Skip to main content

๐Ÿ™ DefectDojo Integration

vet supports integration with DefectDojo to track and manage vulnerabilities. You can export vulnerabilities, policy violations and other findings to DefectDojo. Each scans are reported as a new engagement in DefectDojo.

Prerequisitesโ€‹

  • Docker
  • Docker Compose
  • DefectDojo instance
  • vet

Follow quickstart to install vet if you don't have it yet.

๐Ÿš€ Getting Startedโ€‹

For this example, we will setup DefectDojo instance using Docker Compose. We will scan demo-client-python repository with vet and report findings to DefectDojo.

๐Ÿ”ง Setup DefectDojoโ€‹

git clone https://github.com/DefectDojo/django-DefectDojo.git --depth 1
  • Switch to the repository directory.
cd django-DefectDojo
  • Run docker compose up -d to start DefectDojo.
docker compose up -d
info

This will take a while to start up because it will build the images and download the dependencies.

  • Get the admin password from the logs.
docker compose logs initializer | grep "Admin password:"
info

This will take a while as well because the initializer container will run the migrations and create the initial data.

  • Navigate to http://localhost:8080 and login with the credentials admin and the password you got from the logs.

DefectDojo Login

  • Create a new product called demo-client-python and note down the product ID

DefectDojo Add Product

DefectDojo Observe Product ID

  • Navigate to http://localhost:8080/api/key-v2 to get the API key.

  • Set the API key as environment variable for use by vet

export DEFECT_DOJO_APIV2_KEY=<your-api-key>

๐Ÿ”ฅ Scan using vetโ€‹

  • Run vet with the following command to scan an intentionally vulnerable demo-client-python repository.
vet scan --github https://github.com/safedep/demo-client-python \
  --filter-suite /path/to/your/policy-suite.yml \
  --report-defect-dojo \
  --defect-dojo-host-url http://localhost:8080/ \
  --defect-dojo-product-id <your-product-id>
  • vet will create a new engagement in DefectDojo
  • vet will report the policy violations as new findings in DefectDojo. Learn more about queries and policy as code

Note: vet currently reports only policy violations to DefectDojo. Feature enhancement to report vulnerabilities and malicious package information is planned at https://github.com/safedep/vet/issues/430.