
feat(helm-local_settings): Add option to add local_settings.py #10803

Status: Open. Wants to merge 1 commit into base branch dev.

Conversation

kiblik
Contributor

@kiblik kiblik commented Aug 23, 2024

This PR adds the ability to use local_settings.py in the k8s setup as well.


dryrunsecurity bot commented Aug 23, 2024

DryRun Security Summary

The pull request focuses on improving the deployment and configuration of the DefectDojo application in a Kubernetes environment by introducing customizable local settings, enhancing security practices for handling sensitive information, and providing more flexibility in volume mounting and external dependency management.


Summary:

The code changes in this pull request are focused on improving the deployment and configuration of the DefectDojo application, a vulnerability management and security tool, in a Kubernetes environment. The key changes include:

  1. Customizable Local Settings: The changes introduce the ability to customize the local_settings.py file, which is a configuration file for the Django application, through a Kubernetes ConfigMap. This provides users with more flexibility in extending the functionality of the DefectDojo application.

  2. Handling of Sensitive Information: The code changes demonstrate good security practices, such as storing sensitive information (e.g., database passwords) in Kubernetes Secrets and properly handling environment variables.

  3. Volume Mounts and External Dependencies: The changes include the mounting of volumes, such as the local_settings.py file and SSL/TLS certificates, as well as the handling of external dependencies like the Cloud SQL proxy and DB migration checker.

From an application security perspective, the changes are generally positive, as they focus on improving the deployment configuration and handling of sensitive information. However, there are a few areas that require careful review and consideration:

  1. Validation of Customized Local Settings: The ability to customize the local_settings.py file through a Kubernetes ConfigMap introduces the potential for security risks if the added code is not properly validated and sanitized.

  2. Secure Access to Sensitive Configuration Files: Ensuring that the local_settings.py file and any other sensitive configuration files are properly secured and accessed only by authorized parties is crucial.

  3. Ongoing Monitoring and Maintenance: As the application and its deployment infrastructure evolve, it's important to regularly review the security posture and address any potential vulnerabilities or misconfigurations.

Overall, the code changes in this pull request appear to be a step in the right direction for improving the security and maintainability of the DefectDojo application in a Kubernetes environment. However, continuous vigilance and a strong focus on application security best practices are essential to ensure the ongoing security and integrity of the application.

Files Changed:

  1. helm/defectdojo/templates/configmap-local-settings-py.yaml: This file adds a new Kubernetes ConfigMap resource to store the contents of the local_settings.py file, which allows for customization of the DefectDojo application's settings.

  2. docs/content/en/open_source/installation/configuration.md: The changes in this file update the documentation to reflect the ability to use the local_settings.py file for configuration in both Docker Compose and Kubernetes deployments.

  3. helm/defectdojo/templates/celery-beat-deployment.yaml: The changes in this file handle the Celery Beat deployment, including the mounting of the local_settings.py file and the management of external dependencies like the Cloud SQL proxy and DB migration checker.

  4. helm/defectdojo/templates/celery-worker-deployment.yaml: This file includes changes related to the Celery worker deployment, such as the volume mount for the local_settings.py file and the handling of SSL/TLS certificates.

  5. helm/defectdojo/values.yaml: The changes in this file add a new section to allow users to provide custom code snippets for the local_settings.py file, which introduces potential security risks that require careful review.

  6. helm/defectdojo/templates/django-deployment.yaml: The changes in this file introduce the ability to mount the local_settings.py file as a ConfigMap volume, which allows for further customization of the Django application's settings.

  7. helm/defectdojo/templates/initializer-job.yaml: The changes in this file handle the initialization process for the DefectDojo application, including the volume mount for the local_settings.py file and the management of sensitive environment variables.

Code Analysis

We ran 9 analyzers against 7 files and 0 analyzers had findings. 9 analyzers had no findings.

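The summary above describes the mechanism (a ConfigMap carrying local_settings.py, mounted as a file into the Django, Celery and initializer pods) and flags two review points: who can change that file, and how it is exposed to the pod. The manifests below are an added example written for this page, not the PR's Helm templates: the ConfigMap name `defectdojo-local-settings`, the container name, the image reference, the mount path under `/app/dojo/settings/` and the Role name are all assumptions chosen for illustration. They show the plain Kubernetes objects a Helm template of this kind renders to, with the hardening a reviewer would look for: the file is mounted read-only, secrets stay in the environment rather than in the ConfigMap, and a narrow Role limits who may read the object.

```yaml
# Added example, not code from the DefectDojo chart. Object names, the image
# reference and the mount path are assumptions for this illustration.
apiVersion: v1
kind: ConfigMap
metadata:
  name: defectdojo-local-settings
data:
  # Python that the application imports on startup, layered on top of
  # settings.dist.py. Anyone who can write this ConfigMap can change what
  # the pod executes, so treat write access to it like deploy access.
  local_settings.py: |
    import os

    # Keep credentials out of the ConfigMap: read them from the environment,
    # which the deployment populates from a Kubernetes Secret.
    # (Setting name below is illustrative, not a DefectDojo setting.)
    EXAMPLE_WEBHOOK_TOKEN = os.environ.get("DD_EXAMPLE_WEBHOOK_TOKEN", "")
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: defectdojo-django
spec:
  selector:
    matchLabels:
      app: defectdojo-django
  template:
    metadata:
      labels:
        app: defectdojo-django
    spec:
      containers:
        - name: uwsgi
          image: example.invalid/defectdojo-django:placeholder  # placeholder image
          env:
            - name: DD_EXAMPLE_WEBHOOK_TOKEN
              valueFrom:
                secretKeyRef:
                  name: defectdojo-example-secret   # assumed Secret name
                  key: webhook-token
          volumeMounts:
            # subPath mounts exactly one file so the rest of the settings
            # directory in the image is left untouched; readOnly prevents a
            # compromised process from rewriting its own startup code.
            - name: local-settings
              mountPath: /app/dojo/settings/local_settings.py  # assumed path
              subPath: local_settings.py
              readOnly: true
      volumes:
        - name: local-settings
          configMap:
            name: defectdojo-local-settings
            items:
              - key: local_settings.py
                path: local_settings.py
---
# Least-privilege read access to the ConfigMap for in-cluster tooling.
# Update/patch is deliberately absent; changes go through the deployment
# pipeline that owns the chart values.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: defectdojo-local-settings-reader
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["defectdojo-local-settings"]
    verbs: ["get"]
```

Two caveats worth knowing when reviewing a chart that does this: a ConfigMap mounted through `subPath` is not refreshed in a running pod when the ConfigMap changes, so a new rollout is needed for edits to take effect (which also makes changes visible in the deployment history); and because the file is executed Python, the useful control is restricting who can write the ConfigMap and the Helm values that render it, not "sanitizing" its contents.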

@kiblik kiblik force-pushed the add_localSettingsPy branch 2 times, most recently from cea7b4e to 5018921 on August 26, 2024 09:17
@kiblik kiblik force-pushed the add_localSettingsPy branch from 5018921 to 9978908 on November 20, 2024 09:28
@github-actions github-actions bot added labels on Nov 20, 2024: docker, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), apiv2, unittests, integration_tests, ui, parser
@kiblik kiblik changed the base branch from bugfix to dev on November 20, 2024 09:33
@kiblik kiblik force-pushed the add_localSettingsPy branch from 9978908 to 96ea735 on November 20, 2024 10:47
@github-actions github-actions bot removed labels on Nov 20, 2024: docker, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), apiv2, unittests, integration_tests, ui, parser
@kiblik kiblik force-pushed the add_localSettingsPy branch from 96ea735 to 1397f77 on November 20, 2024 10:48
@kiblik kiblik marked this pull request as ready for review on November 20, 2024 11:06
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@kiblik kiblik force-pushed the add_localSettingsPy branch from 1397f77 to 90fdaf1 on November 26, 2024 08:36
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@kiblik kiblik requested review from mtesauro and Maffooch December 9, 2024 16:04
@kiblik kiblik force-pushed the add_localSettingsPy branch from 90fdaf1 to be27458 on December 11, 2024 20:30
Contributor

@mtesauro mtesauro left a comment


Approved

@mtesauro
Contributor

mtesauro commented Jan 2, 2025

@kiblik Sorry, this one fell off my radar.

3 participants