Deploy DefectDojo as a centralized vulnerability management dashboard with scanner integrations, deduplication, metrics tracking, and Jira ticketing workflows.
DefectDojo is an open-source application vulnerability management platform that aggregates findings from 200+ security tools, deduplicates results, tracks remediation progress, and provides executive dashboards. It serves as a central hub for vulnerability management, integrating with CI/CD pipelines, Jira for ticketing, and Slack for notifications. DefectDojo supports OWASP-based categorization and provides REST API for automation.
# Clone DefectDojo repository
git clone https://github.com/DefectDojo/django-DefectDojo.git
cd django-DefectDojo
# Start with Docker Compose (production mode)
./dc-up-d.sh
# Alternative: manual Docker Compose
docker compose up -d
# Check service status
docker compose ps
# View initial admin credentials
docker compose logs initializer 2>&1 | grep "Admin password"
# Access DefectDojo at http://localhost:8080
# Key environment variables in docker-compose.yml
DD_DATABASE_ENGINE=django.db.backends.postgresql
DD_DATABASE_HOST=postgres
DD_DATABASE_PORT=5432
DD_DATABASE_NAME=defectdojo
DD_DATABASE_USER=defectdojo
DD_DATABASE_PASSWORD=<secure_password>
DD_ALLOWED_HOSTS=*
DD_SECRET_KEY=<random_64_char_key>
DD_CREDENTIAL_AES_256_KEY=<random_128_bit_key>
DD_SOCIAL_AUTH_GOOGLE_OAUTH2_ENABLED=True
Product Type (Business Unit)
└── Product (Application/Service)
└── Engagement (Assessment/Sprint)
└── Test (Scanner Run)
└── Finding (Individual Vulnerability)
import requests
DD_URL = "http://localhost:8080/api/v2"
API_KEY = "your_api_key_here"
HEADERS = {"Authorization": f"Token {API_KEY}", "Content-Type": "application/json"}
# Create Product Type
resp = requests.post(f"{DD_URL}/product_types/", headers=HEADERS, json={
"name": "Web Applications",
"description": "Customer-facing web application portfolio"
})
product_type_id = resp.json()["id"]
# Create Product
resp = requests.post(f"{DD_URL}/products/", headers=HEADERS, json={
"name": "Customer Portal",
"description": "Main customer-facing web application",
"prod_type": product_type_id,
"sla_configuration": 1,
})
product_id = resp.json()["id"]
# Create Engagement
resp = requests.post(f"{DD_URL}/engagements/", headers=HEADERS, json={
"name": "Q1 2024 Security Assessment",
"product": product_id,
"target_start": "2024-01-01",
"target_end": "2024-03-31",
"engagement_type": "CI/CD",
"status": "In Progress",
})
engagement_id = resp.json()["id"]
# Upload Nessus scan results
curl -X POST "${DD_URL}/reimport-scan/" \
-H "Authorization: Token ${API_KEY}" \
-F "scan_type=Nessus Scan" \
-F "file=@nessus_report.csv" \
-F "product_name=Customer Portal" \
-F "engagement_name=Q1 2024 Security Assessment" \
-F "auto_create_context=true" \
-F "deduplication_on_engagement=true"
# Upload OWASP ZAP results
curl -X POST "${DD_URL}/reimport-scan/" \
-H "Authorization: Token ${API_KEY}" \
-F "scan_type=ZAP Scan" \
-F "file=@zap_report.xml" \
-F "product_name=Customer Portal" \
-F "engagement_name=Q1 2024 Security Assessment" \
-F "auto_create_context=true"
# Upload Trivy container scan
curl -X POST "${DD_URL}/reimport-scan/" \
-H "Authorization: Token ${API_KEY}" \
-F "scan_type=Trivy Scan" \
-F "file=@trivy_results.json" \
-F "product_name=Customer Portal" \
-F "engagement_name=Q1 2024 Security Assessment" \
-F "auto_create_context=true"
| Scanner | Type String | Format |
|---|---|---|
| Nessus | Nessus Scan | CSV/XML |
| OpenVAS | OpenVAS CSV | CSV |
| Qualys | Qualys Scan | XML |
| OWASP ZAP | ZAP Scan | XML/JSON |
| Burp Suite | Burp XML | XML |
| Trivy | Trivy Scan | JSON |
| Semgrep | Semgrep JSON Report | JSON |
| Snyk | Snyk Scan | JSON |
| SonarQube | SonarQube Scan | JSON |
| Checkov | Checkov Scan | JSON |
# .github/workflows/security-scan.yml