En

Integrators Tool Reference

Here are specific instructions detailing how to set up a DefectDojo Integration with a third party Issue Tracker.

Azure DevOps Boards

Instance Setup

  • Label should be the label that you want to use to identify this integration.
  • Location should be set to your Azure URL - for example https://dev.azure.com/{your organization}
  • Token should be set to a personal access token from Azure.

Authentication with Azure DevOps requires a personal access token with permissions set to “Read, Write and Manage” for “Work Items” for the Azure Project that you wish to work with.

Issue Tracker Mapping

These details dictate how DefectDojo will map Finding or Finding Group attributes to a given Project in Azure DevOps:

Issue Tracker Mapping Details

The Project ID field corresponds to the name or the ID of the Project in Azure.

Severity Mapping Details

The attributes in the form are supplied as defaults, and are as follows:

  • Severity Field Name: /fields/Microsoft.VSTS.Common.Priority
  • Info Mapping: 4
  • Low Mapping: 4
  • Medium Mapping: 3
  • High Mapping: 2
  • Critical Mapping: 1

Status Mapping Details

The attributes in the form are supplied as defaults and are as follows:

  • Status Field Name: /fields/System.State
  • Active Mapping: To Do
  • Closed Mapping: Done
  • False Positive Mapping: Done
  • Risk Accepted Mapping: Done

GitHub

The GitHub integration allows you to add issues to a GitHub Project, which also open Issues in an associated Repo. These Repos/Projects can be associated with either a GitHub Organization or a personal GitHub account.

Instance Setup

  • Label should be the label that you want to use to identify this integration.
  • Location should be set to your GitHub User or Organization URL, depending on where you wish to create issues. for example https://github.com/{your-organization}
  • Token should be set to a personal access token from GitHub.

Personal access tokens for GitHub can be created at https://github.com/settings/tokens. The token must have Repo and Project scopes.

Issue Tracker Mapping

  • Issue Tracker Mapping Label should be set to identify the Project or Repo that you wish to create Issues in.
  • Project Number should be the ID of a GitHub project that you want to send items to. You can get this from the URL while looking at a Project, for example https://github.com/orgs/{your-org}/projects/{project number}.
  • Repository Name should be the name of a repo associated with your organization (or user) that you want to push Issues to.

Severity Mapping Details

In order to set up the integration, the Project MUST have a custom field created to represent Issue Priority, otherwise Severity will not be mapped correctly and Issues will not push to GitHub.

Follow this guide to create a custom field. Each Severity will need to have a corresponding single-select option available. For example, out of the box DefectDojo suggests P0, P1, P2, P3, P4 as possible Priority values, and each of those will need to be added to the Priority custom field.

  • Severity Field Name: Priority
  • Info Mapping: P0
  • Low Mapping: P1
  • Medium Mapping: P2
  • High Mapping: P3
  • Critical Mapping: P4

Status Mapping Details

By default, new GitHub Projects will have Statuses for Issues of “In Progress” and “Done”. Additional statuses can be added to the Project to track False Positive or Risk Accepted status if you wish. One of the ways this can be done is by adding a new Status Column to the Project Board.

  • Status Field Name: Status
  • Active Mapping: In Progress
  • Closed Mapping: Done
  • False Positive Mapping: Done
  • Risk Accepted Mapping: Done

GitLab

The GitLab integration allows you to add issues to a GitLab Project.

Instance Setup

  • Label should be the label that you want to use to identify this integration.
  • Location should be set to the link to your GitLab server, for example https://gitlab.com/.
  • Token should be set to a personal access token from GitLab. The token must have API scopes. See GitLab’s guide to creating a personal access token.

Issue Tracker Mapping

  • Project Name: The name of the project in GitLab that you want to send issues to.

Severity Mapping Details

This maps to the GitLab Priority field.

  • Severity Field Name: Priority
  • Info Mapping: 1
  • Low Mapping: 2
  • Medium Mapping: 3
  • High Mapping: 4
  • Critical Mapping: 5

Status Mapping Details

By default, GitLab has statuses of ‘opened’ and ‘closed’. Additional status labels can be added if you want to track False Positive or Risk Accepted status. See GitLab Docs for details.

  • Status Field Name: Status
  • Active Mapping: opened
  • Closed Mapping: closed
  • False Positive Mapping: closed
  • Risk Accepted Mapping: closed

ServiceNow

The ServiceNow Integration allows you to push DefectDojo Findings as ServiceNow Incidents.

Instance Setup

Your ServiceNow instance will require you to obtain a Refresh Token, associated with the User or Service account that will push Incidents to ServiceNow.

You’ll need to start by creating an OAuth registration on your ServiceNow instance for DefectDojo:

  1. In the left-hand navigation bar, search for β€œApplication Registry” and select it.
  2. Click β€œNew”.
  3. Choose β€œCreate an OAuth API endpoint for external clients”.
  4. Fill in the required fields:
    • Name: Provide a meaningful name for your application (e.g., Vulnerability Integration Client).
    • (Optional) Adjust the Token Lifespan:
    • Access Token Lifespan: Default is 1800 seconds (30 minutes).
    • Refresh Token Lifespan: The default is 8640000 seconds (approximately 100 days).
  5. Click Submit to create the application record.
  6. After submission, select the application from the list and take note of the Client ID and Client Secret fields.

You will then need to use this registration to obtain a Refresh Token, which can only be obtained through the ServiceNow API. Open a terminal window and paste the following (substituting the variables wrapped in {{}} with your user’s actual information)

curl --request POST \
 --url {{INSTANCE_HOST}}/oauth_token.do \
 --header 'content-type: application/x-www-form-urlencoded' \
 --data grant_type=password \
 --data 'client_id={{CLIENT_ID}}' \
 --data 'client_secret={{CLIENT_SECRET}}' \
 --data 'username={{USERNAME}}' \
 --data 'password={{PASSWORD}}'

If your ServiceNow credentials are correct, and allow for admin level-access to ServiceNow, you should receive a response with a RefreshToken. You’ll need that token to complete integration with DefectDojo.

  • Instance Label should be the label that you want to use to identify this integration.
  • Location should be set to the URL for your ServiceNow server, for example https://your-organization.service-now.com/.
  • Refresh Token is where the Refresh Token should be entered.
  • Client ID should be the Client ID set in the OAuth App Registration.
  • Client ID should be the Client Secret set in the OAuth App Registration.

Severity Mapping Details

This maps to the ServiceNow Impact field.

  • Info Mapping: 1
  • Low Mapping: 1
  • Medium Mapping: 2
  • High Mapping: 3
  • Critical Mapping: 3

Status Mapping Details

  • Status Field Name: State
  • Active Mapping: New
  • Closed Mapping: Closed
  • False Positive Mapping: Resolved
  • Risk Accepted Mapping: Resolved
Prev
Integrations Guide (Pro)
Next
Introduction to Findings