Release: Merge back 2.52.0 into dev from: master-into-dev/2.52.0-2.53.0-dev

[github-actions]

Release triggered by rossops

[dryrunsecurity]

This pull request uses a mutable GitHub Action reference: the workflow .github/workflows/slack-pr-reminder.yml pins DefectDojo-Inc/notify-pr-reviewers-action to @master, which is a supply-chain risk because changes to that branch could execute arbitrary or malicious code in your CI. Consider pinning to a specific tag or commit SHA to mitigate this.

Unpinned GitHub Action Version in .github/workflows/slack-pr-reminder.yml

Vulnerability

Unpinned GitHub Action Version

Description

The GitHub Actions workflow '.github/workflows/slack-pr-reminder.yml' uses a mutable reference ('@master') for the action 'DefectDojo-Inc/notify-pr-reviewers-action'. This creates a supply chain risk, as any changes pushed to the master branch of the action's repository, whether malicious or accidental, will be automatically executed by this workflow. This could lead to compromised builds, secret exfiltration, or other CI/CD pipeline attacks.

django-DefectDojo/.github/workflows/slack-pr-reminder.yml

Lines 14 to 17 in ec606a3

	uses: DefectDojo-Inc/notify-pr-reviewers-action@master # Do not use a specific version to always get the latest updates
	with:
	owner: "DefectDojo"
	repository: "django-DefectDojo"

---

All finding details can be found in the DryRun Security Dashboard.