan β€” verify them yourself, no login required:

gh attestation verify oci://ghcr.io/oorabona/web-shell:latest --owner oorabona

Full walkthrough (SBOM payload, Trivy findings, multi-arch manifest inspection, upstream dependency tracking) β†’ https://oorabona.github.io/docker-containers/verify-images/

Quick Start

# Pull the image
docker pull ghcr.io/oorabona/web-shell:latest

# Run with default settings (web terminal on port 7681)
docker run -d --name web-shell -p 7681:7681 ghcr.io/oorabona/web-shell:latest

# Open in browser
# http://localhost:7681

# Run with password and SSH enabled
docker run -d --name web-shell \
  -p 7681:7681 -p 2222:2222 \
  -e SHELL_PASSWORD=mysecretpass \
  -e ENABLE_SSH=true \
  ghcr.io/oorabona/web-shell:latest

Build

# Build with latest upstream ttyd version
./make build web-shell

# Build with specific ttyd version
./make build web-shell 1.7.7

Build Args

Arg Default Description
VERSION latest Full version tag (set by build system)
TTYD_VERSION 1.7.7 ttyd release version
DEBIAN_TAG trixie Debian base image tag
SHELL_USER debian Default shell user (build-time)

Environment Variables

Variable Default Description
SHELL_USER debian User for terminal sessions
SHELL_PASSWORD (locked) Set user password at runtime (required for SSH/sudo)
TTYD_PORT 7681 Web terminal listen port
ENABLE_SSH false Start SSH daemon on port 2222
SSH_PUBLIC_KEY (none) Import SSH authorized key
TTYD_CREDENTIAL (none) Basic auth in user:password format
TTYD_SSL_CERT (none) Path to TLS certificate (enables HTTPS)
TTYD_SSL_KEY (none) Path to TLS private key
TTYD_AUTH_HEADER (none) Auth header for reverse proxy integration

Ports

Port Service
7681 ttyd web terminal (WebSocket-based)
2222 SSH server (when ENABLE_SSH=true)

Included Tools

Category Tools
Editors vim-tiny, nano
File management tree, file, less, findutils
Network curl, wget, dnsutils, iputils-ping, net-tools
Process management htop, procps
Data tools jq
Version control git
Archives bzip2, xz-utils, unzip, zip
Remote access openssh-server

Authentication

No Authentication (default)

Anyone with network access can use the terminal. Suitable for local development or behind a trusted reverse proxy.

Basic Auth (ttyd built-in)

docker run -d -p 7681:7681 \
  -e TTYD_CREDENTIAL="admin:secretpass" \
  ghcr.io/oorabona/web-shell:latest

TLS Encryption

docker run -d -p 7681:7681 \
  -v /path/to/cert.pem:/certs/cert.pem:ro \
  -v /path/to/key.pem:/certs/key.pem:ro \
  -e TTYD_SSL_CERT=/certs/cert.pem \
  -e TTYD_SSL_KEY=/certs/key.pem \
  ghcr.io/oorabona/web-shell:latest

Reverse Proxy Auth Header

For integration with authentication proxies (OAuth2 Proxy, Authelia, etc.):

docker run -d -p 7681:7681 \
  -e TTYD_AUTH_HEADER="X-Forwarded-User" \
  ghcr.io/oorabona/web-shell:latest

SSH Access

docker run -d -p 7681:7681 -p 2222:2222 \
  -e ENABLE_SSH=true \
  -e SSH_PUBLIC_KEY="ssh-ed25519 AAAA... user@host" \
  ghcr.io/oorabona/web-shell:latest

# Connect via SSH
ssh -p 2222 debian@localhost

Health Check

Built-in health check via ttyd token endpoint:

GET http://localhost:7681/token β†’ {"token": "..."}

Hosting Use Case

Web Shell is designed as a building block for web hosting platforms, providing browser-based terminal access to container environments. Combined with other containers from this project:

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚  Client Browser                                          β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”    β”‚
β”‚  β”‚ Web App   β”‚  β”‚ phpMyAdmin β”‚  β”‚ Web Terminal      β”‚    β”‚
β”‚  β”‚ :80/:443  β”‚  β”‚ :8080      β”‚  β”‚ :7681 (ttyd)     β”‚    β”‚
β”‚  β””β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
         β”‚               β”‚                β”‚
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚  β”Œβ”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”    β”‚
β”‚  β”‚ OpenResty β”‚  β”‚ PHP-FPM    β”‚  β”‚ Web Shell         β”‚    β”‚
β”‚  β”‚ (proxy)   β”‚  β”‚ WordPress  β”‚  β”‚ (tools + shell)   β”‚    β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”                           β”‚
β”‚  β”‚ PostgreSQLβ”‚  β”‚ Vector     β”‚                           β”‚
β”‚  β”‚ (database)β”‚  β”‚ (logs)     β”‚                           β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜                           β”‚
β”‚  Docker Host                                             β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Security Considerations

  • Runs as root for chpasswd and sshd, but ttyd spawns shells as the configured SHELL_USER
  • No default password β€” set SHELL_PASSWORD at runtime (account is locked without it)
  • SSH listens on port 2222 (non-standard) with root login disabled
  • For production: use TTYD_CREDENTIAL or place behind an auth reverse proxy
  • Mount TLS certificates for encrypted connections
  • The --writable flag enables terminal input β€” remove for read-only sessions

Dependencies

Component Version Source Monitoring
ttyd 1.7.7 GitHub upstream-monitor
Debian (base) trixie ghcr.io/oorabona/debian upstream