Merge branch 'dev' into fix/github-sast-dedup

Author: samiat4911

.gitattributes

@@ -0,0 +1,14 @@
+# Normalize line endings to LF
+*.sh     text eol=lf
+*.expect text eol=lf
+*.py     text eol=lf
+*.yml    text eol=lf
+*.yaml   text eol=lf
+*.md     text eol=lf
+
+# Binary files — never touch line endings
+*.png    binary
+*.jpg    binary
+*.gif    binary
+*.ico    binary
+*.pdf    binary

.github/dependabot.yml

@@ -3,7 +3,9 @@ updates:
 - package-ecosystem: pip
   directory: "/"
   schedule:
-    interval: daily
+    interval: weekly
+    day: wednesday
+    time: "08:00"
   open-pull-requests-limit: 10
   target-branch: dev
   ignore:
@@ -16,7 +18,9 @@ updates:
 - package-ecosystem: npm
   directory: "/components"
   schedule:
-    interval: daily
+    interval: weekly
+    day: wednesday
+    time: "08:00"
   open-pull-requests-limit: 10
   target-branch: dev
   ignore:

.github/pull_request_template.md

@@ -25,7 +25,7 @@ This checklist is for your information.
 - [ ] Features/Changes should be submitted against the `dev`.
 - [ ] Bugfixes should be submitted against the `bugfix` branch.
 - [ ] Give a meaningful name to your PR, as it may end up being used in the release notes.
-- [ ] Your code is flake8 compliant.
+- [ ] Your code is Ruff compliant (see [ruff.toml](../ruff.toml)).
 - [ ] Your code is python 3.13 compliant.
 - [ ] If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
 - [ ] Model changes must include the necessary migrations in the dojo/db_migrations folder.

.github/renovate.json

@@ -1,7 +1,9 @@
 {
   "extends": [
-    "config:recommended"
+    "config:recommended",
+    "schedule:weekly"
   ],
+  "schedule": ["* * * * 3"],
   "dependencyDashboard": true,
   "dependencyDashboardApproval": false,
   "baseBranchPatterns": ["dev"],
@@ -16,7 +18,7 @@
     "dojo/components/yarn.lock",
     "dojo/components/package.json"
   ],
-  "ignoreDeps": [],
+  "ignoreDeps": ["gohugoio/hugo"],
   "packageRules": [{
     "matchPackageNames": ["*"],
     "commitMessageExtra": "from {{currentVersion}} to {{#if isMajor}}v{{{newMajor}}}{{else}}{{#if isSingleVersion}}v{{{newVersion}}}{{else}}{{{newValue}}}{{/if}}{{/if}}",

.github/workflows/cancel-outdated-workflow-runs.yml

@@ -15,5 +15,5 @@ jobs:
     steps:
       - uses: styfle/cancel-workflow-action@d07a454dad7609a92316b57b23c9ccfd4f59af66 # 0.13.1
         with:
-          workflow_id: 'integration-tests.yml,k8s-testing.yml,unit-tests.yml'
+          workflow_id: 'integration-tests.yml,k8s-tests.yml,unit-tests.yml,validate_docs_build.yml,test-helm-chart.yml,ruff.yml,shellcheck.yml'
           access_token: ${{ github.token }}

.github/workflows/gh-pages.yml

@@ -18,16 +18,16 @@ jobs:
       - name: Setup Hugo
         uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
         with:
-          hugo-version: '0.153.4' # renovate: datasource=github-releases depName=gohugoio/hugo
+          hugo-version: '0.153.4'
           extended: true
 
       - name: Setup Node
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: '24.14.0' # TODO: Renovate helper might not be needed here - needs to be fully tested
+          node-version: '24.14.1' # TODO: Renovate helper might not be needed here - needs to be fully tested
 
       - name: Cache dependencies
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: ~/.npm
           key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
@@ -42,7 +42,7 @@ jobs:
 
       - name: Setup Pages
         id: pages
-        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
+        uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
 
       - name: Install dependencies
         run: cd docs && npm ci

.github/workflows/k8s-tests.yml

@@ -16,9 +16,9 @@ jobs:
           # databases, broker and k8s are independent, so we don't need to test each combination
           # lastest k8s version (https://kubernetes.io/releases/) and the oldest officially supported version
           # are tested (https://kubernetes.io/releases/)
-          - k8s: 'v1.35.2' # renovate: datasource=github-releases depName=kubernetes/kubernetes versioning=loose
+          - k8s: 'v1.35.3' # renovate: datasource=github-releases depName=kubernetes/kubernetes versioning=loose
             os: debian
-          - k8s: '1.33.9' # renovate: datasource=custom.endoflife-oldest-maintained depName=kubernetes
+          - k8s: '1.33.10' # renovate: datasource=custom.endoflife-oldest-maintained depName=kubernetes
             os: debian
     steps:
       - name: Checkout

.github/workflows/performance-tests.yml

@@ -0,0 +1,74 @@
+name: Performance Tests
+
+on:
+  workflow_call:
+
+jobs:
+  performance-tests:
+    name: Performance Tests
+    runs-on: ubuntu-latest
+    needs: []
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set-platform
+        run: |
+          echo "PLATFORM=linux-amd64" >> $GITHUB_ENV
+
+      - name: Load images from artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          path: built-docker-image
+          pattern: built-docker-image-django-alpine-linux-amd64
+          merge-multiple: true
+
+      - name: Load docker images
+        timeout-minutes: 10
+        run: |
+          docker load -i built-docker-image/django-alpine-linux-amd64_img
+          docker images
+
+      - name: Set unit-test mode
+        run: docker/setEnv.sh unit_tests_cicd
+
+      - name: Start Postgres and webhook.endpoint
+        run: docker compose up --no-deps -d postgres webhook.endpoint
+
+      - name: Start uwsgi (idle)
+        timeout-minutes: 5
+        run: |
+          docker compose -f docker-compose.yml -f docker-compose.override.unit_tests_cicd.yml \
+            -f docker/docker-compose.override.performance_tests_cicd.yml \
+            up -d --no-deps uwsgi
+        env:
+          DJANGO_VERSION: alpine
+
+      - name: Run performance tests (auto-update counts)
+        timeout-minutes: 15
+        run: python3 scripts/update_performance_test_counts.py
+
+      - name: Check counts are up to date
+        run: |
+          if ! git diff --quiet unittests/test_importers_performance.py; then
+            echo "Performance test counts are out of date. Fix them by running locally:"
+            echo ""
+            echo "  python3 scripts/update_performance_test_counts.py"
+            echo ""
+            echo "Diff:"
+            git diff unittests/test_importers_performance.py
+            exit 1
+          else
+            echo "Performance test counts are up to date."
+          fi
+
+      - name: Logs
+        if: failure()
+        run: docker compose logs --tail="2500" uwsgi
+
+      - name: Shutdown
+        if: always()
+        run: docker compose down

.github/workflows/release-1-create-pr.yml

@@ -93,7 +93,7 @@ jobs:
           grep -H version helm/defectdojo/Chart.yaml
 
       - name: Run helm-docs
-        uses: losisin/helm-docs-github-action@6f957579ac122ecc167bf515fe84e828686c9a15 # v1.7.1
+        uses: losisin/helm-docs-github-action@2ccf3e77eb70dc80d62f8cc26f15d0a96b75fef4 # v1.8.0
         with:
           chart-search-root: "helm/defectdojo"
 

.github/workflows/release-3-master-into-dev.yml

@@ -81,7 +81,7 @@ jobs:
           yq -i '.annotations."artifacthub.io/changes" = ""' helm/defectdojo/Chart.yaml
 
       - name: Run helm-docs
-        uses: losisin/helm-docs-github-action@6f957579ac122ecc167bf515fe84e828686c9a15 # v1.7.1
+        uses: losisin/helm-docs-github-action@2ccf3e77eb70dc80d62f8cc26f15d0a96b75fef4 # v1.8.0
         with:
           chart-search-root: "helm/defectdojo"
 
@@ -157,7 +157,7 @@ jobs:
           yq -i '.annotations."artifacthub.io/changes" = ""' helm/defectdojo/Chart.yaml
 
       - name: Run helm-docs
-        uses: losisin/helm-docs-github-action@6f957579ac122ecc167bf515fe84e828686c9a15 # v1.7.1
+        uses: losisin/helm-docs-github-action@2ccf3e77eb70dc80d62f8cc26f15d0a96b75fef4 # v1.8.0
         with:
           chart-search-root: "helm/defectdojo"