DefectDojo’s Documentation

About DefectDojo

What is DefectDojo?

DefectDojo is a security tool that automates application security vulnerability management. DefectDojo streamlines the application security testing process by offering features such as importing third party security findings, merging and de-duping, integration with Jira, templating, report generation and security metrics.

What does DefectDojo do?

While traceability and metrics are the ultimate end goal, DefectDojo is a bug tracker at its core. Taking advantage of DefectDojo’s Product:Engagement model, enables traceability among multiple projects and test cycles, and allows for fine-grained reporting.

How does DefectDojo work?

DefectDojo is based on a model that allows the ultimate flexibility in your test tracking needs.

• Working in DefectDojo starts with a Product Type.
• Each Product Type can have one of more Products.
• Each Product can have one or more Engagements.
• Each Engagement can have one more Tests.
• Each Test can have one or more Findings.

The code is open source, and available on github.

A demo installation can be found over at PythonAnywhere.

Our documentation is organized in the following sections:

• User Documentation
• Feature Documentation
• API Documentation
• Plugins

User Documentation

• About DefectDojo
  • DefectDojo Basics
• Getting Started
  • Live Demo
  • Docker Compose Install
• Integrations
  • Anchore-Engine
  • Arachni Scanner
  • AppSpider (Rapid7)
  • Bandit
  • Bundler-Audit
  • Burp XML
  • Clair
  • Contrast Scanner
  • Checkmarx
  • DawnScanner
  • Dependency Check
  • Generic Findings Import
  • Nessus (Tenable)
  • Netsparker
  • Nexpose XML 2.0 (Rapid7)
  • Nikto
  • Nmap
  • Node Security Platform
  • NPM Audit
  • OpenVAS CSV
  • PHP Symfony Security Checker
  • Qualys
  • Retire.js
  • SKF Scan
  • Snyk
  • SSL Labs
  • Trufflehog
  • Visual Code Grepper (VCG)
  • Veracode
  • Zed Attack Proxy
• Models
  • Product Types
  • Products
  • Environments
  • Engagements
  • Test Types
  • Test
  • Finding
• Usage Examples
  • Create a new Product Type
  • Create a new Test Type
  • Create a new Development Environment
  • Create a new Engagement
  • Adding Tests to an Engagement
  • Adding Findings to a Test
  • Accepting a Finding Risk
  • Viewing an Engagement
  • Tracking your Engagements in the calendar
  • Tracking metrics for your Products
• Workflows
  • Example 1 - Bill the security engineer
  • Example 2 - John the QE manager
• Upgrading
  • FAQ
  • Upgrading to DefectDojo Version 1.5.0
  • Upgrading to DefectDojo Version 1.3.1
  • Upgrading to DefectDojo Version 1.2.9
  • Upgrading to DefectDojo Version 1.2.8
  • Upgrading to DefectDojo Version 1.2.4
  • Upgrading to DefectDojo Version 1.2.3
  • July 6th 2017 - New location for system settings
  • Upgrading to DefectDojo Version 1.2.2
  • Upgrading to Django 1.1.5
  • Upgrading to Django 1.11
• Running in Production

Feature Documentation

• DefectDojo Features
  • Products
  • Engagements
  • Endpoints
  • Findings
  • Metrics
  • Users
  • Calendar
  • Port Scans
  • Notifications
  • Benchmarks
  • Reports
  • JIRA Integration
  • Issue Consolidation
  • False Positive Removal

API Documentation

• DefectDojo API Documentation
  • Authentication
  • Sample Code
• DefectDojo API v2 Documentation
  • Authentication
  • Sample Code

Plugins

• Defect Dojo Burp-Plugin
  • Installation
  • Usage