helm charts: merge master into helm-charts branch #14049
valentijnscholten merged 10000 commits into DefectDojo:helm-charts from
Conversation
Bumps [boto3](https://github.com/boto/boto3) from 1.41.1 to 1.41.4. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.41.1...1.41.4) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.41.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…1 (helm/defectdojo/values.yaml) (DefectDojo#13726) * Update nginx/nginx-prometheus-exporter Docker tag from 1.4.2 to v1.5.1 (helm/defectdojo/values.yaml) * update Helm documentation --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: kiblik <[email protected]>
* feat(helm): Use Valkey Signed-off-by: kiblik <[email protected]> * apply changes from @fernandezcuesta Signed-off-by: kiblik <[email protected]> * adjustments Signed-off-by: kiblik <[email protected]> --------- Signed-off-by: kiblik <[email protected]> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…efectDojo#13781) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.41.4 to 1.41.5. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.41.4...1.41.5) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.41.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: kiblik <[email protected]>
Remove unnecessary error logging for finding group status.
…hub/workflows/renovate.yaml) (DefectDojo#13788) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…limiting JIRA: add retry/rate limit support
fix: enable uwsgi DD_UWSGI_EXTRA_ARGS passthrough
…-patch-3 Remove left over log statement
Release 2.53.0: Merge Bugfix into Dev
Release: Merge release into master from: release/2.53.0
…efectDojo#13787) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
….53.0-2.54.0-dev Release: Merge back 2.53.0 into dev from: master-into-dev/2.53.0-2.54.0-dev
…x/2.53.0-2.54.0-dev Release: Merge back 2.53.0 into bugfix from: master-into-bugfix/2.53.0-2.54.0-dev
…e.json) (DefectDojo#13792) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
… v2.5.0 (.github/workflows/release-x-manual-helm-chart.yml) (DefectDojo#13793) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [celery](https://github.com/celery/celery) from 5.5.3 to 5.6.0. - [Release notes](https://github.com/celery/celery/releases) - [Changelog](https://github.com/celery/celery/blob/main/Changelog.rst) - [Commits](celery/celery@v5.5.3...v5.6.0) --- updated-dependencies: - dependency-name: celery dependency-version: 5.6.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
) Bumps [django-pghistory](https://github.com/AmbitionEng/django-pghistory) from 3.8.3 to 3.9.0. - [Release notes](https://github.com/AmbitionEng/django-pghistory/releases) - [Changelog](https://github.com/AmbitionEng/django-pghistory/blob/main/CHANGELOG.md) - [Commits](AmbitionEng/django-pghistory@3.8.3...3.9.0) --- updated-dependencies: - dependency-name: django-pghistory dependency-version: 3.9.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…DefectDojo#13797) Bumps [drf-spectacular-sidecar](https://github.com/tfranzel/drf-spectacular-sidecar) from 2025.10.1 to 2025.12.1. - [Commits](tfranzel/drf-spectacular-sidecar@2025.10.1...2025.12.1) --- updated-dependencies: - dependency-name: drf-spectacular-sidecar dependency-version: 2025.12.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [psycopg[c]](https://github.com/psycopg/psycopg) from 3.2.13 to 3.3.0. - [Changelog](https://github.com/psycopg/psycopg/blob/master/docs/news_pool.rst) - [Commits](psycopg/psycopg@3.2.13...3.3.0) --- updated-dependencies: - dependency-name: psycopg[c] dependency-version: 3.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
wdyt @kiblik
🔴 Risk threshold exceeded. This pull request includes repeated sensitive edits to docker/entrypoint-uwsgi.sh and workflow security issues: a JavaScript injection risk in .github/workflows/release-1-create-pr.yml due to insufficient validation of the NEW_BRANCH value, and shell/JavaScript injection risks in .github/workflows/release-3-master-into-dev.yml where unvalidated workflow_dispatch inputs can lead to arbitrary command or code execution with access to the runner and GITHUB_TOKEN.
🔴 Configured Codepaths Edit in docker/entrypoint-uwsgi.sh
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
JavaScript Injection in 'actions/github-script' in .github/workflows/release-1-create-pr.yml
| Vulnerability | JavaScript Injection in 'actions/github-script' |
|---|---|
| Description | The 'NEW_BRANCH' environment variable is interpolated directly into a JavaScript string within an 'actions/github-script' block. This variable is derived from the 'release_number' input provided via 'workflow_dispatch'. While there are validation steps using 'grep' to check the format of 'release_number', this validation is insufficient because 'grep' returns a successful exit code if any line in a multiline input matches the pattern. An attacker can provide a multiline input where the first line passes validation and subsequent lines inject a malicious value for 'NEW_BRANCH' into the GITHUB_ENV file. When this value is interpolated into the JavaScript code, it allows for arbitrary code execution in the context of the runner, which has access to the GITHUB_TOKEN. |
django-DefectDojo/.github/workflows/release-1-create-pr.yml, lines 117 to 118 in b726042
Shell and JavaScript Injection via Release Inputs in .github/workflows/release-3-master-into-dev.yml
| Vulnerability | Shell and JavaScript Injection via Release Inputs |
|---|---|
| Description | The workflow 'release-3-master-into-dev.yml' uses 'workflow_dispatch' inputs 'release_number_new' and 'release_number_dev' directly in shell 'run' steps and 'github-script' blocks without any validation or sanitization. This allows an attacker with permission to trigger the workflow to execute arbitrary shell commands or JavaScript code in the context of the GitHub Actions runner. For example, providing a malicious string like 1.0.0"; touch /tmp/pwned; # as an input can lead to command execution. Similarly, in the 'github-script' step, inputs are interpolated into a JavaScript object literal, allowing for code injection that can exfiltrate secrets or perform unauthorized actions using the provided GITHUB_TOKEN. |
django-DefectDojo/.github/workflows/release-3-master-into-dev.yml, lines 49 to 52 in b726042
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
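The validation weakness the report describes (grep succeeding when any line of a multi-line input matches) shown beside a strict check that rejects anything but a single semver-style token. This is an added example for illustration, not code from the PR or from the DefectDojo workflows; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the DefectDojo workflows.
# Illustrates why a bare `grep` is a weak validator for a workflow_dispatch
# input that is later written to GITHUB_ENV and interpolated into a script.

# Weak check: grep -q succeeds if ANY line matches, so a value whose first
# line is a valid version and whose second line is arbitrary text still passes.
weak_check() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Strict check: reject the value if it contains anything other than digits and
# dots (this covers newlines, quotes, semicolons and spaces), then require the
# whole remaining single-line value to be MAJOR.MINOR.PATCH.
strict_check() {
    case "$1" in
        *[!0-9.]*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Constructed sample inputs: a clean release number and a two-line value.
SAMPLE_OK='2.53.0'
SAMPLE_MULTILINE="$(printf '2.53.0\nNEW_BRANCH=not-a-version')"
```

Even with strict validation, the safer workflow pattern is to pass the input to `run` steps as an environment variable (`env: VERSION: ${{ inputs.release_number }}` and `"$VERSION"` in the script) rather than interpolating `${{ }}` expressions directly into shell or JavaScript.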
Are unit tests expected to fail here?
I think because the branching point from master was so old, it doesn't pick up some of the workflows and some of them use old workflow definitions.
Maffooch left a comment
I'll be the last approver on Tuesday morning after the release from Monday is out the door
0437ef5 into DefectDojo:helm-charts
This PR merges the master branch into the helm-charts branch while making sure the helm chart files are all preserved including their history/commits. The reason for this PR being so big is that the helm-chart diverted from master in 2017. I think it's good to do this merge to make the helm-charts branch more in sync with master. Maybe at some point we need to add a step to the release process to do this "merge back" after every release (unless we split off the helm-chart into its own repo). With this branch checked out the helm chart files look OK, as well as the history. Also the github workflows now have the current content, which is maybe the prime reason for this PR.
This PR comes instead of #13425 which at the time of writing cannot be viewed on github.com. Maybe it's too big/complex or has too many conflicts?