Video tutorial coming soon.

📋 Deploy DefectDojo — Vulnerability Management Platform

Centralize your security findings from OpenVAS, Trivy, Nessus, and 150+ other scanners. Track vulnerabilities from discovery to remediation in one place.

⚠️ This script is provided for demo and testing purposes only. Not intended for production use.

📦 Resources & Setup Scripts

Grab the automated bash script from GitHub to follow along with the video.

Automated install — one command deploys DefectDojo with Django, Celery, and PostgreSQL.

Quick Install:

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/security/defectdojo/defectdojo-ubuntu.sh
chmod +x defectdojo-ubuntu.sh
sudo bash defectdojo-ubuntu.sh

Tutorial Steps

1. Download the Script

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/security/defectdojo/defectdojo-ubuntu.sh

2. Make it Executable

chmod +x defectdojo-ubuntu.sh

3. Run the Installer

The script deploys DefectDojo with Django, a Celery worker, Redis, and PostgreSQL via Docker Compose. The admin credentials are printed at the end of the run.

sudo bash defectdojo-ubuntu.sh

4. Access the Web UI

Open your browser and navigate to port 8080. Log in with the admin credentials shown by the installer.

http://<your-server-ip>:8080

5. Import Your First Scan

Create a Product, then a Test, then import a scan report (XML/JSON from Trivy, OpenVAS, Nessus, Burp Suite, etc.) to start tracking findings.

Ports Used

Port   Purpose
8080   Web UI

Overview

DefectDojo is an open-source vulnerability management and security orchestration platform used by security teams to aggregate, deduplicate, and track findings from virtually any scanning tool. Instead of drowning in raw scanner output, DefectDojo gives you a structured workflow: import findings, assign severity, track remediation, and measure your security posture over time. It integrates with 150+ security tools out of the box and fits naturally into DevSecOps pipelines via its REST API.

Why Use It

Security scanners generate mountains of data — the same CVE across 50 containers reported as 50 separate findings. DefectDojo deduplicates them, lets you accept risk, assign tickets, and track SLAs. It transforms raw vulnerability noise into an actionable security backlog and gives leadership metrics to prove progress.

Ports and Firewall Notes

DefectDojo listens on port 8080 (HTTP). Block this port from public internet access entirely — route it through a reverse proxy with HTTPS and authentication. The PostgreSQL and Redis ports (5432 and 6379) should never be exposed outside the Docker network.
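One way to verify the rule above on a running deployment, as an added example that is not part of the page's install script: the audit reads what `docker compose ps --format json` reports as published ports and flags PostgreSQL or Redis published to the host at all, and the web UI bound to every interface instead of loopback behind a reverse proxy. The JSON field names (`Service`, `Publishers`, `URL`, `TargetPort`, `PublishedPort`) are assumed from Compose v2 output and the sample output embedded below is constructed; the service names are illustrative.

```python
import json
import subprocess
import sys

# Ports the page says must never leave the Docker network, and the one that
# should only be reachable through an HTTPS reverse proxy.
INTERNAL_ONLY = {5432: "PostgreSQL", 6379: "Redis"}
PROXY_ONLY = {8080: "DefectDojo web UI"}
# Host addresses that mean "listen on every interface".
ALL_INTERFACES = {"", "0.0.0.0", "::"}

# Constructed sample of 'docker compose ps --format json' output (one JSON
# object per line, the shape recent Compose v2 releases print; an assumption).
SAMPLE_PS_OUTPUT = """\
{"Name":"defectdojo-nginx-1","Service":"nginx","State":"running","Publishers":[{"URL":"0.0.0.0","TargetPort":8080,"PublishedPort":8080,"Protocol":"tcp"}]}
{"Name":"defectdojo-postgres-1","Service":"postgres","State":"running","Publishers":[{"URL":"0.0.0.0","TargetPort":5432,"PublishedPort":5432,"Protocol":"tcp"}]}
{"Name":"defectdojo-redis-1","Service":"redis","State":"running","Publishers":[{"URL":"","TargetPort":6379,"PublishedPort":0,"Protocol":"tcp"}]}
"""


def parse_compose_ps(output: str) -> list:
    """Accept either newline-delimited JSON objects or one JSON array, the two
    shapes Compose v2 has used for '--format json' (assumption; check your version)."""
    text = output.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_exposure(containers: list) -> list:
    """Return one human-readable problem per published port that breaks the rules."""
    problems = []
    for c in containers:
        service = c.get("Service") or c.get("Name", "?")
        for pub in c.get("Publishers") or []:
            published = pub.get("PublishedPort") or 0
            if published == 0:
                continue  # container-internal only; not reachable from the host
            target = pub.get("TargetPort")
            host_ip = pub.get("URL") or ""
            shown_ip = host_ip or "0.0.0.0"
            if target in INTERNAL_ONLY:
                problems.append(
                    f"{service}: {INTERNAL_ONLY[target]} port {target} is published on "
                    f"{shown_ip}:{published}; remove the port mapping entirely")
            elif target in PROXY_ONLY and host_ip in ALL_INTERFACES:
                problems.append(
                    f"{service}: {PROXY_ONLY[target]} is published on all interfaces "
                    f"({shown_ip}:{published}); bind it to 127.0.0.1 and put an HTTPS "
                    f"reverse proxy with authentication in front")
    return problems


def run_sample() -> list:
    """Audit the constructed sample; expected: nginx (8080 on 0.0.0.0) and postgres (5432)."""
    return audit_exposure(parse_compose_ps(SAMPLE_PS_OUTPUT))


if __name__ == "__main__":
    if "--sample" in sys.argv:
        output = SAMPLE_PS_OUTPUT
    else:
        # Run from the directory holding the deployment's docker-compose file.
        output = subprocess.run(["docker", "compose", "ps", "--format", "json"],
                                capture_output=True, text=True, check=True).stdout
    issues = audit_exposure(parse_compose_ps(output))
    for line in issues:
        print("PROBLEM:", line)
    sys.exit(1 if issues else 0)
```

Run it with `--sample` to see the two expected problems on the constructed data, or without arguments next to the deployment's compose file; a non-zero exit code makes it usable as a post-install check.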

Alternatives

OpenVAS/Greenbone is a vulnerability scanner, not a management platform — use both together. Wazuh covers endpoint and log monitoring but lacks the multi-scanner aggregation workflow. ThreadFix (commercial) and Dradis are alternatives with different pricing and feature sets. For lightweight needs, a simple spreadsheet or JIRA labels may suffice before you hit the scale where DefectDojo's deduplication becomes essential.

When Not to Use It

Skip DefectDojo if you run a single scanner on a small homelab — it adds operational overhead that only pays off with multiple tools and teams. If you only need container scanning, Trivy with Harbor's built-in vulnerability UI may be enough. DefectDojo shines at scale: multiple teams, multiple tools, and a need for structured remediation workflows.

PrismaTechWork Professional Help

PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.


Frequently Asked Questions

Which scanners does DefectDojo support out of the box?

DefectDojo supports 150+ scanner parsers including Trivy, OpenVAS, Nessus, Burp Suite, OWASP ZAP, Checkmarx, Veracode, Snyk, Semgrep, SonarQube, and many more. The full list is in the DefectDojo documentation under 'Supported Tools'. If your scanner outputs SARIF format, DefectDojo can import that generically.

How does deduplication work?

DefectDojo uses a hash-based deduplication algorithm. When you import a finding, it computes a hash from the vulnerability title, CWE, file path, and other attributes. If an identical hash already exists in the same product, the new finding is marked as a duplicate and linked to the original. You can configure the deduplication algorithm per scanner type to tune accuracy.
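The mechanism described in this answer, as an added example that is not DefectDojo's own code: a simplified model in which each scanner type selects the attributes that feed the hash, the hash is compared only within the same product, and later findings with a matching hash are marked duplicates linked to the first one. The per-scanner field lists (`HASH_FIELDS`) and the sample findings are constructed assumptions; the real lists live in the DefectDojo settings.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified stand-in for the per-scanner deduplication
# configuration: which attributes are hashed for each scan type.
HASH_FIELDS = {
    "Trivy Scan": ("title", "cwe", "file_path"),
    "Nessus Scan": ("title", "cwe", "endpoint"),
    "default": ("title", "cwe", "file_path", "description"),
}


@dataclass
class Finding:
    id: int
    product_id: int
    scan_type: str
    title: str
    cwe: int = 0
    file_path: str = ""
    endpoint: str = ""
    description: str = ""
    duplicate: bool = False
    duplicate_of: Optional[int] = None
    hash_code: str = ""


def compute_hash(f: Finding) -> str:
    """Hash the scanner-specific attribute set. Whitespace and case are
    normalized so cosmetic differences between two reports do not defeat
    deduplication."""
    fields = HASH_FIELDS.get(f.scan_type, HASH_FIELDS["default"])
    parts = [str(getattr(f, name)).strip().lower() for name in fields]
    return hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()


def deduplicate(findings: list) -> list:
    """Within one product the first finding carrying a given hash is the
    original; every later one is marked duplicate and linked to it. The same
    hash in a different product is not a duplicate."""
    originals = {}  # (product_id, hash_code) -> id of the original finding
    for f in sorted(findings, key=lambda x: x.id):
        f.hash_code = compute_hash(f)
        key = (f.product_id, f.hash_code)
        if key in originals:
            f.duplicate = True
            f.duplicate_of = originals[key]
        else:
            originals[key] = f.id
    return findings


def run_sample() -> list:
    """Constructed findings: one library issue reported from two container images
    of the same product, the same issue in a second product, and an unrelated one."""
    sample = [
        Finding(1, 10, "Trivy Scan", "openssl: CVE placeholder A", 327,
                "usr/lib/libssl.so", description="image: api:1.0"),
        Finding(2, 10, "Trivy Scan", "openssl: CVE placeholder A", 327,
                "usr/lib/libssl.so", description="image: worker:1.0"),
        Finding(3, 20, "Trivy Scan", "openssl: CVE placeholder A", 327,
                "usr/lib/libssl.so", description="image: api:1.0"),
        Finding(4, 10, "Trivy Scan", "zlib: CVE placeholder B", 787,
                "usr/lib/libz.so"),
    ]
    return deduplicate(sample)


if __name__ == "__main__":
    for f in run_sample():
        status = f"duplicate of #{f.duplicate_of}" if f.duplicate else "original"
        print(f"#{f.id} product={f.product_id} {f.title!r}: {status}")
```

Because the Trivy field list leaves out `description`, findings 1 and 2 (same CVE, two images) collapse into one original plus one duplicate, which is the "same CVE across 50 containers" case; finding 3 keeps an identical hash but belongs to another product, so it stays an original.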

Can I auto-import scan results from my CI/CD pipeline?

Yes — DefectDojo has a full REST API. You can use `curl` or the `defectdojo-cli` Python package to upload scan results from Woodpecker CI, Gitea Actions, GitLab CI, or any pipeline. The typical flow is: run scanner → save report file → POST to `/api/v2/import-scan/` with your API token, product ID, and engagement ID.
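The "save report file, then POST it" step from this answer and from step 5 of the tutorial, as an added example that is not the project's own client: a standard-library-only uploader that builds the multipart request for `/api/v2/import-scan/` and sends it with token authentication. The form field names (`scan_type`, `engagement`, `minimum_severity`, `active`, `verified`, `file`) and the `Authorization: Token` header are how I know the v2 API; confirm them against your instance's API documentation. The engagement ID identifies the product as well, since every engagement belongs to one. The URL, token variable and report path in the `__main__` block are hypothetical.

```python
import json
import mimetypes
import os
import urllib.request
import uuid


def build_import_scan_request(base_url, api_token, engagement_id, scan_type,
                              report_bytes, filename, minimum_severity="Low",
                              active=True, verified=False):
    """Return (url, headers, body) for a multipart/form-data POST to the
    import-scan endpoint. Kept separate from the network call so the request
    can be inspected or tested without a server."""
    fields = {
        "scan_type": scan_type,          # parser name, e.g. "Trivy Scan"
        "engagement": str(engagement_id),
        "minimum_severity": minimum_severity,
        "active": "true" if active else "false",
        "verified": "true" if verified else "false",
    }
    boundary = "----DefectDojoImport" + uuid.uuid4().hex
    body = bytearray()
    for name, value in fields.items():
        body += (f"--{boundary}\r\n"
                 f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
                 f"{value}\r\n").encode("utf-8")
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    body += (f"--{boundary}\r\n"
             f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
             f"Content-Type: {ctype}\r\n\r\n").encode("utf-8")
    body += report_bytes + b"\r\n"
    body += f"--{boundary}--\r\n".encode("utf-8")
    headers = {
        "Authorization": f"Token {api_token}",
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Accept": "application/json",
    }
    url = base_url.rstrip("/") + "/api/v2/import-scan/"
    return url, headers, bytes(body)


def import_scan(base_url, api_token, engagement_id, scan_type, report_path):
    """Upload one report file and return the decoded JSON response."""
    with open(report_path, "rb") as fh:
        report_bytes = fh.read()
    url, headers, body = build_import_scan_request(
        base_url, api_token, engagement_id, scan_type,
        report_bytes, os.path.basename(report_path))
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=120) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Hypothetical values. The token is read from the environment (a CI secret)
    # so it never lands in the pipeline file or the shell history.
    result = import_scan(
        base_url=os.environ.get("DD_URL", "https://defectdojo.example.internal"),
        api_token=os.environ["DD_API_TOKEN"],
        engagement_id=int(os.environ.get("DD_ENGAGEMENT_ID", "1")),
        scan_type="Trivy Scan",
        report_path="trivy-report.json",
    )
    print(json.dumps(result, indent=2))
```

In a pipeline, run the scanner first, then call this script with `DD_API_TOKEN`, `DD_URL` and `DD_ENGAGEMENT_ID` supplied as CI secrets or variables; the `base_url` should be the HTTPS reverse-proxy address, not the raw port 8080 listener.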

How do I create a new user for a team member?

Go to Configuration → Users → Add User. You can assign roles per product: Owner, Manager, Writer, or Reader. DefectDojo also supports SSO via LDAP, SAML, or OAuth2 (Google/Azure/Okta) — configure this under Configuration → Authentication in the admin panel.

What is an Engagement and why do I need it?

An Engagement is a container for a specific scanning activity — a pentest, a sprint security review, or a CI/CD automated scan. It belongs to a Product and lets you organize findings by time period and purpose. Without engagements, all findings pile into an unstructured list. Most teams create one 'CI/CD' engagement per product for continuous scans and separate engagements for manual pentests.

How do I accept risk for a finding I won't fix?

Open the finding and click 'Risk Accept'. You set an expiry date and a justification note. The finding moves to the Risk Accepted state and stops counting against your open vulnerability metrics. Risk acceptances expire automatically, forcing periodic review. An audit trail is maintained for compliance purposes.

Can DefectDojo create JIRA tickets automatically?

Yes. Configure JIRA integration under Configuration → Tool Configurations → JIRA. Set your JIRA URL, project key, and API token. Then enable 'Push All Issues' on an Engagement or individual findings to push/update tickets. DefectDojo syncs status bidirectionally — closing the JIRA ticket can optionally close the finding.

How do I back up and restore DefectDojo?

Backup: `docker exec defectdojo_db pg_dump -U defectdojo defectdojo > defectdojo_backup.sql` and copy your `.env` file. Restore: create a fresh DefectDojo deployment, then run `docker exec -i defectdojo_db psql -U defectdojo defectdojo < defectdojo_backup.sql`. Also back up the Django media volume if you store uploaded scan files.