Update postgres:17.2-alpine Docker digest from 17.2 to 17.2-alpine (docker-compose.yml)

[renovate]

This PR contains the following updates:

Package	Update	Change
postgres	digest	f58b02e -> 0bcc5bb

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dryrunsecurity]

DryRun Security Summary

The docker-compose.yml file for DefectDojo was updated with a new Postgres image version, requiring careful review of environment variables, encryption key management, database configuration, volume security, and dependency updates to maintain the application's security posture.

Expand for full summary

Summary:

The provided code change is an update to the docker-compose.yml file for the DefectDojo application. The key changes include an update to the Postgres image version, which is likely a security or bug fix update. From an application security perspective, the important aspects to consider are the proper management of sensitive environment variables, secure storage and management of encryption keys, handling of database connection issues, secure configuration of data volumes, and maintaining the security of the underlying dependencies.

Overall, the changes in this docker-compose.yml file appear to be routine updates to the underlying Docker images and configuration parameters. As an application security engineer, it is crucial to review these changes to ensure that the application's security posture is maintained and that any potential vulnerabilities or security risks are addressed.

Files Changed:

• docker-compose.yml: The key changes in this file include:
  1. Postgres Image Update: The Postgres image has been updated from version 17.2-alpine@sha256:f58b02ec01778a7c590c3dcf869da3f4294d89adc70e6f55d63b0b8c6f78faa1 to 17.2-alpine@sha256:0bcc5bbbb2aa9c9b4c6505845918c7eb55d783cf5c1f434fac33012579fb149d.
  2. Environment Variables: The file uses several environment variables to configure the application, such as database connection details, secret keys, and other sensitive information. It is important to ensure that these environment variables are properly secured and not exposed in the codebase or deployment process.
  3. Credential Storage: The DD_CREDENTIAL_AES_256_KEY environment variable is used to encrypt sensitive credentials. The secure storage and management of the encryption key is crucial to prevent unauthorized access to these credentials.
  4. Database Readiness Timeout: The DD_DATABASE_READINESS_TIMEOUT environment variable sets the timeout for the application to wait for the database to become available, which is an important configuration to ensure the application can handle database connection issues gracefully.
  5. Volumes: The file mounts several volumes for the Postgres, Redis, and media data, which must be properly secured and backed up to prevent data loss or unauthorized access.
  6. Dependency Management: The application relies on several Docker images, including Postgres, Redis, and the DefectDojo-specific images, which must be kept up-to-date and monitored for any security vulnerabilities.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.