
Conversation

kiblik (Contributor) commented Oct 7, 2025

The tag and repositoryPrefix fields have been deprecated. Currently, image tags used in containers are derived by default from the appVersion defined in the Chart.
This behavior can be overridden by setting the tag value in images.django and images.nginx.
If fine-tuning is necessary, each container’s image value can also be customized individually (celery.beat.image, celery.worker.image, django.nginx.image, django.uwsgi.image, initializer.image, and dbMigrationChecker.image).
Digest pinning is now supported as well.

@github-actions github-actions bot added the helm label Oct 7, 2025
@kiblik kiblik force-pushed the helm_images_tags_digests branch 11 times, most recently from 30976a7 to bd1b578 on October 8, 2025 10:12
@github-actions github-actions bot added the docs label Oct 8, 2025
@kiblik kiblik marked this pull request as ready for review October 8, 2025 10:16
dryrunsecurity bot commented Oct 8, 2025

DryRun Security

This pull request leaves image digests unset by default in the Helm chart (values.yaml), so mutable tags are used unless users manually pin digests, and it also uses the 'latest' image tag in the k8s test workflow; both create supply-chain and reproducibility risks. Both issues are non-blocking, but switching to immutable tags or digests is recommended for safer, reproducible deployments and tests.

Lack of Image Digest Pinning by Default in helm/defectdojo/values.yaml
Vulnerability: Lack of Image Digest Pinning by Default
Description: The Helm chart's default configuration in values.yaml sets the digest field for all container images to an empty string. The chart logic in _helpers.tpl falls back to using mutable tags when the digest is not provided. This creates a supply chain risk, as deployments are not guaranteed to be immutable. If an image tag is overwritten in the registry (e.g., a new 2.52.0-dev image is pushed), subsequent deployments will pull the new, potentially untested or malicious, image. While the chart adds support for digest pinning, it is not used by default, leaving users vulnerable unless they manually configure it.

      digest: ""
    nginx:
      image:
        registry: ""

Insecure Use of 'latest' Image Tag in CI in .github/workflows/k8s-tests.yml
Vulnerability: Insecure Use of 'latest' Image Tag in CI
Description: The .github/workflows/k8s-tests.yml workflow explicitly sets Docker image tags to 'latest' for both Django and Nginx images. While this workflow appears to be for testing the Helm chart in a Kubernetes environment, using mutable tags like 'latest' introduces non-reproducibility and supply chain risks. A 'latest' image can change at any time, meaning that a test run today might use a different image than a test run tomorrow, even if the workflow definition hasn't changed. This can lead to inconsistent test results, make debugging difficult, and potentially introduce vulnerabilities if a malicious or broken image is pushed as 'latest'. Best practices strongly recommend using immutable tags (e.g., specific version numbers or image digests) to ensure build reproducibility and security, even in test environments.

defectdojo \
./helm/defectdojo \
--set django.ingress.enabled=true \
--set images.django.image.tag=latest \
--set images.nginx.image.tag=latest \
--set imagePullPolicy=Never \
--set initializer.keepSeconds="-1" \
--set redis.enabled=true \


All finding details can be found in the DryRun Security Dashboard.
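The resolution order the PR description gives (a per-container image value, then the images.django / images.nginx tag, then the Chart appVersion, with a digest taking priority whenever one is set) and the DryRun finding that an empty digest leaves every container on a mutable tag can both be checked before a deploy. The Python below is an added example written for this page; it is not code from the DefectDojo chart, from _helpers.tpl or from the PR. It models that precedence as plain functions over a constructed values.yaml-like dict, reports which containers would still be pulled by tag, and emits the --set flags that would pin them. The field layout, the sample repositories and the sha256 values are assumptions made for illustration; a real digest would be obtained from the registry (for instance with crane digest) and passed as the corresponding image.digest value.

```python
"""Added example (not DefectDojo chart code): model Helm image resolution and
flag containers that would run from a mutable tag instead of a digest."""
import re
from typing import Dict, Optional, Tuple

# OCI digest shape an '@<digest>' suffix must have: 'sha256:' followed by 64 hex chars.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def validate_digest(digest: str) -> bool:
    """Return True when `digest` is a well-formed sha256 digest string."""
    return bool(DIGEST_RE.match(digest))


def resolve_image(app_version: str, shared: dict, override: Optional[dict] = None) -> str:
    """Render one container's image reference.

    Precedence (an assumption modelled on the PR description, not the chart's
    actual template): a non-empty field in the per-container override wins, then
    the shared images.<role> block, and an empty tag falls back to the Chart
    appVersion. A digest, when present, yields '<name>@sha256:...', which the
    registry cannot re-point; otherwise '<name>:<tag>', which it can.
    """
    cfg = dict(shared)
    for key, value in (override or {}).items():
        if value:  # "" in values.yaml means "unset", so it must not shadow the shared value
            cfg[key] = value
    registry = cfg.get("registry", "").rstrip("/")
    name = f"{registry}/{cfg['repository']}" if registry else cfg["repository"]
    digest = cfg.get("digest", "")
    if digest:
        if not validate_digest(digest):
            raise ValueError(f"malformed digest {digest!r}; expected sha256:<64 hex chars>")
        return f"{name}@{digest}"
    return f"{name}:{cfg.get('tag') or app_version}"


def is_pinned(reference: str) -> bool:
    """A reference is immutable only when it carries a digest."""
    return "@sha256:" in reference


# Constructed stand-ins for Chart.yaml appVersion and a values.yaml. The container
# keys are values paths the PR description lists; the repository names only follow
# the project's naming, and the digest is made up. Treat all of it as sample data.
SAMPLE_APP_VERSION = "2.52.0"
SAMPLE_VALUES = {
    "images": {
        "django": {"registry": "", "repository": "defectdojo/defectdojo-django", "tag": "", "digest": ""},
        "nginx": {"registry": "", "repository": "defectdojo/defectdojo-nginx", "tag": "", "digest": ""},
    },
    # path -> (which shared images.<role> block it inherits from, per-container override)
    "containers": {
        "django.uwsgi.image": ("django", {}),
        "django.nginx.image": ("nginx", {}),
        "celery.worker.image": ("django", {"digest": "sha256:" + "ab" * 32}),
    },
}


def audit_values(app_version: str, values: dict) -> Dict[str, Tuple[str, bool]]:
    """Resolve every container and record (reference, pinned?) per values path."""
    report = {}
    for path, (shared_key, override) in values["containers"].items():
        ref = resolve_image(app_version, values["images"][shared_key], override)
        report[path] = (ref, is_pinned(ref))
    return report


def mutable_containers(report: Dict[str, Tuple[str, bool]]) -> list:
    """Values paths that would be deployed from a tag the registry can overwrite."""
    return sorted(path for path, (_, pinned) in report.items() if not pinned)


def helm_set_flags(pins: Dict[str, str]) -> list:
    """Turn {values path: digest} into --set flags for helm upgrade/install,
    refusing anything that is not a well-formed digest."""
    for digest in pins.values():
        if not validate_digest(digest):
            raise ValueError(f"refusing to pin malformed digest {digest!r}")
    return [f"--set {path}.digest={digest}" for path, digest in sorted(pins.items())]


if __name__ == "__main__":
    report = audit_values(SAMPLE_APP_VERSION, SAMPLE_VALUES)
    for path, (ref, pinned) in report.items():
        print(f"{path:22} {'pinned ' if pinned else 'MUTABLE'} {ref}")
    print("unpinned:", mutable_containers(report))
```

With the sample values, only celery.worker.image resolves to a digest; the two containers left on the defaults resolve to defectdojo/...:2.52.0 and are reported as mutable, which is the situation the first DryRun finding describes. The digest check in helm_set_flags matters because a typo in a 64-character hex string would otherwise surface only as a pull failure at rollout. One caveat on the second finding: the workflow quoted above also passes imagePullPolicy=Never, so in that job the 'latest' tag refers to an image already loaded into the test cluster rather than one pulled from a registry; the audit here is aimed at deployments that do pull.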

@kiblik kiblik force-pushed the helm_images_tags_digests branch 2 times, most recently from d81e58a to 0767a9e on October 8, 2025 10:26
@valentijnscholten valentijnscholten added this to the 2.52.0 milestone Oct 8, 2025
mtesauro (Contributor) left a comment


Approved

@mtesauro mtesauro requested a review from rossops October 8, 2025 23:32
github-actions bot commented
This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions bot commented
Conflicts have been resolved. A maintainer will review the pull request shortly.

github-actions bot commented
This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions bot commented
Conflicts have been resolved. A maintainer will review the pull request shortly.

github-actions bot commented
Conflicts have been resolved. A maintainer will review the pull request shortly.

github-actions bot commented
This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions bot commented
Conflicts have been resolved. A maintainer will review the pull request shortly.

kiblik (Contributor, Author) commented Oct 16, 2025

@mtesauro / @Maffooch, GHA is failing because of some unrelated issue. Can we merge this PR as it is?

@valentijnscholten valentijnscholten merged commit 6b17b5e into DefectDojo:dev Oct 16, 2025
149 of 150 checks passed
@kiblik kiblik deleted the helm_images_tags_digests branch October 16, 2025 20:41

5 participants