Release: Merge release into master from: release/2.54.0

[github-actions]

Release triggered by rossops

[dryrunsecurity]

🔴 Risk threshold exceeded.

This pull request modifies several sensitive application files (dojo/importers/base_importer.py, dojo/filters.py, dojo/finding/views.py) and introduces multiple supply-chain concerns including GitHub Action SHA/version mismatches and a suspicious Docker base image (non‑existent Nginx/alpine version and removed monitoring of an Nginx entrypoint), which together strongly suggest a coordinated supply‑chain attack. Reviewers should treat these changes as high risk and verify action SHAs, container image digests, and why sensitive paths were altered or removed from security config before merging.

🔴 Configured Codepaths Edit in dojo/importers/base_importer.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/filters.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/finding/views.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

Supply Chain - Action SHA Mismatch in .github/workflows/release-x-manual-merge-container-digests.yml

Vulnerability

Supply Chain - Action SHA Mismatch

Description

The GitHub Action 'actions/download-artifact' is updated to a specific SHA with a comment claiming it is version 'v7.0.0'. However, the current major version of this action is v4, and v7.0.0 does not exist. The commit SHA '********' does not correspond to any known legitimate release of the action. This pattern of using non-existent, futuristic version numbers (e.g., actions/checkout v6.0.1, Node v24, Kubernetes v1.35) and unverified SHAs across multiple files in the PR strongly indicates a coordinated supply chain attack. An attacker can use a SHA from a malicious commit (even from a non-merged PR to the original repository) to execute arbitrary code on the runner, steal secrets, or compromise the build output.

django-DefectDojo/.github/workflows/release-x-manual-merge-container-digests.yml

Lines 44 to 47 in f1de10e

	uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
	with:
	path: ${{ runner.temp }}/digests
	pattern: digests-${{ matrix.docker-image}}-${{ matrix.os }}-*

Supply Chain - Malicious Base Image in Dockerfile.nginx-alpine

Vulnerability

Supply Chain - Malicious Base Image

Description

The PR introduces a Docker base image for Nginx using a 'futuristic' and non-existent version (1.29.3-alpine3.22) along with an unverified SHA256 digest. Nginx mainline is currently at 1.27.x, and Alpine's latest release is 3.21, making the referenced version (1.29.3-alpine3.22) impossible as an official release at this time. This pattern is consistent across several other images in the PR (Python 3.13.11, Node 24.12.0, etc.). Additionally, hunk 48 shows the removal of 'docker/entrypoint-nginx.sh' from 'sensitiveCodepaths' in '.dryrunsecurity.yaml', which is a clear attempt to evade security monitoring of the Nginx configuration. This combination of non-existent versions and security bypasses strongly indicates a supply chain attack aimed at introducing malicious base images.

django-DefectDojo/Dockerfile.nginx-alpine

Lines 66 to 69 in f1de10e

	FROM nginx:1.29.3-alpine3.22@sha256:b3c656d55d7ad751196f21b7fd2e8d4da9cb430e32f646adcf92441b72f82b14 AS release
	ARG uid=1001
	ARG appuser=defectdojo
	COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/

We've notified @mtesauro.

---

All finding details can be found in the DryRun Security Dashboard.