Bump python from 3.11.11-slim-bookworm to 3.13.4-slim-bookworm

[dependabot]

Bumps python from 3.11.11-slim-bookworm to 3.13.4-slim-bookworm.

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
python	[>= 3.9.a, < 3.10]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dryrunsecurity]

This pull request improves supply chain security by updating Docker base images to use specific SHA256 digests in both Dockerfile.nginx-alpine and Dockerfile.nginx-debian, which prevents potential unauthorized image modifications and ensures reproducible builds.

⚠️ Supply Chain Security in Dockerfile.nginx-alpine

Vulnerability	Supply Chain Security
Description	The change from a tag-based to a digest-based image reference is a security best practice. By using the specific SHA256 digest, the build ensures exact image reproducibility, preventing potential unauthorized or unintended image modifications. This mitigates risks of pulling unexpected or potentially compromised image versions.

django-DefectDojo/Dockerfile.nginx-alpine

Lines 5 to 11 in 3d802b3

	# Dockerfile.django-alpine to use the caching mechanism of Docker.
	# Ref: https://devguide.python.org/#branchstatus
	FROM python:3.13.3-alpine3.20@sha256:40a4559d3d6b2117b1fbe426f17d55b9100fa40609733a1d0c3f39e2151d4b33 AS base
	FROM base AS build
	WORKDIR /app

⚠️ Supply Chain Security in Dockerfile.nginx-debian

Vulnerability	Supply Chain Security
Description	Similar to hunk_id 2, this change pins the Docker base image to a specific SHA256 digest. This approach prevents potential supply chain attacks by ensuring the exact same image content is used across builds, eliminating risks associated with mutable image tags that could be inadvertently or maliciously altered.

django-DefectDojo/Dockerfile.nginx-debian

Lines 5 to 11 in 3d802b3

	# Dockerfile.django-debian to use the caching mechanism of Docker.
	# Ref: https://devguide.python.org/#branchstatus
	FROM python:3.13.4-slim-bookworm@sha256:d97b595c5f4ac718102e5a5a91adaf04b22e852961a698411637c718d45867c8 AS base
	FROM base AS build
	WORKDIR /app
	RUN \

---

All finding details can be found in the DryRun Security Dashboard.

[mtesauro]

This will need to be tested before we consider this update