Import Method Comparison
One of the things we understand at DefectDojo is that every company’s security needs are completely different. There is no ‘one-size-fits-all’ approach. As your organization changes, having a flexible approach is key.
DefectDojo allows you to connect your security tools in a flexible way to match those changes.
Scan Upload Methods
When DefectDojo receives a vulnerability report from a security tool, it will create Findings based on the vulnerabilities contained within that report. DefectDojo acts as the central repository for these Findings where they can be triaged, remediated or otherwise addressed by you and your team.
There are two main ways that DefectDojo can upload Finding reports.
- Via direct import through the UI: Import Scan Form
- Via API endpoint (allowing for automated data ingest): See API Docs
DefectDojo Pro Methods
DefectDojo Pro users have an additional three methods to handle reports and data:
- Via Universal Importer or DefectDojo CLI, command line tools which leverage the DefectDojo API: See External Tools
- Via Connectors for certain tools, an ‘out of the box’ data integration: See Connectors Guide
- Via Smart Upload for certain tools, an importer designed to handle infrastructure scans: See Smart Upload Guide
Comparing Upload Methods
| | UI Import | API | Connectors (Pro) | Smart Upload (Pro) |
|---|---|---|---|---|
| Supported Scan Types | All: see Supported Tools | All: see Supported Tools | Snyk, Semgrep, Burp Suite, AWS Security Hub, Probely, Checkmarx, Tenable | Nexpose, Nmap, OpenVAS, Qualys, Tenable |
| Automation? | Available via API: /import and /reimport endpoints | Triggered from CLI Importer or external code | Connectors are inherently automated | Available via API: /smart_upload_import endpoint |
Product Hierarchy and organization
Each of these methods can create Product Hierarchy on the spot. Product Hierarchy refers to DefectDojo’s Product Types, Products, Engagements or Tests: objects in DefectDojo which help organize your data into relevant context.
- Vulnerability data can be imported into an existing Product Hierarchy. Product Types, Products, Engagements and Tests can all be created in advance, and then data can be imported to that location in DefectDojo.
- The contextual Product Hierarchy can be created at the time of import. When importing a report, you can create a new Product Type, Product, Engagement and/or Test. This is handled by DefectDojo through the ‘auto-create context’ option.
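The API route with ‘auto-create context’ is what most teams automate from a CI pipeline. The script below is an added example, not part of the DefectDojo documentation or code base: it posts a report to the `/api/v2/import-scan/` endpoint using only the Python standard library, naming the Product Type, Product and Engagement so that DefectDojo creates them on the spot if they are missing. The URL, API key, report path and hierarchy names are placeholders.

```python
import json
import urllib.request
import uuid
from pathlib import Path

# Placeholders: point these at your own DefectDojo instance and API key.
DOJO_URL = "https://defectdojo.example.com"
API_KEY = "REPLACE_WITH_API_KEY"


def build_import_fields(scan_type, product_type, product, engagement,
                        auto_create_context=True, minimum_severity="Low"):
    # Form fields for POST /api/v2/import-scan/. With auto_create_context the
    # named Product Type, Product and Engagement are created on the spot if
    # they do not exist, so the pipeline needs no pre-built Product Hierarchy.
    return {
        "scan_type": scan_type,
        "product_type_name": product_type,
        "product_name": product,
        "engagement_name": engagement,
        "auto_create_context": "true" if auto_create_context else "false",
        "minimum_severity": minimum_severity,
        "active": "true",
        "verified": "false",
    }


def encode_multipart(fields, filename, file_bytes):
    # Encode the text fields plus the report file as multipart/form-data,
    # which is what the import-scan endpoint expects.
    boundary = uuid.uuid4().hex
    body = b""
    for name, value in fields.items():
        body += (f"--{boundary}\r\nContent-Disposition: form-data; "
                 f'name="{name}"\r\n\r\n{value}\r\n').encode()
    body += (f"--{boundary}\r\nContent-Disposition: form-data; "
             f'name="file"; filename="{filename}"\r\n'
             "Content-Type: application/octet-stream\r\n\r\n").encode()
    body += file_bytes + b"\r\n" + f"--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body


def import_scan(report_path, fields):
    # POST the report; the JSON response carries the id of the created Test.
    content_type, body = encode_multipart(
        fields, Path(report_path).name, Path(report_path).read_bytes())
    req = urllib.request.Request(
        f"{DOJO_URL}/api/v2/import-scan/", data=body, method="POST",
        headers={"Authorization": f"Token {API_KEY}",
                 "Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)
```

Call it as `import_scan("nmap-output.xml", build_import_fields("Nmap Scan", "Infrastructure", "Web Tier", "Weekly scan"))`; to update an existing Test on later runs instead of creating a new one each time, post the same fields to `/api/v2/reimport-scan/`.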
Using Import Methods (Pro UI)
In DefectDojo Pro, all of these methods can be accessed from the Import section of the sidebar.
The Pro UI allows you to create Product Types, Products and Engagements directly from the Import Scan form, so these objects do not need to exist before you import.
Using Import Methods (Classic UI / Open Source)
In DefectDojo OS, you can access the Import Scan Form from two locations:
- The Tests section of an Engagement
- The Findings section of the navigation bar on a Product
DefectDojo OS requires you to set up one or more Products / Product Types before you can import data through the UI. See our article on Product Hierarchy for more information.