DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
git clone https://github.com/DefectDojo/django-DefectDojo
cd django-DefectDojo
# building
docker-compose build
# running
docker-compose up
# obtain admin credentials. the initializer can take up to 3 minutes to run
# use docker-compose logs -f initializer to track progress
docker-compose logs initializer | grep "Admin password:"Navigate to http://localhost:8080.
Alternatively, try out the demo sever at demo.defectdojo.org
Log in with admin / defectdojo@demo#appsec and please note that the demo server is refreshed regularly.
For detailed documentation you can visit Github Pages.
** Now EOL'ed **
We recommend checking out the about document to learn the terminology of DefectDojo and the getting started guide for setting up a new installation. We've also created some example workflows that should give you an idea of how to use DefectDojo for your own team.
** Deprecation notice ** apiv1 is deprecated and EOS is on 12-31-2020. EOL is planned for 06-30-2021. Please move on to apiv2 and raise issues for any unsupported operations.
Defectdojo can be accessed through a Swagger REST API. Please see the API documentation or the in-app Swagger documentation.
This section presents different ways to programmatically interact with DefectDojo APIs.
See Wrappers
A magical, illusionary, non-existent, YMMV, wannabe, no guarantees list of thing we may or may not be working on:
- New permission model (underway)
- Push groups of findings to a single JIRA ticket (experimental now in!)
- Reimport matching improvements
To manage expectations, we call this the wishlist. These are items we want to do, are discussing or pondering our minds:
- New modern UI / SPA
- New dashboarding / statistics
- New search engine
- Adopt a plugin framework to allow plugins for issue trackers, parsers, reports, etc
- More flexible model
Please come to our Slack channel first, where we can try to help you or point you in the right direction:
Realtime discussion is done in the OWASP Slack Channel, #defectdojo. Get Access.
DefectDojo Twitter Account tweets project updates and changes.
Engagement Surveys – A plugin that adds answerable surveys to engagements.
DefectDojo is maintained by:
Project Moderators can help you with pull requests or feedback on dev ideas.
- Alex Dracea
- Valentijn Scholten (@valentijnscholten) (github | sponsor | linkedin)
- Jannik Jürgens
- Fred Blaise
- Saurabh kumar
- Cody Maffucci
- Pascal Trovatelli / Sopra Steria
- Damien Carol
- Charles Neill (@ccneill) – Charles served as a DefectDojo Maintainer for years and wrote some of Dojo's core functionality.
- Jay Paz (@jjpaz) – Jay was a DefectDojo maintainer for years. He performed Dojo's first UI overhaul, optimized code structure/features, and added numerous enhancements.
We greatly appreciate all of our contributors.
More info: Contributing guideline
We would also like to highlight the contributions from Michael Dong and Fatimah Zohra who contributed to DefectDojo before it was open source.
If you fix an issue with the swag reward tag, we'll send you a shirt and some
stickers!
Proceeds are used for testing, infrastructure, etc.
Interested in becoming a sponsor and having your logo displayed? Please review our sponsorship information or email greg.anderson@owasp.org
DefectDojo is licensed under the BSD Simplified license https://raw.githubusercontent.com/DefectDojo/django-DefectDojo/dev/docs/static/images/DD-Hierarchy.png