DefectDojo's Documentation

About DefectDojo
What is DefectDojo?

DefectDojo is a security tool that automates application security vulnerability management. DefectDojo streamlines the application security testing process by offering features such as importing third-party security findings, merging and de-duplicating findings, integration with Jira, templating, report generation and security metrics.
What does DefectDojo do?

While traceability and metrics are the ultimate end goal, DefectDojo is a bug tracker at its core. Taking advantage of DefectDojo's Product:Engagement model enables traceability among multiple projects and test cycles, and allows for fine-grained reporting.
How does DefectDojo work?

DefectDojo is based on a model that allows the ultimate flexibility in your test tracking needs.
- Working in DefectDojo starts with a Product Type.
- Each Product Type can have one or more Products.
- Each Product can have one or more Engagements.
- Each Engagement can have one or more Tests.
- Each Test can have one or more Findings.

The code is open source and available on GitHub.
Our documentation is organized in the following sections:
User Documentation
- About DefectDojo
- Getting Started
- Integrations
- Acunetix Scanner
- Anchore-Engine
- Aqua
- Arachni Scanner
- AppSpider (Rapid7)
- AWS Security Hub
- AWS Scout2 Scanner
- AWS Prowler Scanner
- Bandit
- Blackduck Hub
- Brakeman Scan
- Bugcrowd
- Bundler-Audit
- Burp XML
- Burp Enterprise Scan
- CCVS Report
- Checkov Report
- Clair Scan
- Clair Klar Scan
- Cobalt.io Scan
- Crashtest Security
- Contrast Scanner
- Checkmarx
- Choctaw Hog parser
- DawnScanner
- Dependency Check
- Dependency Track
- DrHeader
- ESLint
- Fortify
- Generic Findings Import
- Hadolint
- Harbor Vulnerability
- JFrogXRay
- Gosec Scanner
- Gitleaks
- GitLab SAST Report
- Github Vulnerability
- HuskyCI Report
- IBM AppScan DAST
- Immuniweb Scan
- Kiuwan Scanner
- kube-bench Scanner
- Microfocus Webinspect Scanner
- MobSF Scanner
- Mozilla Observatory Scanner
- Nessus (Tenable)
- Netsparker
- Nexpose XML 2.0 (Rapid7)
- Nikto
- Nmap
- Node JS Scan
- Node Security Platform
- NPM Audit
- Openscap Vulnerability Scan
- OpenVAS CSV
- OssIndex Devaudit
- Oss Review Toolkit
- PHP Security Audit v2
- PHP Symfony Security Checker
- Probely
- Qualys Scan
- Qualys Webapp Scan
- Retire.js
- Risk Recon API Importer
- Safety Scan
- SARIF
- ScoutSuite
- SKF Scan
- Snyk
- SonarQube Scan (aggregates findings per CWE, title, description and file_path)
- SonarQube Scan Detailed (imports all findings from a SonarQube HTML report)
- SonarQube API Import
- SpotBugs
- Sonatype
- SSL Labs
- Sslscan
- Sslyze Scan
- SSLyze 3 Scan (JSON)
- Testssl Scan
- Trivy
- Trufflehog
- Trustwave
- Twistlock
- Visual Code Grepper (VCG)
- Veracode
- Wapiti Scan
- Whitesource Scan
- Wpscan Scanner
- Xanitizer
- Zed Attack Proxy
- Models
- Usage Examples
- Workflows
- Upgrading
- Docker-compose
- Setup.bash
- FAQ
- Upgrading to DefectDojo Version 1.10.x
- Upgrading to DefectDojo Version 1.9.3
- Upgrading to DefectDojo Version 1.8.0
- Upgrading to DefectDojo Version 1.7.0
- Upgrading to DefectDojo Version 1.5.0
- Upgrading to DefectDojo Version 1.3.1
- Upgrading to DefectDojo Version 1.2.9
- Upgrading to DefectDojo Version 1.2.8
- Upgrading to DefectDojo Version 1.2.4
- Upgrading to DefectDojo Version 1.2.3
- July 6th 2017 - New location for system settings
- Upgrading to DefectDojo Version 1.2.2
- Upgrading to Django 1.1.5
- Upgrading to Django 1.11
- Running in Production