DefectDojo

Category: ASPM
License: Free (Open-Source)

DefectDojo is the most popular open-source Application Security Posture Management (ASPM) platform with 38M+ downloads, 4.5k GitHub stars, and 1.8k forks.

It is an OWASP Flagship Project that aggregates vulnerability findings from 200+ security tools into a single source of truth.

GitHub: DefectDojo/django-DefectDojo | Latest Release: v2.55.1 (February 2026)

Key Features

200+ Tool Integrations

DefectDojo parses results from 200+ security tools:

SAST:

  • Bandit, Semgrep, SonarQube
  • Checkmarx, Fortify, Veracode
  • CodeQL, Snyk Code

DAST:

  • OWASP ZAP, Burp Suite
  • Acunetix, Nessus
  • Nuclei, Nikto

SCA:

  • OWASP Dependency-Check
  • Snyk, npm audit
  • Trivy, Grype

Infrastructure:

  • Trivy, Checkov, KICS
  • AWS Inspector, ScoutSuite

Deduplication Engine

DefectDojo automatically deduplicates findings:

Before: 500 findings from 5 tools
After:  150 unique vulnerabilities

Deduplication is based on:

  • Vulnerability type and CWE
  • File path and line number
  • Endpoint and parameter
  • Custom hash algorithms

Risk-Based Prioritization

Calculate risk scores using:

  • CVSS severity
  • Business criticality
  • Exposure level
  • Age of vulnerability

CI/CD Integration

Integrate DefectDojo into pipelines:

# Upload findings from CI/CD
curl -X POST "https://defectdojo.example.com/api/v2/import-scan/" \
  -H "Authorization: Token $DD_TOKEN" \
  -F "scan_type=ZAP Scan" \
  -F "file=@zap-report.xml" \
  -F "product_name=My App"

Installation

git clone https://github.com/DefectDojo/django-DefectDojo.git
cd django-DefectDojo
./dc-build.sh
./dc-up.sh

Kubernetes

helm repo add defectdojo https://defectdojo.github.io/django-DefectDojo
helm install defectdojo defectdojo/defectdojo

Architecture

┌─────────────────────────────────────────────┐
│              DefectDojo                     │
│  ┌─────────────────────────────────────┐   │
│  │         Django Application          │   │
│  └─────────────────────────────────────┘   │
│  ┌──────────┐  ┌──────────┐  ┌─────────┐  │
│  │ Celery   │  │ Postgres │  │  Redis  │  │
│  │ Workers  │  │    DB    │  │  Queue  │  │
│  └──────────┘  └──────────┘  └─────────┘  │
└─────────────────────────────────────────────┘

API Access

DefectDojo provides a comprehensive REST API:

import requests

# List findings. The endpoint is paginated: response.json() holds one page,
# with the findings under "results" and the URL of the next page under "next".
response = requests.get(
    "https://defectdojo.example.com/api/v2/findings/",
    headers={"Authorization": "Token YOUR_TOKEN"},
    timeout=30,
)
response.raise_for_status()
findings = response.json()["results"]
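The snippet above fetches a single page. The following added example (not DefectDojo's own code) walks every page of /api/v2/findings/ by following the "next" links, counts open findings per severity and turns the result into a CI/CD gate. It assumes the v2 list filters `active`, `duplicate` and the `limit`/`offset` pagination parameters; the two response pages are constructed sample data so the code runs offline.

```python
from collections import Counter

SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")

def auth_headers(token):
    """DefectDojo API keys are sent as 'Token <key>', not 'Bearer <key>'."""
    return {"Authorization": f"Token {token}"}

def iter_findings(get_json, base_url, token, **filters):
    """Yield every finding by following the 'next' links of /api/v2/findings/."""
    url = f"{base_url.rstrip('/')}/api/v2/findings/"
    params = {"limit": "100", **filters}   # assumed v2 filter/pagination names
    while url:
        page = get_json(url, auth_headers(token), params)
        yield from page.get("results", [])
        url = page.get("next")   # None once the last page is reached
        params = None            # the 'next' URL already carries the query string

def open_findings_by_severity(get_json, base_url, token):
    """Count active, non-duplicate findings per severity across all pages."""
    findings = iter_findings(get_json, base_url, token, active="true", duplicate="false")
    counts = Counter(f["severity"] for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITIES}

def gate_fails(summary, block_on=("Critical", "High")):
    """Pipeline gate: True when any blocking severity still has open findings."""
    return any(summary.get(s, 0) > 0 for s in block_on)

def requests_get_json(url, headers, params):
    """Live transport for a real instance (requires the 'requests' package)."""
    import requests
    resp = requests.get(url, headers=headers, params=params, timeout=30)
    resp.raise_for_status()
    return resp.json()

# Constructed two-page response in the shape DefectDojo's list endpoints return.
BASE = "https://defectdojo.example.com"
PAGE2 = f"{BASE}/api/v2/findings/?limit=100&offset=100&active=true&duplicate=false"
SAMPLE_PAGES = {
    f"{BASE}/api/v2/findings/": {"count": 3, "next": PAGE2, "results": [
        {"id": 1, "title": "SQL Injection", "severity": "High"},
        {"id": 2, "title": "Missing HSTS header", "severity": "Low"}]},
    PAGE2: {"count": 3, "next": None, "results": [
        {"id": 3, "title": "Outdated jQuery", "severity": "Medium"}]},
}

def sample_get_json(url, headers, params=None):
    """Offline transport that serves the constructed pages above."""
    assert headers["Authorization"].startswith("Token ")
    return SAMPLE_PAGES[url]
```

Pass `requests_get_json` instead of `sample_get_json` to run the same summary against a live instance.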

Key Workflows

Import Scans

  1. Create a Product (represents an application)
  2. Create an Engagement (testing session)
  3. Import scan results
  4. Review and triage findings

Remediation Tracking

  • Assign findings to developers
  • Track remediation status
  • Verify fixes through re-testing
  • Close resolved findings

Reporting

Generate reports for:

  • Executive summaries
  • Developer remediation lists
  • Compliance evidence
  • Trend analysis

When to Use DefectDojo

Best For                              | Consider Alternatives If
--------------------------------------|---------------------------
Open-source ASPM requirement          | Need managed SaaS solution
Multiple security tools to aggregate  | Only using 1-2 scanners
Limited budget                        | Need vendor support SLA
Comfortable with self-hosting         | No DevOps capacity