Video tutorial coming soon.
Centralize your security findings from OpenVAS, Trivy, Nessus, and 150+ other scanners. Track vulnerabilities from discovery to remediation in one place.
Grab the automated bash script from GitHub to follow along with the video.
```bash
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/security/defectdojo/defectdojo-ubuntu.sh
chmod +x defectdojo-ubuntu.sh
sudo bash defectdojo-ubuntu.sh
```
The script deploys DefectDojo (the Django application), a Celery worker, Redis, and PostgreSQL via Docker Compose. The admin credentials are printed at the end of the run.
Open your browser and navigate to port 8080. Log in with the admin credentials shown by the installer.
http://<your-server-ip>:8080
Create a Product, then a Test, then import a scan report (XML/JSON from Trivy, OpenVAS, Nessus, Burp Suite, etc.) to start tracking findings.
| Port | Purpose |
|---|---|
| 8080 | Web UI |
DefectDojo is an open-source vulnerability management and security orchestration platform used by security teams to aggregate, deduplicate, and track findings from virtually any scanning tool. Instead of drowning in raw scanner output, DefectDojo gives you a structured workflow: import findings, assign severity, track remediation, and measure your security posture over time. It integrates with 150+ security tools out of the box and fits naturally into DevSecOps pipelines via its REST API.
Security scanners generate mountains of data — the same CVE across 50 containers reported as 50 separate findings. DefectDojo deduplicates them, lets you accept risk, assign tickets, and track SLAs. It transforms raw vulnerability noise into an actionable security backlog and gives leadership metrics to prove progress.
DefectDojo listens on port 8080 (HTTP). Block this port from public internet access entirely — route it through a reverse proxy with HTTPS and authentication. The PostgreSQL and Redis ports (5432 and 6379) should never be exposed outside the Docker network.
OpenVAS/Greenbone is a vulnerability scanner, not a management platform — use both together. Wazuh covers endpoint and log monitoring but lacks the multi-scanner aggregation workflow. ThreadFix (commercial) and Dradis are alternatives with different pricing and feature sets. For lightweight needs, a simple spreadsheet or JIRA labels may suffice before you hit the scale where DefectDojo's deduplication becomes essential.
Skip DefectDojo if you run a single scanner on a small homelab — it adds operational overhead that only pays off with multiple tools and teams. If you only need container scanning, Trivy with Harbor's built-in vulnerability UI may be enough. DefectDojo shines at scale: multiple teams, multiple tools, and a need for structured remediation workflows.
PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.
DefectDojo supports 150+ scanner parsers including Trivy, OpenVAS, Nessus, Burp Suite, OWASP ZAP, Checkmarx, Veracode, Snyk, Semgrep, SonarQube, and many more. The full list is in the DefectDojo documentation under 'Supported Tools'. If your scanner outputs SARIF format, DefectDojo can import that generically.
DefectDojo uses a hash-based deduplication algorithm. When you import a finding, it computes a hash from the vulnerability title, CWE, file path, and other attributes. If an identical hash already exists in the same product, the new finding is marked as a duplicate and linked to the original. You can configure the deduplication algorithm per scanner type to tune accuracy.
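To make the deduplication behaviour concrete, here is a small simulation of hash-code deduplication (added example, not DefectDojo's own code). The per-scanner field lists, the product names, and the placeholder CVE title are constructed assumptions; DefectDojo lets you configure the real per-parser lists in its settings.

```python
import hashlib

# Which attributes feed the hash, per scanner type. These lists are assumptions for
# this example; DefectDojo lets you configure the real per-parser lists in its settings.
HASHCODE_FIELDS = {
    "Trivy Scan": ["title", "cwe", "component"],                   # image name is noise for a CVE
    "Semgrep JSON Report": ["title", "cwe", "file_path", "line"],  # for SAST the location matters
}
DEFAULT_FIELDS = ["title", "cwe", "file_path"]

def hash_code(finding, fields):
    """Stable digest over the configured fields; a missing field contributes an empty string."""
    material = "|".join(str(finding.get(name, "")) for name in fields)
    return hashlib.sha256(material.encode()).hexdigest()

def deduplicate(findings):
    """Mark a finding as duplicate when its hash was already seen inside the same product."""
    originals = {}  # (product, hash_code) -> first finding carrying that hash
    for f in findings:
        fields = HASHCODE_FIELDS.get(f["scanner"], DEFAULT_FIELDS)
        key = (f["product"], hash_code(f, fields))
        f["hash_code"] = key[1]
        f["duplicate_of"] = originals[key]["id"] if key in originals else None
        f["duplicate"] = f["duplicate_of"] is not None
        originals.setdefault(key, f)  # only the first occurrence becomes the original
    return findings

def active_count(findings):
    """What the dashboard counts: originals only; duplicates stay linked but are not counted."""
    return sum(1 for f in findings if not f["duplicate"])

def trivy_cve(fid, product, image):
    """Constructed Trivy finding for a placeholder CVE in openssl inside a given image."""
    return {"id": fid, "product": product, "scanner": "Trivy Scan", "cwe": 0,
            "title": "CVE-0000-0001 (placeholder) in openssl", "component": "openssl",
            "file_path": image}

# Constructed sample: one CVE in three images of "webshop", the same CVE in "billing",
# and one Semgrep rule firing at two different lines of the same file.
SAMPLE = [
    trivy_cve(1, "webshop", "webshop/frontend:1.2"),
    trivy_cve(2, "webshop", "webshop/api:1.2"),
    trivy_cve(3, "webshop", "webshop/worker:1.2"),
    trivy_cve(4, "billing", "billing/app:3.0"),
    {"id": 5, "product": "webshop", "scanner": "Semgrep JSON Report", "title": "sql-injection", "cwe": 89, "file_path": "app/db.py", "line": 42},
    {"id": 6, "product": "webshop", "scanner": "Semgrep JSON Report", "title": "sql-injection", "cwe": 89, "file_path": "app/db.py", "line": 77},
]
```

Running `active_count(deduplicate(SAMPLE))` collapses the six imported findings to four active ones: the three Trivy hits in "webshop" become one original plus two linked duplicates, the "billing" copy stays separate because deduplication is scoped per product, and the two Semgrep hits stay separate because their line numbers differ.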
Yes — DefectDojo has a full REST API. You can use `curl` or the `defectdojo-cli` Python package to upload scan results from Woodpecker CI, Gitea Actions, GitLab CI, or any pipeline. The typical flow is: run scanner → save report file → POST to `/api/v2/import-scan/` with your API token, product ID, and engagement ID.
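The pipeline step described above as a standard-library-only Python script, so it runs in a bare CI container (added example, not DefectDojo's own client). The `DD_URL`, `DD_TOKEN` and `DD_ENGAGEMENT` environment variable names are assumptions; the form fields are the ones the `/api/v2/import-scan/` endpoint accepts.

```python
import json
import os
import urllib.request
import uuid

def build_import_fields(scan_type, engagement_id, minimum_severity="Low", close_old=True):
    """Form fields import-scan expects; booleans travel as the strings 'true'/'false'."""
    return {
        "scan_type": scan_type,                # parser name as listed under Supported Tools, e.g. "Trivy Scan"
        "engagement": str(engagement_id),      # id of the product's CI/CD engagement
        "minimum_severity": minimum_severity,  # keep Info-level noise out of the backlog
        "active": "true",
        "verified": "false",                   # a human verifies before it counts as confirmed
        "close_old_findings": "true" if close_old else "false",  # auto-close what this scan no longer reports
    }

def encode_multipart(fields, filename, content, boundary=None):
    """Hand-rolled multipart/form-data body (what `curl -F` builds); the report goes in field 'file'."""
    boundary = boundary or uuid.uuid4().hex
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
             for name, value in fields.items()]
    parts.append((f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"'
                  f'\r\nContent-Type: application/octet-stream\r\n\r\n').encode() + content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)

def import_scan(report_path, scan_type, engagement_id, base_url=None, token=None):
    """POST the report to /api/v2/import-scan/ and return the decoded JSON response."""
    base_url = (base_url or os.environ["DD_URL"]).rstrip("/")   # e.g. https://dojo.internal (via the reverse proxy)
    token = token or os.environ["DD_TOKEN"]                      # API v2 token of a CI service user
    with open(report_path, "rb") as fh:
        content = fh.read()
    content_type, body = encode_multipart(build_import_fields(scan_type, engagement_id),
                                          os.path.basename(report_path), content)
    req = urllib.request.Request(f"{base_url}/api/v2/import-scan/", data=body, method="POST",
                                 headers={"Authorization": f"Token {token}", "Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=120) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # e.g. after `trivy image --format json --output trivy.json myimage:tag` in the pipeline
    print(import_scan("trivy.json", "Trivy Scan", int(os.environ["DD_ENGAGEMENT"])))
```

Give the CI service user only the Writer role on the products it imports into, and keep the token in the pipeline's secret store rather than in the repository.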
Go to Configuration → Users → Add User. You can assign roles per product: Owner, Manager, Writer, or Reader. DefectDojo also supports SSO via LDAP, SAML, or OAuth2 (Google/Azure/Okta) — configure this under Configuration → Authentication in the admin panel.
An Engagement is a container for a specific scanning activity — a pentest, a sprint security review, or a CI/CD automated scan. It belongs to a Product and lets you organize findings by time period and purpose. Without engagements, all findings pile into an unstructured list. Most teams create one 'CI/CD' engagement per product for continuous scans and separate engagements for manual pentests.
Open the finding and click 'Risk Accept'. You set an expiry date and a justification note. The finding moves to the Risk Accepted state and stops counting against your open vulnerability metrics. Risk acceptances expire automatically, forcing periodic review. An audit trail is maintained for compliance purposes.
Yes. Configure JIRA integration under Configuration → Tool Configurations → JIRA. Set your JIRA URL, project key, and API token. Then enable 'Push All Issues' on an Engagement or individual findings to push/update tickets. DefectDojo syncs status bidirectionally — closing the JIRA ticket can optionally close the finding.
Backup: `docker exec defectdojo_db pg_dump -U defectdojo defectdojo > defectdojo_backup.sql` and copy your `.env` file. Restore: create a fresh DefectDojo deployment, then run `docker exec -i defectdojo_db psql -U defectdojo defectdojo < defectdojo_backup.sql`. Also backup the Django media volume if you store uploaded scan files.