
ThiagoCruzBr
Contributor

Alternative command useful for automation.

dryrunsecurity bot commented Aug 5, 2025

DryRun Security

This pull request contains a documentation issue where a hardcoded weak password ('Password123!') is included in the Docker setup instructions, which could potentially lead to security risks if users directly copy and paste the example command without changing the password.

Hardcoded Weak Password in Documentation in readme-docs/DOCKER.md

Vulnerability: Hardcoded Weak Password in Documentation

Description: The documentation file readme-docs/DOCKER.md contains an example command for changing the admin password that includes a hardcoded, weak password ('Password123!'). This command is presented as an alternative for automation, implying it's intended for users setting up their instances. Users are highly likely to copy and paste this command, which could lead to production systems having a known, easily guessable administrator password, thereby creating a significant security vulnerability.

````markdown
docker compose exec -it uwsgi ./manage.py changepassword admin
```
Alternatively, you can run the command below to change the admin password in a single command. Useful for automation.
```zsh
docker compose exec uwsgi ./manage.py shell -c 'from django.contrib.auth.models import User; u = User.objects.get(username="admin"); u.set_password("Password123!"); u.save()'
```
# Logging
For docker compose release mode the log level is INFO. In the other modes the log level is DEBUG. Logging is configured in `settings.dist.py` and can be tuned using a `local_settings.py`, see [template for local_settings.py](../dojo/settings/template-local_settings)). For example the deduplication logger can be set to DEBUG in a local_settings.py file:
````


All finding details can be found in the DryRun Security Dashboard.
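A safer shape for the automation one-liner the bot objects to, added here as an example and not DefectDojo's own tooling: the password comes from an environment variable (the name `DD_ADMIN_PASSWORD` is assumed), is rejected if it is on a small constructed weak-password list or too simple, and is piped to the container on stdin with `docker compose exec -T`, so it never appears in the docs, the shell history or the process list.

```python
# Added example (not DefectDojo's own tooling): rotate the admin password for
# automation without hard-coding it. Assumes DD_ADMIN_PASSWORD (name assumed)
# carries the new password and that `docker compose exec -T` is available.
import os
import re
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# Constructed denylist for this example; a deployment would use Django's
# password validators or a breach-list check instead.
KNOWN_WEAK = {"Password123!", "admin", "password", "changeme"}

# The Django one-liner reads the password from stdin rather than from the
# command line, so it never sits in the docs, the shell history or `ps` output.
DJANGO_SNIPPET = (
    "import sys; from django.contrib.auth.models import User; "
    'u = User.objects.get(username="admin"); '
    'u.set_password(sys.stdin.readline().rstrip("\\n")); u.save()'
)

def weak_reason(pw: str) -> Optional[str]:
    """Return why a password is unacceptable, or None if it passes."""
    if not pw:
        return "DD_ADMIN_PASSWORD is not set"
    if "\n" in pw:
        return "password must not contain a newline (it is sent as one stdin line)"
    if pw in KNOWN_WEAK:
        return "password is on the known-weak list"
    if len(pw) < 12:
        return "password shorter than 12 characters"
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(p, pw)) for p in classes) < 3:
        return "password needs at least three character classes"
    return None

def plan_rotation(env: Dict[str, str], service: str = "uwsgi") -> Tuple[List[str], str]:
    """Validate the password and return (argv, stdin payload); -T drops the TTY so stdin can be piped."""
    pw = env.get("DD_ADMIN_PASSWORD", "")
    reason = weak_reason(pw)
    if reason:
        raise ValueError(reason)
    argv = ["docker", "compose", "exec", "-T", service,
            "./manage.py", "shell", "-c", DJANGO_SNIPPET]
    return argv, pw + "\n"

if __name__ == "__main__":
    argv, payload = plan_rotation(dict(os.environ))
    sys.exit(subprocess.run(argv, input=payload, text=True, check=False).returncode)
```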

@Maffooch Maffooch requested review from dogboat and blakeaowens August 7, 2025 06:23
Contributor

@mtesauro mtesauro left a comment

Approved

@mtesauro mtesauro merged commit 0ca79ab into DefectDojo:bugfix Aug 9, 2025
85 checks passed