Update docker/build-push-action action from v6.11.0 to v6.12.0 (.github/workflows/release-x-manual-docker-containers.yml) #11574

Merged: 1 commit merged into dev on Jan 16, 2025

Conversation

renovate[bot] (Contributor) commented Jan 15, 2025

This PR contains the following updates:

Package                  | Type   | Update | Change
docker/build-push-action | action | minor  | v6.11.0 -> v6.12.0

Release Notes

docker/build-push-action (docker/build-push-action)

v6.12.0

Compare Source

Full Changelog: docker/build-push-action@v6.11.0...v6.12.0


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

…ub/workflows/release-x-manual-docker-containers.yml)
@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jan 15, 2025

DryRun Security Summary

The pull request updates the Docker build-push-action in GitHub Actions workflows for DefectDojo, focusing on improving the build and deployment process while emphasizing the need for careful review of dependency updates, Docker image security, and workflow execution to maintain the application's security posture.

Summary:

The code changes in this pull request are focused on updating the Docker build-push-action used in the GitHub Actions workflows for building and releasing DefectDojo Docker containers. While the changes do not directly impact the application code itself, they do affect the build and deployment process, which is an important aspect of the application's security posture.

From an application security perspective, the key areas to review are the dependency updates, the security of the Docker images being built, the workflow execution process, and the overall validation of the build and deployment workflow. It's essential to ensure that the updated Docker build-push-action does not introduce any known security vulnerabilities, that the base images used for the Docker containers are secure, and that the workflow execution and validation processes are robust and secure.

Files Changed:

  1. .github/workflows/build-docker-images-for-testing.yml:

    • The workflow is updating the Docker build-push-action from version 6.11.0 to 6.12.0. It's important to review the release notes for this version change to ensure there are no security-related updates or fixes included.
    • The workflow is disabling certain Docker build checks, which could potentially hide security-relevant issues. It's important to understand the implications of disabling these checks and ensure that appropriate security measures are in place elsewhere.
    • The workflow is tagging the built Docker images with the repository name, the Docker image name, and the OS. It's important to ensure that these tags are consistent and accurately reflect the contents of the Docker images.
    • The workflow is uploading the built Docker images as artifacts, which should be properly secured and access restricted.
  2. .github/workflows/release-x-manual-docker-containers.yml:

    • The workflow is updating the Docker build-push-action from version 6.11.0 to 6.12.0, which may introduce changes or fixes to the underlying dependencies.
    • The workflow is building and pushing Docker images for the DefectDojo application, and it's essential to ensure that the base images used are up-to-date and have no known security vulnerabilities.
    • The workflow is triggered manually, and it's important to have proper access controls and authentication mechanisms in place to ensure that only authorized users can initiate the release process.
    • It's recommended to have comprehensive tests and validation steps in the workflow to ensure that the built Docker images are functioning as expected and do not introduce any regressions or security issues.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

@mtesauro mtesauro merged commit 49e0a5c into dev Jan 16, 2025
73 checks passed