feat(nginx): Make nginx Non-root & Read-only-friendly #13384
kiblik wants to merge 10000 commits into DefectDojo:dev from
Conversation
Bumps [cryptography](https://github.com/pyca/cryptography) from 45.0.6 to 45.0.7. - [Changelog](https://github.com/pyca/cryptography/blob/45.0.7/CHANGELOG.rst) - [Commits](pyca/cryptography@45.0.6...45.0.7) --- updated-dependencies: - dependency-name: cryptography dependency-version: 45.0.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [django-dbbackup](https://github.com/Archmonger/django-dbbackup) from 4.3.0 to 5.0.0. - [Release notes](https://github.com/Archmonger/django-dbbackup/releases) - [Changelog](https://github.com/Archmonger/django-dbbackup/blob/master/CHANGELOG.md) - [Commits](Archmonger/django-dbbackup@4.3.0...5.0.0) --- updated-dependencies: - dependency-name: django-dbbackup dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.40.20 to 1.40.21. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.40.20...1.40.21) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.40.21 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…e.json) (DefectDojo#13085) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…efectDojo#13082) * msteams: Use adaptive cards format * update docs * revert webhook scan_added_empty
…/workflows/pr-labeler.yml) (DefectDojo#13102) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…hub/workflows/validate_docs_build.yml) (DefectDojo#13103) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…ws/test-helm-chart.yml) (DefectDojo#13107) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…se-stale.yml) (DefectDojo#13108) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.40.21 to 1.40.23. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.40.21...1.40.23) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.40.23 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
) * 🎉 Add number of fix_available information to test view * Update dojo/templates/dojo/view_test.html Co-authored-by: valentijnscholten <valentijnscholten@gmail.com> --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
…jo#12900) * test cases: fix caching of system settings * fix tests * fix caching for github * fix caching for github * simplify cache loading * post process only when needed * set tags on (re)import * rebase set tags * reduce save with options * update counts, reduce saves with options * importers: do not save again, but postprocess directly * update counts * optimize hash_code setting * fix counts * set hash code for new findings in reimport * make smaller second save work * make smaller second save work - add no_options * update query counts * improve we_want_async decorator * test performance: force async * fix async stuff in perf test * fix async stuff in perf test * fix async stuff in perf test * update counts * remove logging * perf3b: compute hash_code on first save * fix cve for reimport * ruff * fix no async * Merge remote-tracking branch 'upstream/dev' into perf3-reduce-saves
…0 (.github/workflows/release-3-master-into-dev.yml) (DefectDojo#13111) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…thub/workflows/pr-labeler.yml) (DefectDojo#13113) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.40.23 to 1.40.24. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.40.23...1.40.24) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.40.24 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.12.11 to 0.12.12. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](astral-sh/ruff@0.12.11...0.12.12) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.12.12 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [markdown](https://github.com/Python-Markdown/markdown) from 3.8.2 to 3.9. - [Release notes](https://github.com/Python-Markdown/markdown/releases) - [Changelog](https://github.com/Python-Markdown/markdown/blob/master/docs/changelog.md) - [Commits](Python-Markdown/markdown@3.8.2...3.9.0) --- updated-dependencies: - dependency-name: markdown dependency-version: '3.9' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pygithub](https://github.com/pygithub/pygithub) from 2.7.0 to 2.8.1. - [Release notes](https://github.com/pygithub/pygithub/releases) - [Changelog](https://github.com/PyGithub/PyGithub/blob/main/doc/changes.rst) - [Commits](PyGithub/PyGithub@v2.7.0...v2.8.1) --- updated-dependencies: - dependency-name: pygithub dependency-version: 2.8.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…github/workflows/release-3-master-into-dev.yml) (DefectDojo#13112) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…Dojo#13120) Co-authored-by: Jino Tesauro <jino@defectdojo.com>
* add about_deduplication png * update changelog 2.50 * update changelog 2.50 --------- Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
* semgrep pro: parse sast finding * update docs
* 🐛 Implement Wazuh v4.8 * update unittests * update * fix * fix * fix * update unittests * update * fix unittest * review
….51.0-2.52.0-dev Release: Merge back 2.51.0 into dev from: master-into-dev/2.51.0-2.52.0-dev
Bumps [django-pghistory](https://github.com/AmbitionEng/django-pghistory) from 3.7.0 to 3.8.3. - [Release notes](https://github.com/AmbitionEng/django-pghistory/releases) - [Changelog](https://github.com/AmbitionEng/django-pghistory/blob/main/CHANGELOG.md) - [Commits](AmbitionEng/django-pghistory@3.7.0...3.8.3) --- updated-dependencies: - dependency-name: django-pghistory dependency-version: 3.8.3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…pose.yml) (DefectDojo#13325) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps vulners from 2.3.7 to 3.1.1. --- updated-dependencies: - dependency-name: vulners dependency-version: 3.1.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [social-auth-app-django](https://github.com/python-social-auth/social-app-django) from 5.4.3 to 5.5.1. - [Release notes](https://github.com/python-social-auth/social-app-django/releases) - [Changelog](https://github.com/python-social-auth/social-app-django/blob/master/CHANGELOG.md) - [Commits](python-social-auth/social-app-django@5.4.3...5.5.1) --- updated-dependencies: - dependency-name: social-auth-app-django dependency-version: 5.5.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [jira](https://github.com/pycontribs/jira) from 3.8.0 to 3.10.5. - [Release notes](https://github.com/pycontribs/jira/releases) - [Changelog](https://github.com/pycontribs/jira/blob/main/RELEASE.md) - [Commits](pycontribs/jira@3.8.0...3.10.5) --- updated-dependencies: - dependency-name: jira dependency-version: 3.10.5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…workflows/close-stale.yml) (DefectDojo#13349) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
… v2.4.0 (.github/workflows/release-x-manual-helm-chart.yml) (DefectDojo#13358) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.40.44 to 1.40.46. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.40.44...1.40.46) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.40.46 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…jo#13210) * fix: add missing resources, securityContext and env entries * chore: docs and schema * fix: missing securityContext for initializer job * fix: add resources to all cloudsql containers * chore: add missing explicit namespace * chore: refactor, split container and pod security context * chore: docs and schema * fix: lint * chore: sort helper * fix: lint and add changes to release notes * chore: trigger CI * chore: move to 2.52, fix pending issues * chore: docs
Bumps [social-auth-core](https://github.com/python-social-auth/social-core) from 4.7.0 to 4.8.0. - [Release notes](https://github.com/python-social-auth/social-core/releases) - [Changelog](https://github.com/python-social-auth/social-core/blob/master/CHANGELOG.md) - [Commits](python-social-auth/social-core@4.7.0...4.8.0) --- updated-dependencies: - dependency-name: social-auth-core dependency-version: 4.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* ⬆️ Bump ruff from 0.13.2 to 0.13.3 * bump * fix * Update settings.dist.py * Update requirements-lint.txt
3352df0 to f02448f
@mtesauro does this fit into your plans for image hardening?
TBH, I was going to start with the DefectDojo/Django containers first as those are the containers where we have the most code / do the most modifications. Changing the UID to under the typical 1000+ is interesting but I don't believe it will cause issues for k8s and it also seems that OpenShift has stopped wanting specific UIDs based on this so this shouldn't hurt those using k8s or compose currently as far as I can tell.

I can test this PR out when it's not a draft as well
This pull request has conflicts, please resolve those before we can evaluate the pull request.

The current issue with this PR is that as soon as the process tries to modify configs execution fails (because FS is read-only). I'm considering creating a separate PR that will be responsible for generating the final config, which will be on a read-write location. It would combine multiple partial definitions of the
Fix #11031
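The comment above describes the failure mode of a read-only root filesystem: nginx tries to write its configuration and runtime files (pid file, temp directories) into paths that are no longer writable, and start-up fails. The entrypoint sketch below is an added example, not code from this PR or from the DefectDojo project. It shows the pattern the comment proposes: render the final config from a template into a writable runtime directory (a tmpfs mount in a container) and point nginx's `pid` and `*_temp_path` directives there, plus a check that a non-root nginx is asked to bind only an unprivileged port (below 1024 needs `CAP_NET_BIND_SERVICE`). The template content, the placeholder names, the `NGINX_RUNTIME_DIR`, `LISTEN_PORT`, `UPSTREAM_HOST` and `UPSTREAM_PORT` variables, their defaults and the `RUN_AS_ENTRYPOINT` guard are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not DefectDojo's code): render nginx config into a writable
# runtime directory so the image can run non-root with a read-only rootfs.
set -eu

# Writable location; in a container this is assumed to be a tmpfs mount.
NGINX_RUNTIME_DIR="${NGINX_RUNTIME_DIR:-/tmp/nginx-runtime}"

# Constructed sample template. Placeholders are substituted at start-up; pid
# and temp paths point into the runtime dir because /run and /var/cache/nginx
# are read-only in the hardened image.
write_sample_template() {
  cat <<'EOF'
pid __RUNTIME_DIR__/nginx.pid;
client_body_temp_path __RUNTIME_DIR__/client_body;
proxy_temp_path __RUNTIME_DIR__/proxy;
server {
    listen __LISTEN_PORT__;
    location / { proxy_pass http://__UPSTREAM_HOST__:__UPSTREAM_PORT__; }
}
EOF
}

# check_writable DIR: succeeds only if DIR exists and this user can write to it.
check_writable() {
  [ -d "$1" ] && [ -w "$1" ]
}

# unprivileged_port PORT: non-root nginx can bind only ports >= 1024
# (unless the binary carries CAP_NET_BIND_SERVICE).
unprivileged_port() {
  [ "$1" -ge 1024 ]
}

# render_config TEMPLATE OUTPUT: substitute placeholders (defaults are
# assumptions of this example) and print the path of the rendered file.
render_config() {
  template="$1"
  output="$2"
  mkdir -p "$NGINX_RUNTIME_DIR/client_body" "$NGINX_RUNTIME_DIR/proxy"
  sed -e "s|__RUNTIME_DIR__|$NGINX_RUNTIME_DIR|g" \
      -e "s|__LISTEN_PORT__|${LISTEN_PORT:-8080}|g" \
      -e "s|__UPSTREAM_HOST__|${UPSTREAM_HOST:-app}|g" \
      -e "s|__UPSTREAM_PORT__|${UPSTREAM_PORT:-8000}|g" \
      "$template" > "$output"
  printf '%s\n' "$output"
}

main() {
  # Fail loudly before touching nginx if the runtime dir is not writable.
  mkdir -p "$NGINX_RUNTIME_DIR" 2>/dev/null || true
  check_writable "$NGINX_RUNTIME_DIR" || {
    echo "runtime dir $NGINX_RUNTIME_DIR is not writable" >&2; exit 1; }
  unprivileged_port "${LISTEN_PORT:-8080}" || {
    echo "non-root nginx needs LISTEN_PORT >= 1024" >&2; exit 1; }
  # Use a mounted template if present (assumed path), else the sample one.
  tmpl="${NGINX_TEMPLATE:-$NGINX_RUNTIME_DIR/nginx.conf.template}"
  [ -f "$tmpl" ] || write_sample_template > "$tmpl"
  conf=$(render_config "$tmpl" "$NGINX_RUNTIME_DIR/nginx.conf")
  # -c loads the rendered file from the writable dir; the image copy stays untouched.
  exec nginx -c "$conf" -g 'daemon off;'
}

# Only start nginx when explicitly run as the container entrypoint.
if [ "${RUN_AS_ENTRYPOINT:-0}" = "1" ]; then
  main
fi
```

With `RUN_AS_ENTRYPOINT=1` this replaces the usual `CMD ["nginx", "-g", "daemon off;"]`; the rendered file can be validated before first start with `nginx -t -c "$NGINX_RUNTIME_DIR/nginx.conf"`. Everything nginx needs to write lives under `NGINX_RUNTIME_DIR`, so the container can be started with a read-only root filesystem and a single writable tmpfs at that path.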