| Version | Supported |
|---|---|
| 0.9.0 | ✅ |
TorchServe relies as much as possible on automated tools to do security scanning; in particular it supports:
- Dependency analysis: using Dependabot
- Docker scanning: using Snyk
- Code analysis: using CodeQL
TorchServe listens on the following ports:
- HTTP: `8080`, `8081`, `8082`
- gRPC: `7070`, `7071`

These ports are accessible to `localhost` by default. The listening address can be configured by following the configuration guide. TorchServe does not prevent users from configuring the address to be `0.0.0.0`. Please be aware of the security risks if you use `0.0.0.0`: the endpoints on the ports above become reachable from every network interface on the host.
TorchServe's Docker image is configured to expose the ports `8080`, `8081`, `8082`, `7070` and `7071` to the host by default (https://github.com/pytorch/serve/blob/master/docker/Dockerfile). When these ports are mapped to the host, make sure to use `localhost` or a specific IP address.
Be sure to validate the authenticity of the `.mar` file being used with TorchServe.
- A `.mar` file downloaded from the internet from an untrusted source may contain malicious code, compromising the integrity of your application.
- TorchServe executes arbitrary Python code packaged in the `.mar` file. Make sure that you have either audited the code you are using and found it safe, and/or that it comes from a source you trust.
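The two bullets above amount to a pre-registration gate: pin the archive to a digest you obtained out of band, and look at what code the archive will cause TorchServe to execute before registering it. The following is an added example, not code from the TorchServe project. It builds a small constructed archive in memory so it runs offline; the archive layout it assumes (a zip containing `MAR-INF/MANIFEST.json` plus handler `.py` files) and the function names are this example's own.

```python
import hashlib
import io
import json
import zipfile

# Fixed timestamp so the constructed archive's bytes (and therefore its digest) are
# reproducible across runs.
_FIXED_TIME = (2020, 1, 1, 0, 0, 0)


def _add(zf: zipfile.ZipFile, name: str, payload) -> None:
    info = zipfile.ZipInfo(name, date_time=_FIXED_TIME)
    zf.writestr(info, payload)


def build_sample_mar(tampered: bool = False) -> bytes:
    """Constructed sample archive (assumption: .mar is a zip with MAR-INF/MANIFEST.json).
    With tampered=True an entry with a '..' path component is added, the kind of member a
    reviewer wants flagged before extraction."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        _add(zf, "MAR-INF/MANIFEST.json",
             json.dumps({"model": {"modelName": "demo", "handler": "handler.py"}}))
        _add(zf, "handler.py", "def handle(data, context):\n    return data\n")
        _add(zf, "model.pt", b"\x00" * 16)
        if tampered:
            _add(zf, "../escape.py", "print('outside the model directory')\n")
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_mar(data: bytes, expected_sha256: str) -> bool:
    """Pinned-digest check. The expected digest must come from somewhere other than the
    download itself (your own build, or a channel you trust); a mismatch means do not register."""
    return sha256_hex(data) == expected_sha256.lower()


def inspect_mar(data: bytes) -> dict:
    """Return what an auditor needs: the manifest, every Python member (the code TorchServe
    will run), and any member whose path escapes the extraction directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = None
        if "MAR-INF/MANIFEST.json" in names:
            manifest = json.loads(zf.read("MAR-INF/MANIFEST.json"))
        python_files = sorted(n for n in names if n.endswith(".py"))
        # Absolute paths or '..' components would land files outside the model store.
        suspicious = sorted(n for n in names if n.startswith("/") or ".." in n.split("/"))
    return {"manifest": manifest, "python_files": python_files, "suspicious_paths": suspicious}


if __name__ == "__main__":
    archive = build_sample_mar()
    pinned = sha256_hex(archive)  # in practice: recorded when the archive was built or vetted
    print("digest ok:", verify_mar(archive, pinned))
    print("review before registering:", inspect_mar(archive))
    print("tampered archive:", inspect_mar(build_sample_mar(tampered=True))["suspicious_paths"])
```

Run `inspect_mar` on every archive before it reaches the model store and read each listed `.py` member; `verify_mar` only tells you the bytes are the ones you vetted, not that they are safe.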
By default TorchServe allows you to register models from all URLs. Make sure to set the `allowed_urls` parameter in config.properties to restrict this. You can find more details in the configuration guide. `use_env_allowed_urls=true` is required in config.properties to read `allowed_urls` from an environment variable.
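The listening-address and `allowed_urls` settings discussed above both live in config.properties, so one check can cover both. The following is an added example, not code from the TorchServe project: a small audit of a config.properties text that flags `0.0.0.0` bindings, plaintext HTTP listeners, a missing or catch-all `allowed_urls`, and the case where `use_env_allowed_urls=true` moves that value out of the file. `inference_address`, `management_address`, `metrics_address`, `allowed_urls` and `use_env_allowed_urls` are TorchServe config.properties keys; the two sample configurations and the internal hostname in them are constructed for this example.

```python
import re

# Constructed sample: the defaults-style configuration a practitioner should not ship.
WEAK_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
metrics_address=http://0.0.0.0:8082
# allowed_urls not set: models can be registered from any URL
"""

# Constructed sample: loopback-only HTTPS listeners and a restricted registration source.
HARDENED_CONFIG = """\
inference_address=https://127.0.0.1:8080
management_address=https://127.0.0.1:8081
metrics_address=https://127.0.0.1:8082
allowed_urls=https://models\\.example\\.internal/.*
use_env_allowed_urls=false
"""

ADDRESS_KEYS = ("inference_address", "management_address", "metrics_address")
# Patterns that accept any URL and therefore do not restrict registration at all.
CATCH_ALL = {".*", "http(s)?://.*", "https?://.*", "file://.*|http(s)?://.*"}


def parse_properties(text: str) -> dict:
    """Minimal .properties reader: key=value lines, '#'/'!' comments, blank lines ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_config(text: str) -> list:
    """Return a list of findings; an empty list means none of the checked risks was seen."""
    props = parse_properties(text)
    findings = []
    for key in ADDRESS_KEYS:
        value = props.get(key)
        if value is None:
            continue
        m = re.match(r"^(https?)://(.+?)(?::(\d+))?$", value)
        if not m:
            findings.append(f"{key}: unparseable address {value!r}")
            continue
        scheme, host = m.group(1), m.group(2)
        if host == "0.0.0.0":
            findings.append(f"{key}: binds 0.0.0.0, reachable from every interface on the host")
        if scheme == "http":
            findings.append(f"{key}: plaintext http listener; enable SSL")
    if props.get("use_env_allowed_urls", "false").lower() == "true":
        findings.append("use_env_allowed_urls=true: allowed_urls comes from the environment; "
                        "verify that variable is set and restrictive")
    elif "allowed_urls" not in props:
        findings.append("allowed_urls: not set; models can be registered from any URL")
    elif any(p.strip() in CATCH_ALL for p in props["allowed_urls"].split(",")):
        findings.append("allowed_urls: contains a catch-all pattern; restrict it to trusted sources")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}:")
        for finding in audit_config(cfg) or ["no findings"]:
            print("  -", finding)
```

The audit is deliberately conservative: it reads only the file, so a restrictive value supplied through the environment when `use_env_allowed_urls=true` still shows up as something to verify by hand.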
Enable SSL: TorchServe supports two ways to configure SSL:
- Using a keystore
- Using private-key/certificate files

You can find more details in the configuration guide.
If you find a serious vulnerability, please report it to [email protected] and [email protected].