adjustments
1be8710
Merged

feat(helm): Use Valkey #13408

DryRunSecurity / General Security Analyzer succeeded Nov 26, 2025 in 2m 6s

General Security Analyzer Findings: 3 detected

⚠️ Supply Chain Risk from New Dependency (helm/defectdojo/Chart.yaml)
Type: Supply Chain Risk from New Dependency
Description: The Helm chart introduces a new dependency, valkey, from an external OCI registry oci://registry-1.docker.io/cloudpirates. This registry is not officially associated with the Valkey project. Sourcing dependencies from unverified third-party registries introduces a significant supply chain risk, as the integrity and authenticity of the distributed chart cannot be guaranteed. While a SHA256 digest is present in Chart.lock, it only verifies that the downloaded chart matches the one recorded in Chart.lock. It does not protect against a scenario where the cloudpirates repository itself is compromised and distributes a malicious chart with a new, valid digest.
Filename: helm/defectdojo/Chart.yaml
Code:
repository: "oci://registry-1.docker.io/cloudpirates"
condition: valkey.enabled
# For correct syntax, check https://artifacthub.io/docs/topics/annotations/helm/
# This is example for "artifacthub.io/changes"
⚠️ Insufficient Entropy in Valkey Password Generation (helm/defectdojo/templates/secret-valkey.yaml)
Type: Insufficient Entropy in Valkey Password Generation
Description: The Helm chart generates a 10-character alphanumeric password for Valkey when no password is explicitly provided. This results in an entropy of approximately 59.54 bits. This level of entropy is significantly lower than modern security recommendations for machine-to-machine secrets (typically 128 bits or more). This makes the generated password vulnerable to brute-force attacks, which could compromise the Valkey instance.
Filename: helm/defectdojo/templates/secret-valkey.yaml
Code:
{{ .Values.valkey.auth.existingSecretPasswordKey }}: {{ randAlphaNum 10 | b64enc | quote }}
{{- end }}
{{- end }}
⚠️ Weak TLS Configuration by Default (helm/defectdojo/templates/_helpers.tpl)
Type: Weak TLS Configuration by Default
Description: The Helm chart for DefectDojo sets ssl_cert_reqs=optional as the default for Valkey/Redis connections when TLS (rediss scheme) is enabled. This configuration disables server certificate validation, making the connection vulnerable to Man-in-the-Middle (MitM) attacks. While the valkeyParams or redisParams values can override this, the insecure default is applied if they are not explicitly changed. Best practice dictates ssl_cert_reqs=required for production environments to ensure server authenticity and prevent eavesdropping or tampering.
Filename: helm/defectdojo/templates/_helpers.tpl
Code:
{{- $defaultBrokerParams := ternary "ssl_cert_reqs=optional" "" (eq "rediss" $redisScheme) -}}
{{- if .Values.valkey.enabled -}}
{{- default $defaultBrokerParams .Values.valkeyParams -}}
{{- else -}}