
feat(helm): Split image locations+tags, allow digest pinning

8ceafd9
Merged

feat(helm): Split image locations+tags, allow digest pinning #13370

DryRunSecurity / General Security Analyzer succeeded Oct 16, 2025 in 1m 32s


General Security Analyzer Findings: 2 detected

⚠️ Lack of Image Digest Pinning by Default (helm/defectdojo/values.yaml)
Type: Lack of Image Digest Pinning by Default
Description: The Helm chart's default configuration in values.yaml sets the digest field for all container images to an empty string. The chart logic in _helpers.tpl falls back to using mutable tags when the digest is not provided. This creates a supply chain risk, as deployments are not guaranteed to be immutable. If an image tag is overwritten in the registry (e.g., a new 2.52.0-dev image is pushed), subsequent deployments will pull the new, potentially untested or malicious, image. While the chart adds support for digest pinning, it is not used by default, leaving users vulnerable unless they manually configure it.
Filename: helm/defectdojo/values.yaml
Code (excerpt from values.yaml, under images.django.image and images.nginx.image):
      digest: ""
  nginx:
    image:
      registry: ""
⚠️ Insecure Use of 'latest' Image Tag in CI (.github/workflows/k8s-tests.yml)
Type: Insecure Use of 'latest' Image Tag in CI
Description: The .github/workflows/k8s-tests.yml workflow explicitly sets Docker image tags to 'latest' for both Django and Nginx images. While this workflow appears to be for testing the Helm chart in a Kubernetes environment, using mutable tags like 'latest' introduces non-reproducibility and supply chain risks. A 'latest' image can change at any time, meaning that a test run today might use a different image than a test run tomorrow, even if the workflow definition hasn't changed. This can lead to inconsistent test results, make debugging difficult, and potentially introduce vulnerabilities if a malicious or broken image is pushed as 'latest'. Best practices strongly recommend using immutable tags (e.g., specific version numbers or image digests) to ensure build reproducibility and security, even in test environments.
Filename: .github/workflows/k8s-tests.yml
Code (excerpt of the helm command arguments in the workflow):
    defectdojo \
    ./helm/defectdojo \
    --set django.ingress.enabled=true \
    --set images.django.image.tag=latest \
    --set images.nginx.image.tag=latest \
    --set imagePullPolicy=Never \
    --set initializer.keepSeconds="-1" \
    --set redis.enabled=true \