-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(initContainer): Tune start-up process #10454
base: dev
Are you sure you want to change the base?
Conversation
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note 🟢 Risk threshold not exceeded. Change Summary (click to expand)The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective. Summary: The code changes in this pull request are focused on improving the security and reliability of the DefectDojo application's deployment using Helm. The key changes include the addition of a database migration checker, the use of Kubernetes Secrets to store sensitive information, and the implementation of security-related configurations such as session and CSRF cookie security, security contexts, and resource limits. The database migration checker is a particularly noteworthy addition, as it helps ensure that the application's database is in a valid state before the main containers start. This can prevent issues related to database schema changes or migrations, which is an important security consideration. Additionally, the use of Kubernetes Secrets to store sensitive information, such as database passwords and the application's secret key, follows security best practices and helps prevent the accidental exposure of sensitive data. The code also sets appropriate security-related configurations, such as session and CSRF cookie security, which can help mitigate common web application vulnerabilities. Overall, the changes in this pull request appear to be focused on improving the security and reliability of the DefectDojo application's deployment, which is a positive step from an application security perspective. Files Changed:
Powered by DryRun Security |
f55d424
to
925dc4f
Compare
I believe you forgot to add the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approved
@fcecagno, thank you for your feedback. |
Hi @kiblik , thanks for your reply. IMO this PR improves the current state. |
@kiblik Got a new/different opinion of this one? Wanted to double check since we're getting close to 4 approvals. |
dbMigrationChecker: | ||
enabled: true | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd put this either at the top of values.yaml
(somewhere near podLabels
) or at the bottom (somewhere near extraConfigs
). It's likely to be missed where it is right now sandwiched between the blocks configuring individual services.
Previous implementation used
initialDelaySeconds
set to120s
which might be fine for standard (default resource allocation), first-time starting (with empty database) instances. Mentioned fact is problematic for:120s
might not be enough120s
might be wasting of time (to wait until the instance is marked asReady
)This solution does not solve #10197 but at least do not silently allow full rollout until the database is fully migrated.
This solution might be solved as well #10141