DefectDojo is an Open Source application available through GitHub.
Please refer to the usage examples for details on the different ways the integration can be used.
Importing our scan results requires no custom integration. Once you have started an engagement, you can import our machine-readable scan report and have its results shown as findings, including the CVSS score, vulnerability description, affected URL, remediation advice, and links to our wiki.
If you want to automate this process completely, use the DefectDojo API to send our scan reports directly after every scan.
This step would need to be defined in your CI/CD pipeline so that it runs after every scan. See the example below of importing a scan result via the API.
Additionally, DefectDojo integrates with Jira, so you can create Jira tickets from DefectDojo findings and have a finding closed when the corresponding ticket is closed.
More documentation is available through the DefectDojo documentation website.
If you need any support to set this process up, please contact us.
Example for importing a scan result in DefectDojo
Below is an example of how to test the DefectDojo API with a tool such as Postman.
We assume your DefectDojo is running at https://defectdojo.herokuapp.com/ (the demo application).
- Verb: POST
- URI: https://defectdojo.herokuapp.com/api/v2/import-scan/
- Headers tab: add the authentication header
- Key: Authorization
- Value: Token “token_value”, where token_value is your DefectDojo API v2 key (the word Token, a space, then the key)
- Body tab
select “form-data”, click “bulk edit”, and paste the parameters as one key:value pair per line. Parameter names are case-sensitive. Example for a Crashtest Security scan:
engagement:3
verified:true
active:true
lead:1
tags:test
scan_date:2019-04-30
scan_type:Crashtest Security Scan
minimum_severity:Info
skip_duplicates:true
close_old_findings:false
- Body tab
- Click “Key-value” edit
- Add a “file” parameter of type “file”. This will trigger multi-part form data for sending the file content
- Browse for the file to upload
- Click send
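The same request as a script you can run from a CI/CD job instead of Postman. This is an added example, not code from Crashtest Security or from the DefectDojo project. It uses only the Python standard library and sends the same form fields as the Postman walkthrough above; the demo URL is the one named on this page. Assumptions not taken from the page: the API token is read from a DEFECTDOJO_TOKEN environment variable, the report path and engagement id come from the command line, and the optional push_to_jira field (which asks DefectDojo to create Jira issues for the imported findings when the product has a Jira configuration) defaults to off.

```python
"""Import a Crashtest Security report into DefectDojo from a CI/CD job.

Added example. Assumptions (not from the page): the API token comes from
the DEFECTDOJO_TOKEN environment variable and the report path is given on
the command line. The form fields mirror the Postman walkthrough.
"""
import json
import mimetypes
import os
import secrets
import sys
import urllib.request
from datetime import date
from pathlib import Path

IMPORT_ENDPOINT = "/api/v2/import-scan/"


def import_fields(engagement_id, scan_date, lead_id=1, tags="test", push_to_jira=False):
    """Form fields for import-scan, same values as the Postman example.

    push_to_jira is optional and assumed off; when enabled, DefectDojo creates
    Jira issues for the imported findings if the product is linked to Jira.
    """
    return {
        "engagement": engagement_id,
        "scan_type": "Crashtest Security Scan",
        "scan_date": scan_date,        # YYYY-MM-DD
        "lead": lead_id,
        "tags": tags,
        "active": True,
        "verified": True,
        "minimum_severity": "Info",
        "skip_duplicates": True,
        "close_old_findings": False,   # parameter names are case-sensitive
        "push_to_jira": push_to_jira,
    }


def _form_value(value):
    """DefectDojo's boolean fields expect "true"/"false"; str(True) would send "True"."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def build_multipart(fields, file_field, filename, file_bytes, boundary=None):
    """Encode form fields plus one file as multipart/form-data, which is what
    Postman's form-data body tab produces. Returns (content_type, body_bytes)."""
    boundary = boundary or secrets.token_hex(16)
    parts = []
    for name, value in fields.items():
        parts += [
            f"--{boundary}".encode(),
            f'Content-Disposition: form-data; name="{name}"'.encode(),
            b"",
            _form_value(value).encode(),
        ]
    mime = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    parts += [
        f"--{boundary}".encode(),
        f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"'.encode(),
        f"Content-Type: {mime}".encode(),
        b"",
        file_bytes,
        f"--{boundary}--".encode(),
        b"",  # trailing CRLF after the closing boundary
    ]
    return f"multipart/form-data; boundary={boundary}", b"\r\n".join(parts)


def import_scan(base_url, token, fields, report_path, timeout=60):
    """POST the report to import-scan and return the decoded JSON response.

    urlopen raises HTTPError on a non-2xx status, so a rejected import fails
    the CI job instead of silently dropping the results."""
    path = Path(report_path)
    content_type, body = build_multipart(fields, "file", path.name, path.read_bytes())
    req = urllib.request.Request(base_url.rstrip("/") + IMPORT_ENDPOINT, data=body, method="POST")
    req.add_header("Authorization", f"Token {token}")  # same header as in the Postman example
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # usage: python import_scan.py <report file> [engagement id]
    token = os.environ["DEFECTDOJO_TOKEN"]  # keep the token out of the pipeline file itself
    report = sys.argv[1]
    engagement = int(sys.argv[2]) if len(sys.argv) > 2 else 3
    result = import_scan("https://defectdojo.herokuapp.com", token,
                         import_fields(engagement, scan_date=date.today().isoformat()), report)
    print(json.dumps(result, indent=2))
```

Store the API key as a protected CI secret rather than in the repository, and let the non-2xx exception fail the job so that a broken import is noticed rather than producing an engagement with no findings.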
DefectDojo + Jira integration
If you are using Jira and DefectDojo, there is a neat way to integrate the two tools. DefectDojo's Jira integration supports two-way communication: DefectDojo pushes findings to Jira through the Jira API, and Jira reports status changes back through a webhook that you configure in Jira and point at your DefectDojo instance.
So in an ideal scenario, once a finding is created in DefectDojo, a new Jira issue is created automatically, including the important information on how to remediate it and where it was found.
Let's assume the vulnerability was fixed and the corresponding Jira ticket was closed. The related finding in DefectDojo is then closed as well. Neat, right?
Please look up the documentation or contact us to set this up.