
chore: docs

73aa3c4
Merged

fix: add missing resources, securityContext and env entries #13210

DryRunSecurity / General Security Analyzer succeeded Oct 7, 2025 in 3m 30s

DryRun Security


General Security Analyzer Findings: 1 detected

⚠️ Arbitrary Content Injection (RCE) in helm/defectdojo/templates/configmap-local-settings-py.yaml
Type: Arbitrary Content Injection (RCE)
Description: The Helm chart allows arbitrary content from .Values.localsettingspy to be directly injected into a ConfigMap named {{ $fullName }}-localsettingspy. This ConfigMap is then mounted as /app/dojo/settings/local_settings.py in the celery-beat, celery-worker, and django application containers. In Django applications, local_settings.py is typically imported and executed as Python code during application startup. An attacker with permissions to set Helm values can inject malicious Python code into .Values.localsettingspy, which will be executed by the application, leading to Remote Code Execution (RCE).
Filename: helm/defectdojo/templates/configmap-local-settings-py.yaml
Code:
    {{ toYaml .Values.localsettingspy | indent 4 }}