En

Supported Report Types

DefectDojo can parse data from 180+ security reports and counting.

DefectDojo Pro Methods

DefectDojo Pro users have enhanced methods of import available for certain tools.

Connectors allow you to automatically import and sync vulnerabilities from certain tools.

Smart Upload allows you to split infrastructure-wide scan files up by component or endpoint, and easily combine those results with other Findings from the same location.

Connectors: supported toolsSmart Upload: supported tools
AWS Security Hub, BurpSuite, Checkmarx ONE, Dependency-Track, Probely, Semgrep, SonarQube, Snyk, TenableNexpose, NMap, OpenVas, Qualys, Tenable

All Supported Tools

All of these listed reports can be ingested via Import/Reimport methods. This means that they can be imported to both Open-Source and Pro instances using the UI or API.

If your tool is not in this list, there’s a good chance that DefectDojo can still import a report from the tool. Consider the Generic Findings Import method.

DefectDojo Pro users can import any JSON or CSV report using the Universal Parser.

Acunetix Scanner →
Anchore Enterprise Policy Check →
Anchore Grype →
Anchore-Engine →
AnchoreCTL Policies Report →
AnchoreCTL Vuln Report →
AppCheck Web Application Scanner →
AppSpider (Rapid7) →
Aqua →
Arachni Scanner →
AuditJS (OSSIndex) →
AWS Inspector2 Scanner →
AWS Prowler Scanner →
AWS Prowler V3 →
AWS Security Finding Format (ASFF) →
AWS Security Hub →
Azure Security Center Recommendations Scan →
Bandit →
Bearer CLI →
Blackduck API →
Blackduck Binary Analysis →
Blackduck Component Risk →
Blackduck Hub →
Brakeman Scan →
Bugcrowd →
Bugcrowd API →
Bundler-Audit →
Burp Dastardly →
Burp Enterprise Scan →
Burp GraphQL →
Burp REST API →
Burp XML →
CargoAudit Scan →
Checkmarx →
Checkmarx CxFlow SAST →
Checkmarx One Scan →
Checkov Report →
Chef Inspect Log →
Clair Scan →
Cloudsploit (AquaSecurity) →
Cobalt.io API Import →
Cobalt.io Scan →
Codechecker Report Native →
CodeQL →
Contrast Scanner →
Coverity API →
Coverity Scan JSON Report →
Crashtest Security →
CredScan Report →
Crunch42 Scan →
CycloneDX →
DawnScanner →
Deepfence Threatmapper →
Dependency Check →
Dependency Track →
Detect-Secrets →
Docker-Bench-Security Scanner →
Dockle Report →
DrHeader →
DSOP Scan →
Edgescan →
Edgescan →
ESLint →
Fortify →
Generic Findings Import →
Generic Findings Import →
Ggshield →
Github Vulnerability →
GitLab API Fuzzing Report Scan →
GitLab Container Scan →
GitLab DAST Report →
GitLab Dependency Scanning Report →
GitLab SAST Report →
GitLab Secret Detection Report →
Gitleaks →
Google Cloud Artifact Vulnerability Scan →
Gosec Scanner →
Govulncheck →
HackerOne Cases →
Hadolint →
Harbor Vulnerability →
HCL Appscan →
HCL AppScan on Cloud SAST →
Horusec →
Humble Report →
HuskyCI Report →
Hydra →
IBM AppScan DAST →
Immuniweb Scan →
IntSights Report →
Invicti →
JFrog Xray API Summary Artifact Scan →
JFrog Xray on Demand Binary Scan →
JFrog XRay Unified →
JFrogXRay →
KICS Scanner →
Kiuwan Scanner (SAST) →
Kiuwan Scanner (SCA I.e. "Insights") →
KrakenD Audit Scan →
Kube-Bench Scanner →
Kubeaudit Scan →
KubeHunter Scanner →
Kubescape Scanner →
Legitify →
Mend Scan →
Meterian Scanner →
Microfocus Webinspect Scanner →
MobSF Scanner →
MobSF Scorecard Scanner →
Mobsfscan →
Mozilla Observatory Scanner →
MS Defender Parser →
Nancy Scan →
Netsparker →
NeuVector (Compliance) →
NeuVector (REST) →
Nexpose XML 2.0 (Rapid7) →
Nikto →
Nmap →
Node Security Platform →
Nosey Parker →
NPM Audit →
NPM Audit Version 7+ →
Nuclei →
Openscap Vulnerability Scan →
OpenVAS Parser →
ORT Evaluated Model Importer →
OssIndex Devaudit →
OSV Scanner →
Outpost24 Scan →
PHP Security Audit V2 →
PHP Symfony Security Checker →
Pip-Audit Scan →
PMD Scan →
Popeye →
Progpilot →
PTART Reports →
PWN Security Automation Framework →
Qualys Hacker Guardian Scan →
Qualys Infrastructure Scan (WebGUI XML) →
Qualys Scan →
Qualys Webapp Scan →
Rapplex Scan →
Red Hat Satellite →
Retire.js →
Risk Recon API Importer →
Rubocop Scan →
Rusty Hog Parser →
SARIF →
Scantist Scan →
ScoutSuite →
Semgrep JSON Report →
SKF Scan →
Snyk →
Snyk Code →
Solar Appscreener Scan →
SonarQube →
SonarQube API Import →
Sonatype →
SpotBugs →
SSH Audit →
SSL Labs →
Sslscan →
Sslyze Scan →
StackHawk HawkScan →
Sysdig Vulnerability Reports →
Talisman →
Tenable →
Terrascan →
Testssl Scan →
TFSec →
Threagile →
Threat Composer →
Trivy →
Trivy Operator →
Trufflehog →
Trufflehog3 →
Trustwave →
Trustwave Fusion API Scan →
Twistlock →
Veracode →
Veracode SourceClear →
Visual Code Grepper (VCG) →
Vulners →
Wapiti Scan →
Wazuh Scanner →
Wfuzz JSON Importer →
Whispers →
WhiteHat Sentinel →
Wiz Scanner →
Wiz-Cli Dir Scanner →
Wiz-Cli IaC Scanner →
Wiz-Cli Img Scanner →
Wpscan Scanner →
Xanitizer →
Yarn Audit →
Zed Attack Proxy →