About Our Documentation

DefectDojo Inc. and open-source contributors maintain this documentation to support both the Community and Pro editions of DefectDojo.
What is DefectDojo?
DefectDojo is a Developer Security Operations (DevSecOps) platform. DefectDojo streamlines DevSecOps by serving as an automatic aggregator for your suite of security tools, allowing you to easily organize your security work and report your organization's security posture to other stakeholders.
While security process automation and integrated development pipelines are the end goals of DefectDojo, at its core this software is a bug tracker for security vulnerabilities, which is meant to ingest, organize and standardize reports from many security tools.
What does DefectDojo do?
DefectDojo has smart features to enhance and tune the results from your security tools, including the ability to:
- Track and report on security Findings in context
- Set and enforce SLAs for vulnerability remediation, in context
- Handle False Positives, Risk Acceptances and other triage decisions, and create and track Risk Acceptances for security vulnerabilities over time
- Distill duplicates using DefectDojo's deduplication algorithm
- Integrate with external Project Tracking software
- Provide metrics and reports across repositories and development branches using CI/CD integration
- Coordinate traditional Pen test management
Ultimately, DefectDojo’s Product:Engagement model allows you to take inventory of your development environment and immediately place new security Findings in context.
A video walkthrough with DefectDojo co-founder and CTO Matt Tesauro shows several ways DefectDojo can be implemented.
DefectDojo Open-Source
DefectDojo’s core functionality is available in DefectDojo Open-Source.
This edition of DefectDojo includes:
- Import/Reimport for all 200+ Supported Tools
- REST API
- Deduplication features
- Limited UI, metrics and reporting features
- Jira integration capability
For teams managing a smaller volume of Findings, DefectDojo Open-Source is a great starting point.
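The Import/Reimport and REST API items above are the core ingest path: a CI job uploads a scanner report once with import-scan, then refreshes the same Test on later runs with reimport-scan so findings that disappeared are closed rather than duplicated. The following is an added example of that flow, not DefectDojo's own client code. It uses only the Python standard library. Assumed, and not stated on this page: a reachable instance at the URL in DOJO_URL, an API token (Authorization: Token ...) for a user allowed to write to the target engagement, an engagement id, and a local Trivy JSON report named trivy.json. The multipart encoder and the payload builder can be exercised offline; only the final send needs a running DefectDojo.

```python
"""Import, then reimport, a scanner report through the DefectDojo v2 REST API.

Added example (not DefectDojo's own code). Assumptions: DOJO_URL and
DOJO_TOKEN environment variables, an engagement id, and a local
Trivy JSON report called trivy.json.
"""
import json
import mimetypes
import os
import urllib.request
import uuid


def build_import_payload(scan_type, engagement_id, *, minimum_severity="Low",
                         active=True, verified=False, close_old_findings=True,
                         push_to_jira=False, test_id=None):
    """Form fields for POST /api/v2/import-scan/ (engagement-scoped) or, when
    test_id is given, POST /api/v2/reimport-scan/ (test-scoped).

    Multipart form data carries booleans as the strings "true"/"false".
    close_old_findings=True is what makes reimport close findings the
    scanner no longer reports instead of leaving them open and stale.
    """
    fields = {
        "scan_type": scan_type,
        "minimum_severity": minimum_severity,
        "active": str(active).lower(),
        "verified": str(verified).lower(),
        "close_old_findings": str(close_old_findings).lower(),
        "push_to_jira": str(push_to_jira).lower(),
    }
    if test_id is None:
        fields["engagement"] = str(engagement_id)
    else:
        fields["test"] = str(test_id)
    return fields


def encode_multipart(fields, file_field, filename, file_bytes):
    """Hand-rolled multipart/form-data body (no third-party HTTP client).

    Returns (body_bytes, content_type_header_value).
    """
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}",
                  f'Content-Disposition: form-data; name="{name}"', "", value]
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    parts += [f"--{boundary}",
              f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"',
              f"Content-Type: {ctype}", ""]
    body = ("\r\n".join(parts) + "\r\n").encode()
    body += file_bytes + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def post_scan(base_url, token, endpoint, fields, report_path):
    """POST a report to /api/v2/<endpoint>/ and return the decoded JSON reply.

    The import-scan reply includes the id of the Test that was created, which
    is what later reimport-scan calls must reference.
    """
    with open(report_path, "rb") as fh:
        body, ctype = encode_multipart(fields, "file",
                                       os.path.basename(report_path), fh.read())
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v2/{endpoint}/",
        data=body, method="POST",
        headers={"Authorization": f"Token {token}", "Content-Type": ctype},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed environment: URL, token and engagement id are not on the page.
    base, token = os.environ["DOJO_URL"], os.environ["DOJO_TOKEN"]
    engagement = int(os.environ.get("DOJO_ENGAGEMENT", "1"))

    first = post_scan(base, token, "import-scan",
                      build_import_payload("Trivy Scan", engagement), "trivy.json")
    test_id = first["test"]
    print(f"created test {test_id}")

    # Next pipeline run: same Test, so resolved findings get closed, not re-added.
    again = post_scan(base, token, "reimport-scan",
                      build_import_payload("Trivy Scan", engagement, test_id=test_id),
                      "trivy.json")
    print(f"reimported into test {again.get('test', test_id)}")
```

The point of carrying the Test id across runs is deduplication at the source: reimport matches findings against the existing Test, so a pipeline that ran import-scan every time would create a new Test per build and leave DefectDojo's deduplication to clean up after it. Keep the token in a CI secret, never in the pipeline definition, and scope the API user to the products it imports into.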
Installation Guides
There are a few supported ways to install DefectDojo's Open-Source edition (available on GitHub):
Docker Compose is the easiest method to install the core program and services required to run DefectDojo. Our Architecture guide gives you an overview of each service and component used by DefectDojo. Running In Production lists system requirements, performance tweaks and maintenance processes for running DefectDojo on a production server (with Docker Compose).
Kubernetes is not fully supported at the Open-Source level, but this guide can be referenced and used as a starting point to integrate DefectDojo into Kubernetes architecture.
If you run into trouble with an Open-Source install, we highly recommend asking questions on the OWASP Slack. Our community members are active on the #defectdojo channel and can help you with issues you're facing.
DefectDojo Pro Edition
DefectDojo Inc. hosts a Pro edition of this software for commercial purposes. Along with a sleek, modern UI, DefectDojo Pro includes:
- Connectors: out-of-the-box API integrations with enterprise-level scanners (such as Checkmarx One, BurpSuite, Semgrep and more)
- Configurable Import Methods: Universal Parser, Smart Upload
- CLI Tools for rapid integration with your systems
- Additional Project Tracking Integrations: ServiceNow, Azure DevOps, GitHub and GitLab
- Improved Metrics for executive reporting and high-level analysis
- Priority And Risk to identify the Findings of highest urgency, system-wide
- Premium Support and implementation guidance for your organization
The Pro edition is available as a cloud-hosted SaaS offering, and is also available for installation on-premises.
For more information on DefectDojo Pro, check out our Pricing page.
Online Demos
Online demos for both Open-Source and Pro versions of DefectDojo are available. Both can be accessed using the following credentials:
- Username: admin
- Password: 1Defectdojo@demo#appsec
These demos come loaded with sample data, and are reset on a daily basis.
Open-Source Demo
A running example of DefectDojo (Open-Source Edition) is available at https://demo.defectdojo.org/.
Pro Demo
A running example of DefectDojo Pro is available at https://pro.demo.defectdojo.com/.
Learning DefectDojo
Whether you're a Pro or an Open-Source user, we have many resources to help you get started with DefectDojo.
- Our New User Checklist covers the fundamentals of setting up your DefectDojo environment and establishing your import, triage and reporting workflows.
- Review our supported security tool integrations to help fit DefectDojo in your DevSecOps program.
- Our team maintains a YouTube Channel which hosts tutorials, archived Office Hours events, and other content.
Connect With Us
To get in touch with the DefectDojo Inc team, you can always reach out to .
We post regularly on LinkedIn and also host online presentations for AppSec professionals that can be accessed live or on demand. You can learn about upcoming events on our Events page or watch past presentations on our YouTube Channel.
Stickers
Looking for cool DefectDojo laptop stickers? As a thank you for being a part of the DefectDojo community, you can sign up to get some free DefectDojo stickers. For more information, check out this link.
