
@kiblik kiblik commented Oct 12, 2025

helm-docs and helm-schema are capable of putting descriptions of the fields into the related places if they are correctly formatted in a values.yaml file.

@github-actions

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@kiblik kiblik force-pushed the helm_descriptions branch from 8a96bd2 to d0f795e Compare October 14, 2025 20:28
@github-actions

Conflicts have been resolved. A maintainer will review the pull request shortly.

@github-actions

Conflicts have been resolved. A maintainer will review the pull request shortly.

@kiblik kiblik marked this pull request as ready for review October 16, 2025 11:22
@kiblik kiblik force-pushed the helm_descriptions branch from 382c1c8 to c604605 Compare October 16, 2025 11:26
@valentijnscholten valentijnscholten added this to the 2.52.0 milestone Oct 16, 2025
@mtesauro mtesauro left a comment

Approved

@mtesauro mtesauro requested a review from rossops October 16, 2025 19:11
@github-actions

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@Maffooch Maffooch left a comment

Very nice! Approving since I trust you'll handle conflicts

@github-actions

Conflicts have been resolved. A maintainer will review the pull request shortly.

dryrunsecurity bot commented Oct 17, 2025

DryRun Security

This pull request introduces a Helm chart option (localsettingspy) that allows arbitrary Python code to be injected into DefectDojo’s local_settings.py via a ConfigMap, enabling an attacker who can modify Helm values to achieve Remote Code Execution because the input is not validated or sanitized. This is a high-risk configuration issue and should be mitigated (e.g., remove/disable arbitrary code injection, validate/sanitize input, or use safer configuration mechanisms).

Insecure Configuration of `localsettingspy` in helm/defectdojo/README.md
Vulnerability: Insecure Configuration of localsettingspy
Description: The localsettingspy parameter in the Helm chart allows for the injection of arbitrary Python code into the dojo/settings/local_settings.py file. This file is then mounted as a ConfigMap into the DefectDojo application pods. An attacker with permissions to modify Helm values could inject malicious Python code, which would be executed by the DefectDojo application, leading to Remote Code Execution (RCE). The current implementation does not sanitize or validate the input, making it directly exploitable.

| initializer.affinity | object | `{}` | |
| initializer.annotations | object | `{}` | |
| initializer.automountServiceAccountToken | bool | `false` | |
| initializer.containerSecurityContext | object | `{}` | Container security context for the initializer Job container |
| initializer.extraEnv | list | `[]` | Additional environment variables injected to the initializer job pods. |
| initializer.extraVolumeMounts | list | `[]` | Array of additional volume mount points for the initializer job (init)containers. |
| initializer.extraVolumes | list | `[]` | A list of extra volumes to attach to the initializer job pods. |
| initializer.image.digest | string | `""` | |
| initializer.image.registry | string | `""` | |
| initializer.image.repository | string | `""` | |
| initializer.image.tag | string | `""` | |
| initializer.jobAnnotations | object | `{}` | |
| initializer.keepSeconds | int | `60` | A positive integer will keep this Job and Pod deployed for the specified number of seconds, after which they will be removed. For all other values, the Job and Pod will remain deployed. |
| initializer.labels | object | `{}` | |
| initializer.nodeSelector | object | `{}` | |
| initializer.podSecurityContext | object | `{}` | Pod security context for the initializer Job |
| initializer.resources.limits.cpu | string | `"2000m"` | |
| initializer.resources.limits.memory | string | `"512Mi"` | |
| initializer.resources.requests.cpu | string | `"100m"` | |
| initializer.resources.requests.memory | string | `"256Mi"` | |
| initializer.run | bool | `true` | |
| initializer.staticName | bool | `false` | staticName defines whether name of the job will be the same (e.g., "defectdojo-initializer") or different every time - generated based on current time (e.g., "defectdojo-initializer-2024-11-11-18-57") This might be handy for ArgoCD deployments |
| initializer.tolerations | list | `[]` | |
| localsettingspy | string | `""` | To add code snippet which would extend setting functionality, you might add it here It will be stored as ConfigMap and mounted `dojo/settings/local_settings.py`. For more see: https://documentation.defectdojo.com/getting_started/configuration/ For example: ``` localsettingspy: | INSTALLED_APPS += ( 'debug_toolbar', ) MIDDLEWARE = [ 'debug_toolbar.middleware.DebugToolbarMiddleware', ] + MIDDLEWARE ``` |
| monitoring.enabled | bool | `false` | |
| monitoring.prometheus.containerSecurityContext | object | `{}` | Optional: container security context for nginx prometheus exporter |
| monitoring.prometheus.enabled | bool | `false` | Add the nginx prometheus exporter sidecar |
| monitoring.prometheus.extraEnv | list | `[]` | Optional: additional environment variables injected to the nginx prometheus exporter container |
| monitoring.prometheus.extraVolumeMounts | list | `[]` | Array of additional volume mount points for the nginx prometheus exporter |
| monitoring.prometheus.image.digest | string | `""` | |
| monitoring.prometheus.image.registry | string | `""` | |
| monitoring.prometheus.image.repository | string | `"nginx/nginx-prometheus-exporter"` | |
| monitoring.prometheus.image.tag | string | `"1.4.2"` | |
| monitoring.prometheus.imagePullPolicy | string | `"IfNotPresent"` | |
| monitoring.prometheus.resources | object | `{}` | Optional: add resource requests/limits for the nginx prometheus exporter container |
| networkPolicy | object | `{"annotations":{},"egress":[],"enabled":false,"ingress":[],"ingressExtend":[]}` | Enables application network policy For more info follow https://kubernetes.io/docs/concepts/services-networking/network-policies/ |
| networkPolicy.egress | list | `[]` | ``` egress: - to: - ipBlock: cidr: 10.0.0.0/24 ports: - protocol: TCP port: 443 ``` |
| networkPolicy.ingress | list | `[]` | For more detailed configuration with ports and peers. It will ignore ingressExtend ``` ingress: - from: - podSelector: matchLabels: app.kubernetes.io/instance: defectdojo - podSelector: matchLabels: app.kubernetes.io/instance: defectdojo-prometheus ports: - protocol: TCP port: 8443 ``` |
| networkPolicy.ingressExtend | list | `[]` | if additional labels need to be allowed (e.g. prometheus scraper) ``` ingressExtend: - podSelector: matchLabels: app.kubernetes.io/instance: defectdojo-prometheus ``` |
| podLabels | object | `{}` | Additional labels to add to the pods: ``` podLabels: key: value ``` |
| postgresServer | string | `nil` | To use an external PostgreSQL instance (like CloudSQL), set `postgresql.enabled` to false, set items in `postgresql.auth` part for authentication, and set the address here: |
| postgresql | object | `{"architecture":"standalone","auth":{"database":"defectdojo","existingSecret":"defectdojo-postgresql-specific","password":"","secretKeys":{"adminPasswordKey":"postgresql-postgres-password","replicationPasswordKey":"postgresql-replication-password","userPasswordKey":"postgresql-password"},"username":"defectdojo"},"enabled":true,"primary":{"affinity":{},"containerSecurityContext":{"enabled":true,"runAsUser":1001},"name":"primary","nodeSelector":{},"persistence":{"enabled":true},"podSecurityContext":{"enabled":true,"fsGroup":1001},"service":{"ports":{"postgresql":5432}}},"shmVolume":{"chmod":{"enabled":false}},"volumePermissions":{"containerSecurityContext":{"runAsUser":1001},"enabled":false}}` | For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/main/bitnami/postgresql |
| postgresql.enabled | bool | `true` | To use an external instance, switch enabled to `false` and set the address in `postgresServer` below |
| postgresql.primary.containerSecurityContext.enabled | bool | `true` | Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC |
| postgresql.primary.containerSecurityContext.runAsUser | int | `1001` | runAsUser specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. |
| postgresql.primary.podSecurityContext.enabled | bool | `true` | Default is true for K8s. Enabled needs to false for OpenShift restricted SCC and true for anyuid SCC |
| postgresql.primary.podSecurityContext.fsGroup | int | `1001` | fsGroup specification below is not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. |
| postgresql.volumePermissions.containerSecurityContext | object | `{"runAsUser":1001}` | if using restricted SCC set runAsUser: "auto" and if running under anyuid SCC - runAsUser needs to match the line above |
| redis | object | `{"architecture":"standalone","auth":{"existingSecret":"defectdojo-redis-specific","existingSecretPasswordKey":"redis-password","password":""},"enabled":true,"sentinel":{"enabled":false},"tls":{"enabled":false}}` | For more advance options check the bitnami chart documentation: https://github.com/bitnami/charts/tree/main/bitnami/redis |
| redis.enabled | bool | `true` | To use an external instance, switch enabled to `false` and set the address in `redisServer` below |
| redis.tls.enabled | bool | `false` | If TLS is enabled, the Redis broker will use the redis:// and optionally mount the certificates from an existing secret. |
| redisParams | string | `""` | Parameters attached to the redis connection string, defaults to "ssl_cert_reqs=optional" if `redis.tls.enabled` |
| redisServer | string | `nil` | To use an external Redis instance, set `redis.enabled` to false and set the address here: |
| revisionHistoryLimit | int | `10` | Allow overriding of revisionHistoryLimit across all deployments. |
| secrets.annotations | object | `{}` | Add annotations for secret resources |
| securityContext | object | `{"containerSecurityContext":{"runAsNonRoot":true},"enabled":true,"podSecurityContext":{"runAsNonRoot":true}}` | Security context settings |
| serviceAccount.annotations | object | `{}` | Optional additional annotations to add to the DefectDojo's Service Account. |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| serviceAccount.labels | object | `{}` | Optional additional labels to add to the DefectDojo's Service Account. |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| siteUrl | string | `""` | The full URL to your defectdojo instance, depends on the domain where DD is deployed, it also affects links in Jira. Use syntax: `siteUrl: 'https://<yourdomain>'` |
| tests.unitTests.automountServiceAccountToken | bool | `false` | |
| tests.unitTests.image.digest | string | `""` | |
| tests.unitTests.image.registry | string | `""` | |


All finding details can be found in the DryRun Security Dashboard.
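One of the mitigations the finding suggests is validating the input. The following is an added example (not DefectDojo's or DryRun Security's code): a Python gate that reads chart values, either from `helm get values --all -o json` or from any values document handed to it, and reports `localsettingspy` unless it is empty or its exact content is on a reviewed allow-list. The allow-list entry (the README's debug_toolbar snippet with assumed indentation), the `audit_release` helper and the sample values are constructed here.

```python
import hashlib
import json
import subprocess

# The debug_toolbar snippet the chart README documents for `localsettingspy`,
# reproduced with assumed indentation (the README table renders it on one line).
DEBUG_TOOLBAR_SNIPPET = (
    "INSTALLED_APPS += (\n"
    "    'debug_toolbar',\n"
    ")\n"
    "MIDDLEWARE = [\n"
    "    'debug_toolbar.middleware.DebugToolbarMiddleware',\n"
    "] + MIDDLEWARE\n"
)

# Allow-list of reviewed local_settings.py content, keyed by SHA-256 of the exact
# text. Anything else in `localsettingspy` is reported as unreviewed code.
APPROVED_SNIPPET_HASHES = {
    hashlib.sha256(DEBUG_TOOLBAR_SNIPPET.encode()).hexdigest(): "debug_toolbar (README example)",
}


def audit_values(values: dict) -> list:
    """Return findings for one chart values document; an empty list means clean."""
    snippet = values.get("localsettingspy", "")
    if snippet is None:
        return []
    if not isinstance(snippet, str):
        return ["localsettingspy: expected a string, got %s" % type(snippet).__name__]
    if not snippet.strip():
        return []  # chart default: nothing is mounted as local_settings.py
    digest = hashlib.sha256(snippet.encode()).hexdigest()
    if digest in APPROVED_SNIPPET_HASHES:
        return []
    return [
        "localsettingspy: %d bytes of Python (sha256 %s...) will be mounted as "
        "dojo/settings/local_settings.py and executed by the application; "
        "content is not on the reviewed allow-list" % (len(snippet), digest[:12])
    ]


def audit_release(release: str, namespace: str) -> list:
    """Audit a deployed release; needs helm and cluster access (hypothetical helper)."""
    out = subprocess.run(
        ["helm", "get", "values", release, "-n", namespace, "--all", "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit_values(json.loads(out))


# Constructed sample: a values document in which someone set an unreviewed snippet.
SAMPLE_UNREVIEWED_VALUES = json.loads(
    '{"siteUrl": "https://dd.example.test", "localsettingspy": "DEBUG = True\\n"}')
```

Wire `audit_values` into the pipeline step that renders or upgrades the chart and fail the job on any finding, so a change to the mounted Python has to go through review rather than through a values override.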

@mtesauro mtesauro merged commit 47ac933 into DefectDojo:dev Oct 17, 2025
149 checks passed
@kiblik kiblik deleted the helm_descriptions branch October 18, 2025 08:02