Skip to content

fix(renovate): Clean records #13509

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 27, 2025
Merged

fix(renovate): Clean records #13509

merged 3 commits into from
Oct 27, 2025
+10 −8

Conversation

@kiblik
Copy link
Contributor

@kiblik kiblik commented Oct 23, 2025
edited
Loading

@kiblik kiblik force-pushed the renovate_help branch 3 times, most recently from 3f5cdc4 to 5fb9e62 Compare October 23, 2025 20:40
@kiblik kiblik marked this pull request as ready for review October 23, 2025 21:29
@dryrunsecurity
Copy link

dryrunsecurity bot commented Oct 23, 2025
edited
Loading

DryRun Security

This pull request updates the shellcheck workflow to use SHELLCHECK_VERSION v0.9.0 but leaves the hardcoded SHELLCHECK_SHA unchanged (with a comment noting it isn't auto-updated), which creates a supply-chain/integrity risk if the checksum is out of date or if integrity checks are skipped. Consider updating the SHA when bumping the version or automating checksum verification to prevent build failures or potential compromise.

CI/CD Supply Chain Risk (Outdated Checksum) in .github/workflows/shellcheck.yml
Vulnerability CI/CD Supply Chain Risk (Outdated Checksum)
Description The shellcheck.yml workflow updates the SHELLCHECK_VERSION to 'v0.9.0', but the SHELLCHECK_SHA is explicitly noted in a comment as not being automatically updated. This creates a risk where the downloaded shellcheck binary might not match the hardcoded SHA. If an integrity check is performed, it would fail, potentially breaking the build. More critically, if the integrity check is skipped or improperly implemented, a compromised version of the shellcheck tool could be executed, leading to a supply chain attack. The code comment itself highlights this manual update requirement, indicating a known gap in automated integrity verification for this specific dependency.

django-DefectDojo/.github/workflows/shellcheck.yml

Lines 8 to 10 in 9cf6ff2

SHELLCHECK_SHA: '038fd81de6b7e20cc651571362683853670cdc71' # Renovate config is not currently adjusted to update hash - it needs to be done manually for now
jobs:
shellcheck:

All finding details can be found in the DryRun Security Dashboard.

@valentijnscholten valentijnscholten added this to the 2.51.3 milestone Oct 23, 2025
mtesauro
mtesauro approved these changes Oct 26, 2025
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@github-actions
Copy link
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@Maffooch Maffooch mentioned this pull request Oct 27, 2025
Closed
1 task
@github-actions
Copy link
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@rossops rossops merged commit 7f11d0d into DefectDojo:bugfix Oct 27, 2025
150 checks passed
@kiblik kiblik deleted the renovate_help branch October 27, 2025 15:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@rossops rossops rossops approved these changes

@Maffooch Maffooch Maffooch approved these changes

@Jino-T Jino-T Jino-T approved these changes

@valentijnscholten valentijnscholten Awaiting requested review from valentijnscholten

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

2.51.3

Development

Successfully merging this pull request may close these issues.

6 participants

@kiblik @mtesauro @rossops @Maffooch @Jino-T @valentijnscholten