DefectDojo

Category: ASPM
License: Free (Open-Source)
Suphi Cankurt
+8 Years in AppSec
Updated February 2, 2026
6 min read
Key Takeaways
  • DefectDojo parses results from 200+ security tools (SAST, DAST, SCA, infrastructure) into a unified vulnerability management platform.
  • OWASP Flagship Project with 4.5k GitHub stars, 487 contributors, 45M+ downloads, and 10,000+ organizations using it.
  • Intelligent deduplication engine reduces alert noise by correlating findings across different scanners targeting the same codebase.
  • Open-source under BSD 3-Clause license with DefectDojo Sensei for AI-driven triage and compliance reporting (ISO-27001, PCI-DSS).

DefectDojo is a widely adopted open-source ASPM platform, with 45M+ downloads, 4.5k GitHub stars, 487 contributors, and 10K+ organizations using it. It is an OWASP Flagship Project that aggregates vulnerability findings from 200+ security tools into a single source of truth.

[Figure: DefectDojo platform dashboard showing vulnerability management overview]

The project runs on Django with PostgreSQL, Celery, and Redis. Latest release is v2.55.1 (February 2026). Licensed under BSD 3-Clause.

GitHub: DefectDojo/django-DefectDojo

What is DefectDojo?

DefectDojo sits between your security scanners and your remediation workflow.

It ingests scan results, deduplicates findings, assigns risk scores, and tracks remediation, all without requiring you to replace your existing tools.

200+ tool parsers

Import results from SAST, DAST, SCA, infrastructure, and container scanners. Bandit, Semgrep, ZAP, Burp Suite, Trivy, Checkov: if it produces a report, DefectDojo probably parses it.

Deduplication engine

Same vulnerability found by multiple scanners shows up once. Deduplication uses CWE, file path, endpoint, and custom hash algorithms. 500 findings from 5 tools typically become ~150 unique issues.

Open source

BSD 3-Clause license with 487 contributors and 278 releases. Self-host on Docker, Kubernetes, or bare metal. No vendor lock-in.

A commercial Pro edition adds DefectDojo Sensei (the AI triage module), advanced reporting, and enterprise support. The community edition is fully functional for most teams.

[Figure: DefectDojo Pro edition with AI-powered insights and advanced reporting]

What are DefectDojo’s key features?

200+ tool integrations

DefectDojo parses results from tools across every security category:

  • SAST: Bandit, Semgrep, SonarQube, Checkmarx, Fortify, Veracode, CodeQL, Snyk Code
  • DAST: OWASP ZAP, Burp Suite, Acunetix, Nessus, Nuclei, Nikto
  • SCA: OWASP Dependency-Check, Snyk, npm audit, Trivy, Grype
  • Infrastructure: Trivy, Checkov, KICS, AWS Inspector, ScoutSuite
  • Containers: Trivy, Grype, Docker Scout

Import methods

Upload scan files through the web UI, push them via the REST API from CI/CD pipelines, or use the reimport endpoint to update existing test results without creating duplicates.

Deduplication engine

DefectDojo automatically deduplicates findings based on:

  • Vulnerability type and CWE classification
  • File path and line number
  • Endpoint and parameter
  • Custom hash algorithms for tool-specific matching

A real-world example: 500 raw findings from 5 different scanners typically reduce to about 150 unique vulnerabilities after deduplication.
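To make the matching rule concrete, here is a small re-implementation of the idea in Python. It is an added example, not DefectDojo's own code: DefectDojo does have a per-scanner hash-code field setting that serves the same purpose, but the scanner names, field names, normalisation rules, the SHA-256 choice and the constructed sample findings below are this example's own assumptions. The point it demonstrates is that two scanners reporting the same CWE at the same file and line collapse to one finding, while a DAST finding is keyed on endpoint and parameter instead.

```python
import hashlib
from collections import defaultdict

# Identity fields per scanner (assumption for this example; DefectDojo exposes
# the same concept through a per-scanner hash-code field setting).
DEFAULT_FIELDS = ("cwe", "file_path", "line")
HASHCODE_FIELDS = {
    "Bandit": ("cwe", "file_path", "line"),
    "Semgrep": ("cwe", "file_path", "line"),
    "ZAP Scan": ("cwe", "endpoint", "parameter"),
}


def normalize(name, value):
    """Canonicalise one field so cosmetic differences between tools do not defeat matching."""
    if value is None:
        return ""
    text = str(value).strip().lower()
    if name == "file_path":
        text = text.replace("\\", "/")       # Windows-style separators from some tools
        while text.startswith("./"):         # "./app/views.py" is the same file as "app/views.py"
            text = text[2:]
    if name == "endpoint":
        text = text.rstrip("/")              # a trailing slash is not a different endpoint
    return text


def hash_code(finding):
    """SHA-256 over the scanner's identity fields in a fixed order; equal hash means duplicate."""
    fields = HASHCODE_FIELDS.get(finding["scanner"], DEFAULT_FIELDS)
    material = "|".join(f"{name}={normalize(name, finding.get(name))}" for name in fields)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def deduplicate(findings):
    """Return (unique, duplicates).

    The first finding seen for a given hash is kept (with a 'seen_by' list of
    every scanner that reported it); later matches are returned as duplicates.
    """
    groups = defaultdict(list)
    for finding in findings:
        groups[hash_code(finding)].append(finding)
    unique, duplicates = [], []
    for group in groups.values():
        original = dict(group[0])            # copy so the caller's input is untouched
        original["seen_by"] = sorted({g["scanner"] for g in group})
        unique.append(original)
        duplicates.extend(group[1:])
    return unique, duplicates


# Constructed sample findings (not real scanner output): two SAST tools hit the
# same line, one SAST finding is unique, and ZAP reports the same header issue twice.
SAMPLE_FINDINGS = [
    {"scanner": "Bandit", "title": "subprocess call with shell=True",
     "cwe": 78, "file_path": "app/views.py", "line": 42},
    {"scanner": "Semgrep", "title": "dangerous-subprocess-use",
     "cwe": 78, "file_path": "./app/views.py", "line": 42},
    {"scanner": "Semgrep", "title": "sql-injection",
     "cwe": 89, "file_path": "app/db.py", "line": 17},
    {"scanner": "ZAP Scan", "title": "X-Content-Type-Options header missing",
     "cwe": 693, "endpoint": "https://app.example/login/", "parameter": ""},
    {"scanner": "ZAP Scan", "title": "X-Content-Type-Options header missing",
     "cwe": 693, "endpoint": "https://app.example/login", "parameter": ""},
]


if __name__ == "__main__":
    unique, duplicates = deduplicate(SAMPLE_FINDINGS)
    print(f"{len(SAMPLE_FINDINGS)} raw -> {len(unique)} unique ({len(duplicates)} duplicates)")
    for f in unique:
        print(f"  {f['title']}  seen by {', '.join(f['seen_by'])}")
```

Running it reports 5 raw findings collapsing to 3 unique ones. The normalisation step is where most real-world dedup misses come from: if one tool reports relative paths and another absolute, or one tool appends a trailing slash to endpoints, the hashes diverge and the "same" finding shows up twice, which is exactly the noise the engine is meant to remove.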

[Figure: DefectDojo integrations overview showing 200+ connected security tools]

Risk-based prioritization

Risk scores factor in CVSS severity, business criticality of the affected product, exposure level, and how long the vulnerability has been open. Teams can define custom risk acceptance policies and track exceptions.

CI/CD integration

Push scan results from any pipeline:

# Upload findings from CI/CD
curl -X POST "https://defectdojo.example.com/api/v2/import-scan/" \
  -H "Authorization: Token $DD_TOKEN" \
  -F "scan_type=ZAP Scan" \
  -F "file=@zap-report.xml" \
  -F "product_name=My App" \
  -F "engagement_name=CI/CD Import" \
  -F "auto_create_context=true"

Architecture

DefectDojo runs on four components:

  • Django application: web UI, REST API, business logic
  • PostgreSQL: persistent data storage
  • Celery workers: background tasks (imports, deduplication, notifications)
  • Redis: message queue and caching

How do I get started with DefectDojo?

1. Clone and build: git clone https://github.com/DefectDojo/django-DefectDojo.git && cd django-DefectDojo && docker compose build
2. Start the stack: docker compose up -d launches Django, PostgreSQL, Celery, and Redis. The web UI opens on port 8080.
3. Create a Product: Products represent your applications. Create one in the UI, then create an Engagement (testing session) under it.
4. Import scan results: Upload reports through the web UI or push them via the REST API. DefectDojo auto-deduplicates across tools.

Kubernetes deployment is also supported via Helm:

helm repo add defectdojo https://defectdojo.github.io/django-DefectDojo
helm install defectdojo defectdojo/defectdojo

API access

import requests

response = requests.get(
    "https://defectdojo.example.com/api/v2/findings/",
    headers={"Authorization": "Token YOUR_TOKEN"},
    timeout=30,
)
response.raise_for_status()  # surface 401/403 instead of parsing an error body
page = response.json()       # paginated: {"count", "next", "previous", "results"}
findings = page["results"]
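
As an added example (not the project's or the author's code) that extends the snippet above into something a pipeline could actually use: it walks the paginated findings endpoint by following the `next` links in each response, then applies a gate in the spirit of the CI/CD integration section, failing when any active, non-duplicate, non-risk-accepted finding is at or above a chosen severity. The query parameter names, the finding fields it reads (`severity`, `active`, `duplicate`, `risk_accepted`) and the sample pages are assumptions to check against your own instance's API schema; the fetch function is injectable so the block runs offline against constructed pages.

```python
import json
import urllib.parse
import urllib.request

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def default_fetch(url, headers, params):
    """GET one JSON page with the standard library (swapped for a fake below to run offline)."""
    if params:
        url += ("&" if "?" in url else "?") + urllib.parse.urlencode(params)
    request = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def iter_findings(base_url, token, params=None, fetch=default_fetch):
    """Yield every finding from /api/v2/findings/, following the paginated 'next' links."""
    headers = {"Authorization": f"Token {token}"}
    url = f"{base_url.rstrip('/')}/api/v2/findings/"
    page = fetch(url, headers, params)
    while True:
        yield from page["results"]
        if not page.get("next"):
            break
        page = fetch(page["next"], headers, None)   # 'next' already carries limit/offset


def gate(findings, fail_on="High"):
    """Return (ok, offenders).

    ok is False when any active finding that is neither a duplicate nor
    risk-accepted is at or above the fail_on severity. Skipping duplicates
    keeps the gate consistent with the deduplication DefectDojo already did.
    """
    threshold = SEVERITY_RANK[fail_on]
    offenders = [
        f for f in findings
        if f.get("active") and not f.get("duplicate") and not f.get("risk_accepted")
        and SEVERITY_RANK.get(f.get("severity"), 0) >= threshold
    ]
    return not offenders, offenders


# Constructed sample pages shaped like the paginated list response (assumption:
# count/next/previous/results, as Django REST Framework pagination produces).
SAMPLE_PAGES = {
    "https://defectdojo.example.com/api/v2/findings/": {
        "count": 3,
        "next": "https://defectdojo.example.com/api/v2/findings/?limit=2&offset=2",
        "results": [
            {"id": 1, "title": "SQL injection in /search", "severity": "Critical",
             "active": True, "duplicate": False, "risk_accepted": False},
            {"id": 2, "title": "SQL injection in /search", "severity": "Critical",
             "active": True, "duplicate": True, "risk_accepted": False},
        ],
    },
    "https://defectdojo.example.com/api/v2/findings/?limit=2&offset=2": {
        "count": 3,
        "next": None,
        "results": [
            {"id": 3, "title": "Strict-Transport-Security header missing", "severity": "Low",
             "active": True, "duplicate": False, "risk_accepted": False},
        ],
    },
}


def fake_fetch(url, headers, params):
    """Offline stand-in for default_fetch that serves the constructed pages above."""
    assert headers["Authorization"].startswith("Token ")
    return SAMPLE_PAGES[url]


def run_gate_offline():
    """Exercise the full path (paging + gate) against the constructed pages."""
    findings = list(iter_findings("https://defectdojo.example.com", "dummy-token",
                                  params={"active": "true", "limit": 2}, fetch=fake_fetch))
    return gate(findings, fail_on="High")


if __name__ == "__main__":
    ok, offenders = run_gate_offline()
    print("gate passed" if ok else "gate failed: " + ", ".join(f["title"] for f in offenders))
```

Against the sample pages the gate fails on exactly one finding: the duplicate copy of the SQL injection is ignored, and the Low-severity header finding sits below the threshold. Stopping at the first page is the classic mistake here; a default page size of a few dozen results silently hides everything past it, so always follow `next` until it is null.
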

[Figure: DefectDojo pricing options for open-source and commercial editions]

DefectDojo Open Source vs Pro pricing

DefectDojo is one of the few ASPM platforms with a public pricing page. The community edition is free under the BSD 3-Clause license: fully functional, self-hosted on Docker or Kubernetes, with all 200+ parsers, deduplication, SLA tracking, and the REST API. The trade-off is that you operate the stack (Django + PostgreSQL + Celery + Redis) yourself.

DefectDojo Pro is the SaaS tier with the same parser coverage plus DefectDojo Sensei for automated AI-driven triage, advanced reporting, premium parsers, and enterprise support. The vendor uses a storage-based pricing model that scales with how much data you keep; exact tier rates live on defectdojo.com/pricing and require a sales conversation for larger volumes.

Pick OSS if you have an internal team to run it and care about full data ownership. Pick Pro if you want managed hosting, AI triage, and a support contract attached to the platform.

What are alternatives to DefectDojo?

If DefectDojo does not fit, the following ASPM platforms cover overlapping ground.

  • ArmorCode: better fit if you want commercial enterprise ASPM with 320+ scanner integrations, AI-powered prioritization, and managed SaaS rather than self-hosting.
  • Faraday: better fit if you lean toward offensive security and pentest workflows; Faraday’s Agents Dispatcher and CART continuous testing are stronger on the red-team side.
  • Apiiro: better fit if you want a Gartner ASPM Magic Quadrant Leader with a Risk Graph, AI-prompt guardrails, and pre-commit AppSec coverage. More expensive than DefectDojo Pro.
  • Cycode: better fit if you want both native scanning (SAST/SCA/secrets) and ASPM correlation in one platform rather than aggregation only.
  • Aikido: better fit for SMBs that want all-in-one SaaS scanning plus ASPM with public, transparent pricing.

The full ASPM hub lists every active platform.

DefectDojo FAQ

What are the components of DefectDojo? The data model uses Product Types → Products → Engagements → Tests → Findings → Endpoints. The technical stack is Django + PostgreSQL + Celery + Redis.

How do I set up DefectDojo? The official path is Docker Compose: git clone, docker compose build, docker compose up -d, and the UI lands on port 8080. Helm charts cover Kubernetes. SaaS via DefectDojo Pro removes installation entirely. There is also godojo, a Go-based installer that some teams prefer for VM deployments.

What is the product hierarchy of DefectDojo? Five levels: Product Types (e.g. “Customer-Facing Apps”) group Products (individual applications); each Product has Engagements (testing windows); each Engagement has Tests (one per scan); each Test holds Findings tied to Endpoints. This is what makes deduplication and SLA tracking work cleanly.

What is the EPSS score in DefectDojo? DefectDojo auto-pulls EPSS Score and EPSS Percentile for findings tagged with a CWE that maps to a known CVE. EPSS adds exploit-likelihood data on top of CVSS so prioritization reflects real-world exploitability, not just severity.

Does DefectDojo support SAST and DAST in one place? Yes, that is the entire point. The 200+ parsers cover SAST (Bandit, Semgrep, Checkmarx, Fortify, CodeQL), DAST (ZAP, Burp, Acunetix, Nuclei), SCA, infrastructure, and container categories.

Is DefectDojo really open source? Yes: BSD 3-Clause license, OWASP Flagship Project, source on GitHub with 487 contributors and 278 releases.

When to use DefectDojo

DefectDojo is the default choice when you need open-source vulnerability aggregation. It handles the basics (import, deduplicate, prioritize, track) without licensing costs or vendor dependencies.

If you’re comfortable self-hosting and want full control over your data, it’s hard to beat.

Best for
Teams that need open-source vulnerability aggregation from multiple security scanners, with the flexibility to self-host on Docker or Kubernetes and extend via REST API.

If you want managed SaaS instead of self-hosting, the DefectDojo Pro edition or commercial alternatives like ArmorCode or Seemplicity handle the infrastructure for you. If you only run 1-2 scanners, the aggregation overhead may not be worth it.

Frequently Asked Questions

What is DefectDojo?

DefectDojo is a widely adopted open-source ASPM platform with 45M+ downloads, 4.5k GitHub stars, and 10K+ organizations using it. It is an OWASP Flagship Project that aggregates vulnerability findings from 200+ security tools into a single source of truth with intelligent deduplication.

Is DefectDojo free?

The community edition is free and open-source under the BSD 3-Clause license. DefectDojo also offers a commercial Pro edition with additional features like DefectDojo Sensei (its AI module), advanced reporting, and enterprise support.

How does DefectDojo deduplicate findings?

DefectDojo deduplicates based on vulnerability type and CWE, file path and line number, endpoint and parameter, and custom hash algorithms. A typical result is reducing 500 findings from 5 tools down to around 150 unique vulnerabilities.

How do I install DefectDojo?

The fastest method is Docker Compose: clone the repository, run docker compose build, then docker compose up -d. DefectDojo also supports Kubernetes deployment via Helm charts. The application runs on Django with PostgreSQL, Celery workers, and Redis.

What security tools does DefectDojo support?

DefectDojo parses results from 200+ tools including Semgrep, Bandit, SonarQube, Checkmarx, OWASP ZAP, Burp Suite, Snyk, Trivy, Checkov, AWS Inspector, and many more across SAST, DAST, SCA, and infrastructure security categories.