add new entrypoint script

fdb714f
Merged

dev: hot reloading improvements celery/html/tpl #12714

DryRunSecurity / General Security Analyzer succeeded Jun 28, 2025 in 51s

General Security Analyzer Findings: 3 detected

⚠️ Overly Permissive File Permissions docker/entrypoint-celery-worker-dev.sh
Type Overly Permissive File Permissions
Description The umask 0002 setting grants group write permissions to newly created files, which is less restrictive than typical production security practices. In a shared environment, this could allow unintended file modifications by group members.
Filename docker/entrypoint-celery-worker-dev.sh
Code
#!/bin/bash
umask 0002
id
set -e # needed to handle "exit" correctly
. /secret-file-loader.sh
. /reach_database.sh
wait_for_database_to_be_reachable
echo
if [ "${DD_CELERY_WORKER_POOL_TYPE}" = "prefork" ]; then
EXTRA_PARAMS=("--autoscale=${DD_CELERY_WORKER_AUTOSCALE_MAX},${DD_CELERY_WORKER_AUTOSCALE_MIN}"
"--prefetch-multiplier=${DD_CELERY_WORKER_PREFETCH_MULTIPLIER}")
else
EXTRA_PARAMS=()
fi
# do the check with Django stack
python3 manage.py check
# hot reload using watchmedo as we don't want to install celery[dev] and have that end up in our production images
watchmedo auto-restart --directory=./ --pattern="*.py;*.tpl" --recursive -- \
celery --app=dojo worker --loglevel="${DD_CELERY_LOG_LEVEL}" --pool="${DD_CELERY_WORKER_POOL_TYPE}" --concurrency="${DD_CELERY_WORKER_CONCURRENCY:-1}" "${EXTRA_PARAMS[@]}"
⚠️ Unnecessary Development Dependency requirements.txt
Type Unnecessary Development Dependency
Description The watchdog package is added to requirements without clear separation between development and production dependencies. This could unnecessarily increase the application's dependency attack surface if deployed to production without careful filtering.
Filename requirements.txt
Code
PyYAML==6.0.2
pyopenssl==25.1.0
parameterized==0.9.0
watchdog==6.0.0 # only needed for development, but would require some docker refactoring if we want to exclude it for production images
⚠️ Development Script in Production Image Dockerfile.django-alpine
Type Development Script in Production Image
Description The Dockerfile includes a development-specific entrypoint script that could expose unnecessary configuration details or debug features if used in a production environment. This increases the potential attack surface by including non-essential scripts with potentially less secure configurations.
Filename Dockerfile.django-alpine
Code
COPY \
docker/entrypoint-celery-beat.sh \
docker/entrypoint-celery-worker.sh \
docker/entrypoint-celery-worker-dev.sh \
docker/entrypoint-initializer.sh \
docker/entrypoint-first-boot.sh \
docker/entrypoint-uwsgi.sh \