
Entrypoint Scripts: Add container level breakouts to prevent doom loopings #10374

Merged
merged 9 commits into from
Jun 10, 2024

Conversation

Maffooch
Contributor

@Maffooch Maffooch commented Jun 10, 2024

In cases where the settings.dist.py hash is incorrect in incoming PRs, containers will boot loop during unit tests until they timeout. By default this timeout is 360 minutes, or 6 hours. This prevents unit tests from actually running for all other PRs.

This PR adds a breakout condition after 10 seconds of not being able to query the database through Django's db_shell to allow unit tests to exit quicker. In addition, I also added some timeouts for GHA action jobs just in case we run into a similar situation down the road.

[sc-6360]
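The breakout described in the PR is a bounded wait in the container entrypoint: poll a database check, and if it has not succeeded by the deadline, exit non-zero so the container stops instead of looping until the CI job's own timeout fires. The function below is an added illustration of that pattern, not DefectDojo's reach_database.sh; the check command is supplied by the caller (in DefectDojo it would be a query through `manage.py dbshell`, here it is whatever command is passed), and the timeout, check command and the `wait_for_database` name are assumptions for the example.

```shell
#!/bin/sh
# Added example (not DefectDojo's reach_database.sh): give the database a
# bounded number of seconds to answer, then fail the container so an
# unrecoverable misconfiguration surfaces quickly instead of boot-looping.

# wait_for_database TIMEOUT_SECONDS CHECK_COMMAND [ARGS...]
# CHECK_COMMAND must exit 0 when the database answers (hypothetical caller-
# supplied check). Returns 0 as soon as it succeeds, 1 once the deadline
# passes; the caller decides what to do (an entrypoint would `exit 1`).
wait_for_database() {
    timeout_s="$1"
    shift
    elapsed=0
    while [ "$elapsed" -lt "$timeout_s" ]; do
        # Run the check with its output silenced; only the exit status matters.
        if "$@" >/dev/null 2>&1; then
            echo "database reachable after ${elapsed}s"
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    echo "database not reachable after ${timeout_s}s, giving up" >&2
    return 1
}

# Entrypoint usage (assumed invocation, not from the PR):
#   wait_for_database 10 python3 manage.py dbshell < /dev/null || exit 1
```

The non-zero return is the important part: a plain retry loop with no exit path is exactly what produces the six-hour doom loop, because the container restarts and re-enters the same wait. The same idea applies one layer up in the workflow, where GitHub Actions' `timeout-minutes` on a job or step replaces the default 360-minute limit the description mentions.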


dryrunsecurity bot commented Jun 10, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings:
  Configured Codepaths Analyzer: 0 findings
  IDOR Analyzer: 0 findings
  Sensitive Files Analyzer: 1 finding
  AppSec Analyzer: 0 findings
  Authn/Authz Analyzer: 0 findings
  Secrets Analyzer: 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request are focused on improving the reliability, stability, and security of the various workflows and Docker-based components used in the DefectDojo application. The changes include the addition of timeout mechanisms, database connection checks, error handling, and other security-related enhancements across multiple files and scripts.

Some key security-related changes include:

  1. Timeout Handling: Several workflows and Docker entrypoint scripts now include timeout mechanisms to prevent long-running processes from causing issues, such as denial-of-service.
  2. Database Connectivity: The code introduces new scripts and functions to ensure the database is reachable before running tests or initializing the application, which helps prevent failures due to database unavailability.
  3. Sensitive Information Management: The changes aim to ensure that sensitive information, such as database credentials and API keys, is not hardcoded or exposed in the environment variables or configuration files.
  4. Logging and Error Handling: The code includes improvements to logging and error handling, which can aid in the detection and investigation of potential security issues.
  5. Dependency Management: The changes ensure that the application's dependencies, including Docker images and external libraries, are properly managed and maintained to address any known vulnerabilities.

Overall, the code changes in this pull request appear to be focused on improving the overall security and reliability of the DefectDojo application, which is a positive step for the project's security posture.

Files Changed:

  1. .github/workflows/build-docker-images-for-testing.yml: The changes introduce a timeout mechanism for the Docker image build and artifact upload steps, which helps prevent potential denial-of-service issues.
  2. .github/workflows/rest-framework-tests.yml: The changes add a timeout to the steps that load Docker images and run the unit tests, improving the reliability of the testing workflow.
  3. .github/workflows/integration-tests.yml: The changes include timeout handling, environment configuration, and integration test case execution, all of which contribute to the overall security and stability of the application.
  4. .github/workflows/k8s-tests.yml: The changes focus on improving the reliability and security of the Kubernetes deployment process, including timeout handling, Docker image security, and error logging.
  5. Dockerfile.integration-tests-debian: The changes introduce a new script (reach_database.sh) and handle environment variables related to the integration tests, which require careful review to ensure security.
  6. Dockerfile.django-alpine: The changes include the addition of the reach_database.sh script and the handling of environment variables, which need to be reviewed for potential security implications.
  7. docker-compose.yml: The changes introduce a new environment variable to handle database connection readiness, which improves the overall reliability of the application's deployment.
  8. Dockerfile.django-debian: The changes include the addition of the reach_database.sh script, which should be reviewed for potential security concerns.
  9. docker/entrypoint-unit-tests-devDocker.sh: The changes focus on improving the reliability of the unit testing process, including the handling of database connectivity.
  10. docker/entrypoint-celery-worker.sh: The changes include the addition of the reach_database.sh script and the configuration of the Celery worker, which should be reviewed for security implications.
  11. docker/entrypoint-celery-beat.sh: The changes are similar to the Celery worker entrypoint, with the addition of the reach_database.sh script.
  12. docker/entrypoint-initializer.sh: The changes in this file are focused on the initialization and setup of the DefectDojo application, with a strong emphasis on security-related aspects.
  13. docker/reach_database.sh: This is a new file that introduces a function to ensure the database is reachable, which is an important security-related enhancement.
  14. dojo/settings/settings.py: The changes in this file refine the error handling and configuration management process, with a focus on maintaining the integrity of the application's settings.
  15. docker/entrypoint-unit-tests.sh: The changes in this file are focused on improving the reliability and security of the unit test setup.


@Maffooch Maffooch changed the title Entrypoint Scripts: Add container level breakouts to prevent doom loo… Entrypoint Scripts: Add container level breakouts to prevent doom loopings Jun 10, 2024
Contributor

@mtesauro mtesauro left a comment


Approved

@mtesauro
Contributor

Thanks for putting some great guardrails on our GH Actions 🚀

@Maffooch Maffooch merged commit 4573990 into DefectDojo:bugfix Jun 10, 2024
124 checks passed
@Maffooch Maffooch deleted the cicd branch July 22, 2024 21:57
5 participants