maintenance: Add note about postgresql18 path change to v2.51 upgrade notes. #13496
pageinsec wants to merge 76 commits into DefectDojo:bugfix from
Conversation
….51.0-2.52.0-dev Release: Merge back 2.51.0 into dev from: master-into-dev/2.51.0-2.52.0-dev
Bumps [django-pghistory](https://github.com/AmbitionEng/django-pghistory) from 3.7.0 to 3.8.3. - [Release notes](https://github.com/AmbitionEng/django-pghistory/releases) - [Changelog](https://github.com/AmbitionEng/django-pghistory/blob/main/CHANGELOG.md) - [Commits](AmbitionEng/django-pghistory@3.7.0...3.8.3) --- updated-dependencies: - dependency-name: django-pghistory dependency-version: 3.8.3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…pose.yml) (DefectDojo#13325) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps vulners from 2.3.7 to 3.1.1. --- updated-dependencies: - dependency-name: vulners dependency-version: 3.1.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [social-auth-app-django](https://github.com/python-social-auth/social-app-django) from 5.4.3 to 5.5.1. - [Release notes](https://github.com/python-social-auth/social-app-django/releases) - [Changelog](https://github.com/python-social-auth/social-app-django/blob/master/CHANGELOG.md) - [Commits](python-social-auth/social-app-django@5.4.3...5.5.1) --- updated-dependencies: - dependency-name: social-auth-app-django dependency-version: 5.5.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [jira](https://github.com/pycontribs/jira) from 3.8.0 to 3.10.5. - [Release notes](https://github.com/pycontribs/jira/releases) - [Changelog](https://github.com/pycontribs/jira/blob/main/RELEASE.md) - [Commits](pycontribs/jira@3.8.0...3.10.5) --- updated-dependencies: - dependency-name: jira dependency-version: 3.10.5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…workflows/close-stale.yml) (DefectDojo#13349) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
… v2.4.0 (.github/workflows/release-x-manual-helm-chart.yml) (DefectDojo#13358) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.40.44 to 1.40.46. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.40.44...1.40.46) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.40.46 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…jo#13210) * fix: add missing resources, securityContext and env entries * chore: docs and schema * fix: missing securityContext for initializer job * fix: add resources to all cloudsql containers * chore: add missing explicit namespace * chore: refactor, split container and pod security context * chore: docs and schema * fix: lint * chore: sort helper * fix: lint and add changes to release notes * chore: trigger CI * chore: move to 2.52, fix pending issues * chore: docs
Bumps [social-auth-core](https://github.com/python-social-auth/social-core) from 4.7.0 to 4.8.0. - [Release notes](https://github.com/python-social-auth/social-core/releases) - [Changelog](https://github.com/python-social-auth/social-core/blob/master/CHANGELOG.md) - [Commits](python-social-auth/social-core@4.7.0...4.8.0) --- updated-dependencies: - dependency-name: social-auth-core dependency-version: 4.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* ⬆️ Bump ruff from 0.13.2 to 0.13.3 * bump * fix * Update settings.dist.py * Update requirements-lint.txt
…fectDojo#13396) Bumps [datatables.net-colreorder](https://github.com/DataTables/Dist-DataTables-ColReorder) from 2.1.1 to 2.1.2. - [Release notes](https://github.com/DataTables/Dist-DataTables-ColReorder/releases) - [Commits](DataTables/Dist-DataTables-ColReorder@2.1.1...2.1.2) --- updated-dependencies: - dependency-name: datatables.net-colreorder dependency-version: 2.1.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.40.46 to 1.40.49. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.40.46...1.40.49) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.40.49 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [social-auth-core](https://github.com/python-social-auth/social-core) from 4.8.0 to 4.8.1. - [Release notes](https://github.com/python-social-auth/social-core/releases) - [Changelog](https://github.com/python-social-auth/social-core/blob/master/CHANGELOG.md) - [Commits](python-social-auth/social-core@4.8.0...4.8.1) --- updated-dependencies: - dependency-name: social-auth-core dependency-version: 4.8.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…v (docker-compose.yml) (DefectDojo#13386) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…8.0-alpine (docker-compose.yml) (DefectDojo#13385) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…/package.json) (DefectDojo#13382) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…rkflows/test-helm-chart.yml) (DefectDojo#13374) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [social-auth-app-django](https://github.com/python-social-auth/social-app-django) from 5.5.1 to 5.6.0. - [Release notes](https://github.com/python-social-auth/social-app-django/releases) - [Changelog](https://github.com/python-social-auth/social-app-django/blob/master/CHANGELOG.md) - [Commits](python-social-auth/social-app-django@5.5.1...5.6.0) --- updated-dependencies: - dependency-name: social-auth-app-django dependency-version: 5.6.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [python-gitlab](https://github.com/python-gitlab/python-gitlab) from 6.4.0 to 6.5.0. - [Release notes](https://github.com/python-gitlab/python-gitlab/releases) - [Changelog](https://github.com/python-gitlab/python-gitlab/blob/main/CHANGELOG.md) - [Commits](python-gitlab/python-gitlab@v6.4.0...v6.5.0) --- updated-dependencies: - dependency-name: python-gitlab dependency-version: 6.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.40.54 to 1.40.55. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.40.54...1.40.55) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.40.55 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….51.2-2.52.0-dev Release: Merge back 2.51.2 into dev from: master-into-dev/2.51.2-2.52.0-dev
Thanks @pageinsec, scheduled to be merged as part of Monday's release.
Oh wait, @pageinsec can you base it against
Should be able to - let me check. May require an update and lose some comments.
Ugh, that got ugly. Going to make a new branch and PR against that branch.
🔴 Risk threshold exceeded. This pull request contains two findings: the CI workflow (.github/workflows/k8s-tests.yml) pins Django and Nginx images to the mutable "latest" tag, which can cause non-reproducible or vulnerable test runs, and a sensitive edit was detected on dojo/apps.py (with sensitive-path handling configurable in .dryrunsecurity.yaml).
🔴 Configured Codepaths Edit in dojo/apps.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
Insecure Use of 'latest' Image Tag in .github/workflows/k8s-tests.yml
| Vulnerability | Insecure Use of 'latest' Image Tag |
|---|---|
| Description | The .github/workflows/k8s-tests.yml workflow explicitly sets images.django.image.tag=latest and images.nginx.image.tag=latest for the Helm deployment. While this workflow is for testing Kubernetes deployments, using the latest tag for container images is generally insecure and problematic. The latest tag is mutable, meaning the underlying image can change without any modification to the workflow file. This can lead to non-reproducible test runs, flaky tests, and the introduction of unexpected breaking changes or even new vulnerabilities into the test environment without explicit awareness or auditing. Although it's a test workflow, inconsistent test environments can undermine the reliability and value of the tests. |
Referenced: django-DefectDojo/.github/workflows/k8s-tests.yml, lines 72 to 73 in 14d8d68
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
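The finding above boils down to a lintable rule: any Helm `--set ...image.tag=` value that is empty or a floating name such as `latest` is a mutable reference and should be flagged before the workflow runs. The check below is an added example, not DryRun Security's or DefectDojo's code; the two `images.django.image.tag` and `images.nginx.image.tag` keys come from the finding, while the other keys, the sample values and the list of tags treated as floating are constructed assumptions.

```python
# Constructed sample of Helm `--set` arguments as a CI step might pass them.
# The first entry mirrors the two keys named in the finding; the rest are made up.
SAMPLE_SET_ARGS = [
    "images.django.image.tag=latest,images.nginx.image.tag=latest",
    "images.redis.image.tag=7.4.2-alpine",   # versioned tag, accepted
    "images.initializer.image.tag=",         # empty tag resolves to :latest at pull time
    "replicaCount=2",                        # not an image tag, ignored
]

# Tag names conventionally used as moving pointers (assumed policy list, extend as needed).
FLOATING_TAGS = {"latest", "stable", "main", "master", "dev", "edge"}


def classify_tag(value: str) -> str:
    """Return 'mutable' for an empty or floating tag, 'pinned' for anything else."""
    value = value.strip()
    if value == "" or value.lower() in FLOATING_TAGS:
        return "mutable"
    # A versioned tag can still be re-pushed, but it is at least auditable and
    # does not silently change between runs the way `latest` does.
    return "pinned"


def find_mutable_image_tags(set_args):
    """Map every `*.tag` key in the --set arguments to its value if that value is mutable.

    Each argument may carry several comma-separated key=value pairs, as Helm allows.
    """
    findings = {}
    for arg in set_args:
        for pair in arg.split(","):
            key, sep, value = pair.partition("=")
            if not sep or not key.strip().endswith(".tag"):
                continue
            if classify_tag(value) == "mutable":
                findings[key.strip()] = value.strip()
    return findings


if __name__ == "__main__":
    for key, value in find_mutable_image_tags(SAMPLE_SET_ARGS).items():
        print(f"mutable image tag: --set {key}={value!r}")
```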
Description
Added note about postgres18 path to OS v2.51 upgrade notes.