
Update docker/build-push-action action from v5 to v6 (.github/workflows/release-x-manual-docker-containers.yml) #10413

Merged
merged 1 commit into dev from renovate/docker-build-push-action-6.x on Jun 17, 2024

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jun 17, 2024

Mend Renovate

This PR contains the following updates:

Package                   Type    Update  Change
docker/build-push-action  action  major   v5 -> v6

Release Notes

docker/build-push-action (docker/build-push-action)

v6

Compare Source


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the "dependencies" label (Pull requests that update a dependency file) Jun 17, 2024

dryrunsecurity bot commented Jun 17, 2024

Hi there 👋, @DryRunSecurity here. Below is a summary of our analysis and findings.

DryRun Security Status                Findings
Server-Side Request Forgery Analyzer  0 findings
Configured Codepaths Analyzer         0 findings
IDOR Analyzer                         0 findings
Sensitive Files Analyzer              0 findings
SQL Injection Analyzer                0 findings
Authn/Authz Analyzer                  0 findings
Secrets Analyzer                      0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided GitHub Actions workflows demonstrate good practices for building and deploying Docker images in a secure and efficient manner. The "release-x-manual-docker-containers.yml" workflow is responsible for building and pushing Docker images for the DefectDojo application, while the "build-docker-images-for-testing.yml" workflow builds Docker images for testing purposes.

Both workflows exhibit several security-conscious features, such as versioning and tagging of Docker images, multi-platform support, caching, secure storage of credentials, and checkout of the correct Git repository. The "build-docker-images-for-testing.yml" workflow also highlights the importance of keeping track of the versions of the actions used and ensuring that the cache is properly invalidated.

However, it's important to review the underlying Dockerfiles used in these workflows to ensure that they do not introduce any security vulnerabilities, such as the use of outdated or insecure dependencies, the inclusion of sensitive information, or the execution of untrusted code. Additionally, the security of the uploaded Docker image artifacts should be carefully considered to prevent potential misuse or exploitation.

Files Changed:

  1. .github/workflows/release-x-manual-docker-containers.yml:

    • This workflow is responsible for building and pushing Docker images for the DefectDojo application.
    • It ensures that the Docker images are tagged with the specified release version and the latest tag, providing version control and easy rollback.
    • The workflow supports building images for both Alpine and Debian Linux distributions, offering flexibility in the deployment environment.
    • It utilizes Docker layer caching to speed up the build process and securely stores the DockerHub credentials using GitHub secrets.
    • The workflow checks out the Git repository at the specified release version, ensuring the correct code is used for the build.
  2. .github/workflows/build-docker-images-for-testing.yml:

    • This workflow builds Docker images for testing purposes, triggered either manually or as part of another workflow.
    • It builds Docker images for different combinations of Docker images (django, nginx, integration-tests) and operating systems (alpine, debian).
    • The workflow uses the latest version of the docker/build-push-action action, which should be monitored for potential security vulnerabilities or breaking changes.
    • It utilizes the GitHub Actions cache to speed up subsequent builds, but it's important to ensure the cache is properly invalidated when the underlying Dockerfiles or dependencies change.
    • The built Docker images are uploaded as artifacts, which should be properly secured and access-controlled.
    • The use of the alpine and debian base images requires ensuring they are regularly updated and patched to address known security vulnerabilities.

Powered by DryRun Security


Hi there 👋, @DryRunSecurity here. Below is a summary of our analysis and findings.

DryRun Security Status                Findings
Server-Side Request Forgery Analyzer  0 findings
Configured Codepaths Analyzer         0 findings
IDOR Analyzer                         0 findings
Sensitive Files Analyzer              0 findings
SQL Injection Analyzer                0 findings
Authn/Authz Analyzer                  0 findings
Secrets Analyzer                      0 findings

Note

🟢 Risk threshold not exceeded.

Powered by DryRun Security

Contributor

@mtesauro mtesauro left a comment


Approved

@cneill cneill merged commit 16c8627 into dev Jun 17, 2024
126 checks passed
@renovate renovate bot deleted the renovate/docker-build-push-action-6.x branch June 17, 2024 16:50