extract first boot portion of script

[hblankenship]

Extracting first boot portion of script into its own file.

[sc-8584]

[dryrunsecurity]

DryRun Security Summary

The code changes introduce modifications to the Docker environment and initialization scripts for a Django-based web application, focusing on improving security, configuration, and deployment processes through careful management of dependencies, environment variables, entrypoint scripts, and initialization tasks.

Expand for full summary

Summary:

The provided code changes introduce several modifications to the Docker environment and initialization scripts for a Django-based web application, likely the DefectDojo application. These changes aim to improve the application's setup, configuration, and security posture.

Key security-related aspects of the changes include:

1. Dependency Management: The Dockerfiles install various system dependencies, which need to be regularly reviewed and updated to ensure they are free of known vulnerabilities.
2. Environment Variables: The code makes use of several environment variables to configure sensitive information, such as admin user credentials and JIRA webhook secrets. It's crucial to ensure these values are properly secured and not exposed in the codebase or deployment process.
3. Entrypoint Scripts: The new entrypoint scripts, entrypoint-first-boot.sh and entrypoint-initializer.sh, are responsible for executing various setup and configuration tasks. These scripts should be reviewed carefully to ensure they do not contain any security vulnerabilities or perform any unintended actions.
4. Fixture Loading: The code loads various Django fixtures, which should be reviewed to ensure they do not contain any sensitive information or introduce potential security risks.
5. Search Index: The installation of the Watson search index can have security implications and should be properly configured and maintained.
6. Audit Logging: The code ensures that the audit logging functionality is properly enabled and configured, which is an important security feature.

Overall, the changes appear to be focused on improving the Docker-based deployment and initialization of the Django application, with a strong emphasis on security-related aspects, such as credential management, secret generation, and configuration consistency.

Files Changed:

1. Dockerfile.django-debian and Dockerfile.django-alpine: These Dockerfiles introduce a new entrypoint script, entrypoint-first-boot.sh, and set various environment variables related to the application's configuration, including admin user details and Celery/UWSGI settings.
2. .dryrunsecurity.yaml: This file specifies a list of sensitive code paths that should be closely reviewed, including the new entrypoint-first-boot.sh script.
3. docker/entrypoint-first-boot.sh: This script is responsible for executing various initialization tasks, such as creating a superuser, loading fixtures, updating the JIRA webhook secret, and installing the Watson search index.
4. docker/entrypoint-initializer.sh: This script is responsible for the initial setup and configuration of the DefectDojo application, including admin user creation, JIRA webhook secret generation, database initialization, and announcement banner creation.

Code Analysis

We ran 9 analyzers against 5 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Sensitive Files Analyzer	1 finding

View PR in the DryRun Dashboard.

[mtesauro]

Approved