Conversation

@renovate renovate bot (Contributor) commented Jan 30, 2026

This PR contains the following updates:

| Package | Type   | Update | Change         |
|---------|--------|--------|----------------|
| python  | stage  | digest | bd1f3d92fd9379 |
| python  | final  | digest | bd1f3d92fd9379 |

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jan 30, 2026
@renovate renovate bot requested review from Maffooch and mtesauro as code owners January 30, 2026 05:22
@dryrunsecurity DryRun Security commented

This pull request includes a supply-chain integrity issue: the Dockerfile pins the base image with tag python:3.13.11-alpine3.22 but the SHA256 digest corresponds to python 3.11.11, meaning the declared tag and the actual image disagree and could cause the runtime environment to differ from the audited/declared version. This mismatch should be corrected (either update the digest to match the tag or align the tag to the digest) to restore confidence in the build provenance.

Supply Chain Integrity: Mismatched Base Image Tag in Dockerfile.nginx-alpine

Vulnerability: Supply Chain Integrity: Mismatched Base Image Tag

Description: The Dockerfile specifies a base image tag python:3.13.11-alpine3.22 along with a SHA256 digest sha256:2fd93799bfc6381d078a8f656a5f45d6092e5d11d16f55889b3d5cbfdc64f045. However, there is a mismatch between the tag and the digest: the digest corresponds to Python version 3.11.11, while the tag claims version 3.13.11. This discrepancy typically occurs during a faulty update process (e.g., a search-and-replace on tags that misses the pinned digests). This creates a supply chain integrity issue because the actual environment running the application (Python 3.11.11) differs from the declared and audited version (Python 3.13.11).

FROM python:3.13.11-alpine3.22@sha256:2fd93799bfc6381d078a8f656a5f45d6092e5d11d16f55889b3d5cbfdc64f045 AS base
FROM base AS build
WORKDIR /app
RUN \


All finding details can be found in the DryRun Security Dashboard.
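As an added example (not part of this PR and not DryRun Security's tooling), here is a small Python check for the class of defect reported above: it parses the `FROM` lines of a Dockerfile and flags a tag whose version does not agree with the version the pinned digest is known to run, or a base image with no digest at all. The digest-to-version table is constructed from the finding's own statement; in practice it would be filled by running `python --version` inside the pulled image or from the registry manifest, not guessed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# "FROM <name>[:<tag>][@sha256:<hex>] [AS <stage>]" (flags such as --platform are not handled)
FROM_RE = re.compile(
    r"^\s*FROM\s+(?P<name>[^\s:@]+)(?::(?P<tag>[^\s@]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
SEMVER_RE = re.compile(r"^(\d+\.\d+\.\d+)")  # leading X.Y.Z of a tag like 3.13.11-alpine3.22

@dataclass
class BaseImageRef:
    name: str
    tag: Optional[str]
    digest: Optional[str]
    stage: Optional[str]

def parse_from_lines(dockerfile: str) -> list:
    """Collect every FROM instruction as a BaseImageRef."""
    return [BaseImageRef(m["name"], m["tag"], m["digest"], m["stage"])
            for m in map(FROM_RE.match, dockerfile.splitlines()) if m]

def check_pins(dockerfile: str, digest_to_version: dict) -> list:
    """Return findings for FROM lines that are unpinned, pinned to an unknown digest,
    or whose tag version disagrees with what digest_to_version says the digest runs."""
    findings, stages = [], set()
    for ref in parse_from_lines(dockerfile):
        if ref.name.lower() in stages and ref.tag is None and ref.digest is None:
            if ref.stage:
                stages.add(ref.stage.lower())
            continue  # "FROM base" reuses an earlier stage; nothing new to verify
        if ref.stage:
            stages.add(ref.stage.lower())
        m = SEMVER_RE.match(ref.tag or "")
        tag_version = m.group(1) if m else None
        resolved = digest_to_version.get(ref.digest) if ref.digest else None
        if ref.digest is None:
            kind = "unpinned"
        elif resolved is None:
            kind = "unknown-digest"
        elif tag_version is not None and tag_version != resolved:
            kind = "mismatch"
        else:
            continue
        findings.append({"kind": kind, "image": f"{ref.name}:{ref.tag}",
                         "tag_version": tag_version, "resolved_version": resolved})
    return findings

# Constructed sample: the FROM lines quoted in the finding, plus the finding's own
# claim (recorded here by hand, not looked up) that this digest runs Python 3.11.11.
SAMPLE_DOCKERFILE = """\
FROM python:3.13.11-alpine3.22@sha256:2fd93799bfc6381d078a8f656a5f45d6092e5d11d16f55889b3d5cbfdc64f045 AS base
FROM base AS build
WORKDIR /app
"""
KNOWN_DIGESTS = {"sha256:2fd93799bfc6381d078a8f656a5f45d6092e5d11d16f55889b3d5cbfdc64f045": "3.11.11"}

if __name__ == "__main__":
    for finding in check_pins(SAMPLE_DOCKERFILE, KNOWN_DIGESTS):
        print(finding)
```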

@Maffooch Maffooch requested a review from Jino-T January 30, 2026 06:17
@mtesauro mtesauro merged commit f925f2a into dev Jan 30, 2026
90 checks passed