
chore: [#432] upgrade Caddy to 2.11.2 and document CVE analysis #455

Merged

josecelano merged 1 commit into main from 432-caddy-cves on Apr 15, 2026

Conversation

@josecelano (Member)

Summary

Upgrades Caddy from 2.10.2 to 2.11.2 (latest as of 2026-04-14). Meaningful reduction in vulnerabilities but 2 CRITICAL CVEs remain in upstream binary dependencies — issue left open for revisit.

Related to #432

Changes

  • templates/docker-compose/docker-compose.yml.tera: bump Caddy tag 2.10.2 → 2.11.2
  • .github/workflows/docker-security-scan.yml: update scan matrix and example comment
  • docs/security/docker/scans/caddy.md: update header, current status, add Apr 15 scan history entry
  • docs/security/docker/scans/README.md: update Caddy row
  • docs/issues/432-caddy-cves.md: fill in Outcome section, check steps
  • project-words.txt: add SCEP

Scan Results

Version Comparison

| Version | HIGH | CRITICAL |
|---------|------|----------|
| 2.10    | 18   | 6        |
| 2.10.2  | 14   | 4        |
| 2.11.2  | 10   | 2        |

Remaining CRITICAL CVEs in 2.11.2 (upstream binary, cannot be fixed without a Caddy release)

| CVE | Library | Fix | Notes |
|-----|---------|-----|-------|
| CVE-2026-30836 | smallstep/certificates | 0.30.0 | Unauthenticated SCEP cert issuance |
| CVE-2026-33186 | google.golang.org/grpc | 1.79.3 | Authorization bypass via HTTP/2 path ⚠️ network-accessible |

Issue #432 left open — will revisit when Caddy ships updated grpc-go (≥1.79.3) and smallstep/certificates (≥0.30.0).
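One way to check the revisit criterion above against a built Caddy binary, as an added example that is not part of this PR or the project: Go embeds the module list in every binary and `go version -m <binary>` prints it, so the script below parses that output and flags the two dependencies that are still below the fix versions quoted in the description. The sample output, its dependency versions and its checksums are constructed placeholders, not what Caddy 2.11.2 actually ships.

```python
import re
import subprocess

# Minimum fixed versions quoted in the PR description (module path -> version).
REQUIRED = {
    "google.golang.org/grpc": "v1.79.3",             # CVE-2026-33186
    "github.com/smallstep/certificates": "v0.30.0",  # CVE-2026-30836
}

# Constructed sample of `go version -m caddy` output. The dependency versions
# and checksums are placeholders, not what Caddy 2.11.2 actually ships.
SAMPLE_OUTPUT = (
    "caddy: go1.24.0\n"
    "\tpath\tgithub.com/caddyserver/caddy/v2/cmd/caddy\n"
    "\tmod\tgithub.com/caddyserver/caddy/v2\tv2.11.2\th1:PLACEHOLDER=\n"
    "\tdep\tgoogle.golang.org/grpc\tv1.79.1\th1:PLACEHOLDER=\n"
    "\tdep\tgithub.com/smallstep/certificates\tv0.30.0\th1:PLACEHOLDER=\n"
)

def parse_version(v):
    """'v1.79.3' -> (1, 79, 3); pre-release/build suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v}")
    return tuple(int(x) for x in m.groups())

def embedded_modules(go_version_output):
    """Map module path -> version for each 'mod'/'dep' line of `go version -m`."""
    mods = {}
    for line in go_version_output.splitlines():
        fields = line.split("\t")  # indented lines: ['', kind, path, version, sum]
        if len(fields) >= 4 and fields[1] in ("mod", "dep"):
            mods[fields[2]] = fields[3]
    return mods

def unresolved_fixes(go_version_output):
    """Module paths linked into the binary below their fixed version.
    A module absent from the binary is not linked in, so it is not flagged."""
    mods = embedded_modules(go_version_output)
    return [path for path, fixed in REQUIRED.items()
            if path in mods and parse_version(mods[path]) < parse_version(fixed)]

def check_binary(binary="caddy"):
    """Run `go version -m` on a real binary (needs the Go toolchain installed)."""
    out = subprocess.run(["go", "version", "-m", binary], check=True,
                         capture_output=True, text=True).stdout
    return unresolved_fixes(out)

if __name__ == "__main__":
    print(unresolved_fixes(SAMPLE_OUTPUT))  # ['google.golang.org/grpc']
```

Running `check_binary("/path/to/caddy")` against the binary inside the image is a cheap gate to add to the scan workflow: an empty list means both upstream fixes have landed and #432 can be closed.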

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@josecelano (Member, Author)

ACK 36fd5c3

@josecelano josecelano merged commit 49f24b4 into main Apr 15, 2026
41 checks passed


2 participants