DefectDojo Skill

Overview

DefectDojo is an open-source DevSecOps, Application Security Posture Management (ASPM), and vulnerability management platform. It orchestrates end-to-end security testing, vulnerability tracking, deduplication, remediation, and reporting.

Key Capabilities:

• Unified vulnerability management across 200+ security tools
• Automated scan import and deduplication
• CI/CD pipeline integration
• Bidirectional JIRA integration
• Role-based access control
• SLA tracking and reporting
• REST API v2 for automation
• MCP Tools for Claude Code integration

Official Resources:

• Documentation: https://docs.defectdojo.com/
• GitHub: https://github.com/DefectDojo/django-DefectDojo
• Demo: https://demo.defectdojo.org (admin / 1Defectdojo@demo#appsec)

MCP Tools (Primary Interface)

This skill provides 12 MCP tools for direct DefectDojo API interaction. Use these tools instead of manual API calls.

Read Operations

defectdojo_list_products

name_contains

prod_type

limit

defectdojo_get_product

product_id

defectdojo_list_engagements

product_id

status

engagement_type

defectdojo_list_tests

engagement_id

test_type

defectdojo_list_findings

severity

active

product_id

cwe

defectdojo_get_finding

finding_id

defectdojo_get_statistics

product_id

engagement_id

defectdojo_list_endpoints

product_id

host

protocol

defectdojo_list_test_types

name_contains

Write Operations

defectdojo_create_engagement

product_id

name

engagement_type

defectdojo_update_finding

finding_id

active

verified

false_p

defectdojo_close_engagement

engagement_id

Usage Examples

List all critical active findings:

Use defectdojo_list_findings with:
- severity: "Critical"
- active: true

Get vulnerability statistics for a product:

Use defectdojo_get_statistics with:
- product_id: 1

Search for SQL injection findings:

Use defectdojo_list_findings with:
- cwe: 89
- active: true

Mark a finding as false positive:

Use defectdojo_update_finding with:
- finding_id: 123
- false_p: true
- active: false

Create a CI/CD engagement:

Use defectdojo_create_engagement with:
- product_id: 1
- name: "Pipeline Security Scan"
- engagement_type: "CI/CD"

Response Formats

All tools support two output formats via the

response_format

• markdown

  (default) - Human-readable formatted output

• json

  - Raw JSON for programmatic processing

MCP Server Configuration

The MCP server is configured in

.mcp.json

{
  "mcpServers": {
    "defectdojo": {
      "command": "python",
      "args": [".claude/mcp-servers/defectdojo-mcp/defectdojo_mcp.py"],
      "env": {
        "DEFECTDOJO_URL": "https://defectdojo.dev.cafehyna.com.br",
        "DEFECTDOJO_API_TOKEN": "${DEFECTDOJO_API_TOKEN}"
      }
    }
  }
}

Environment Variables:

• DEFECTDOJO_URL

  - Your DefectDojo instance URL

• DEFECTDOJO_API_TOKEN

  - API token from

  /api/key-v2

Data Model (Product Hierarchy)

DefectDojo uses five interconnected data classes to organize security work:

Product Type
    └── Product
        └── Engagement (CI/CD or Interactive)
            └── Test
                └── Finding
                    └── Endpoint

Product Types

The topmost organizational level that categorizes products by business domain, team, or security area. Enables role-based access control at the category level.

Products

Individual applications or systems under security testing. Each product maintains:

• Its own testing history
• Deduplication scope (findings deduplicate within products)
• SLA configuration
• Team assignments

Engagements

Scheduled testing periods containing one or more tests. Two types:

Tests

Individual security scans grouped by tool type. Tests support:

• Reimporting (add findings to existing test)
• Environment tagging
• Version tracking

Findings

Specific vulnerabilities discovered during testing:

Finding States:

• Active / Inactive
• Verified / Unverified
• Duplicate
• Mitigated
• False Positive
• Risk Accepted
• Out of Scope

Endpoints

References to affected hosts, URLs, or systems. Enables vulnerability tracking by infrastructure component.

API v2 Reference

Note: For most operations, use the MCP Tools above instead of direct API calls. Use direct API calls only for scan imports or operations not covered by MCP tools.

Authentication

Generate API token at:

<your-instance>/api/key-v2

# Header format
Authorization: Token <api_key>

Environment Variables:

• DD_API_TOKENS_ENABLED=False

  - Disable API tokens entirely

• DD_API_TOKEN_AUTH_ENDPOINT_ENABLED=False

  - Disable only token auth endpoint

Core Endpoints

/api/v2/import-scan/

/api/v2/reimport-scan/

/api/v2/products/

/api/v2/engagements/

/api/v2/tests/

/api/v2/findings/

/api/v2/endpoints/

/api/v2/users/

Import Scan Parameters

curl -X POST "https://defectdojo.example.com/api/v2/import-scan/" \
  -H "Authorization: Token <api-token>" \
  -F "scan_type=<scanner-type>" \
  -F "file=@results.json" \
  -F "engagement=<engagement-id>" \
  -F "minimum_severity=Info" \
  -F "active=true" \
  -F "verified=false" \
  -F "scan_date=2024-01-15"

Key Parameters:

scan_type

engagement

test_title

minimum_severity

active

verified

scan_date

do_not_reactivate

auto_create_context

Reimport Scan (Deduplication)

curl -X POST "https://defectdojo.example.com/api/v2/reimport-scan/" \
  -H "Authorization: Token <api-token>" \
  -F "scan_type=Trivy Scan" \
  -F "file=@trivy-results.json" \
  -F "test=<test-id>" \
  -F "do_not_reactivate=true"

The reimport endpoint:

• Detects new vs. existing findings
• Updates existing findings
• Closes findings not in the new scan
• Can auto-create context when

  auto_create_context=true

Interactive API Documentation

Access Swagger UI at:

<your-instance>/api/v2/oa3/swagger-ui/

CI/CD Integration

Pipeline Integration Pattern

# GitLab CI Example
stages:
  - security-scan
  - upload-results

trivy-scan:
  stage: security-scan
  script:
    - trivy image --format json -o trivy-results.json $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  artifacts:
    paths:
      - trivy-results.json

upload-to-defectdojo:
  stage: upload-results
  script: |
    curl -X POST "${DEFECTDOJO_URL}/api/v2/reimport-scan/" \
      -H "Authorization: Token ${DEFECTDOJO_API_TOKEN}" \
      -F "scan_type=Trivy Scan" \
      -F "file=@trivy-results.json" \
      -F "product_name=${CI_PROJECT_NAME}" \
      -F "engagement_name=CI/CD-${CI_PIPELINE_ID}" \
      -F "auto_create_context=true" \
      -F "minimum_severity=Low"

Jenkins Integration

Install the DefectDojo Jenkins plugin from: https://plugins.jenkins.io/defectdojo/

Pipeline Configuration:

pipeline {
    agent any
    environment {
        DEFECTDOJO_URL = 'https://defectdojo.example.com'
        DEFECTDOJO_API_KEY = credentials('defectdojo-api-key')
    }
    stages {
        stage('Security Scan') {
            steps {
                sh 'trivy image --format json -o trivy.json myapp:latest'
            }
        }
        stage('Upload to DefectDojo') {
            steps {
                defectDojoPublisher(
                    artifact: 'trivy.json',
                    productName: 'MyApp',
                    scanType: 'Trivy Scan',
                    engagementName: "Build-${BUILD_NUMBER}"
                )
            }
        }
    }
}

GitHub Actions Integration

name: Security Scan
on: [push]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          format: 'json'
          output: 'trivy-results.json'

      - name: Upload to DefectDojo
        run: |
          curl -X POST "${{ secrets.DEFECTDOJO_URL }}/api/v2/reimport-scan/" \
            -H "Authorization: Token ${{ secrets.DEFECTDOJO_TOKEN }}" \
            -F "scan_type=Trivy Scan" \
            -F "file=@trivy-results.json" \
            -F "product_name=${{ github.repository }}" \
            -F "engagement_name=GitHub-${{ github.run_id }}" \
            -F "auto_create_context=true"

Python API Examples

Tip: For Claude Code interactions, use the MCP tools (

defectdojo_list_findings

, etc.) instead of writing Python code. The examples below are for CI/CD scripts and external integrations.

Basic API Connection

import requests

class DefectDojoAPI:
    def __init__(self, url, api_token):
        self.url = url.rstrip('/')
        self.headers = {
            'Authorization': f'Token {api_token}',
            'Accept': 'application/json'
        }

    def get_products(self):
        response = requests.get(
            f'{self.url}/api/v2/products/',
            headers=self.headers
        )
        response.raise_for_status()
        return response.json()

    def import_scan(self, engagement_id, scan_type, file_path, **kwargs):
        with open(file_path, 'rb') as f:
            data = {
                'engagement': engagement_id,
                'scan_type': scan_type,
                'minimum_severity': kwargs.get('minimum_severity', 'Info'),
                'active': kwargs.get('active', True),
                'verified': kwargs.get('verified', False),
            }
            files = {'file': f}
            response = requests.post(
                f'{self.url}/api/v2/import-scan/',
                headers={'Authorization': self.headers['Authorization']},
                data=data,
                files=files
            )
        response.raise_for_status()
        return response.json()

# Usage
api = DefectDojoAPI('https://defectdojo.example.com', 'your-api-token')
products = api.get_products()

Create Product and Engagement

def create_product(api, name, prod_type_id, description=''):
    response = requests.post(
        f'{api.url}/api/v2/products/',
        headers=api.headers,
        json={
            'name': name,
            'prod_type': prod_type_id,
            'description': description
        }
    )
    response.raise_for_status()
    return response.json()

def create_engagement(api, product_id, name, target_start, target_end,
                      engagement_type='CI/CD'):
    response = requests.post(
        f'{api.url}/api/v2/engagements/',
        headers=api.headers,
        json={
            'name': name,
            'product': product_id,
            'target_start': target_start,
            'target_end': target_end,
            'engagement_type': engagement_type,
            'status': 'In Progress'
        }
    )
    response.raise_for_status()
    return response.json()

Query Findings

def get_findings(api, product_id=None, severity=None, active=True):
    params = {'active': active}
    if product_id:
        params['test__engagement__product'] = product_id
    if severity:
        params['severity'] = severity

    response = requests.get(
        f'{api.url}/api/v2/findings/',
        headers=api.headers,
        params=params
    )
    response.raise_for_status()
    return response.json()

# Get all critical findings
critical = get_findings(api, severity='Critical')

Supported Security Tools (200+)

SAST / Code Analysis

• Bandit, Checkmarx, Fortify, SonarQube, Semgrep
• CodeQL, Horusec, Brakeman, SpotBugs

Dependency / SCA

• Snyk, OWASP Dependency-Check, Dependency-Track
• npm Audit, pip-audit, Trivy, Safety

DAST / Web Scanning

• Burp Suite, OWASP ZAP, Nikto, Nessus
• Qualys, OpenVAS, Acunetix, AppScan

Container / Infrastructure

• Trivy, Aqua, Anchore, Wiz, NeuVector
• kube-bench, Kubescape, Prisma Cloud

Secrets Detection

• Gitleaks, Trufflehog, Detect-secrets
• GitHub Secret Scanning

Cloud Security

• AWS Inspector, AWS Prowler, ScoutSuite
• Azure Security Center, Checkov

IaC Scanning

• Checkov, Terrascan, KICS, TFSec, Dockle

Full list: https://docs.defectdojo.com/supported_tools/

JIRA Integration

Configuration

1. Enable in System Settings:

   Configuration > System Settings > Enable JIRA Integration
   

2. Add JIRA Instance:

   Enterprise Settings > JIRA Instances > + New JIRA Instance
   

3. Configure Webhook (bidirectional sync):

   • Create webhook in JIRA pointing to:

     https://<defectdojo>/jira/webhook/<webhook-secret>

   • Enable in DefectDojo: "Enable JIRA web hook"

Environment Variables

extraEnv:
  - name: DD_JIRA_URL
    value: "https://your-jira.atlassian.net"
  - name: DD_JIRA_MAX_RETRIES
    value: "3"

Features

• Push findings to JIRA as issues
• Bidirectional comment sync
• Auto-close findings when JIRA issues close
• SLA notifications as JIRA comments

Project File Locations

infra-team/applicationset/defectdojo.yaml

argo-cd-helm-values/kube-addons/defectdojo/<cluster>/values.yaml

argo-cd-helm-values/kube-addons/defectdojo/<cluster>/secretproviderclass.yaml

Environment Configuration

kv-cafehyna-dev-hlg

3f7a3df4-f85b-4ca8-98d0-08b1034e6567

Azure AD App Registration

79ada8c7-4270-41e8-9ea0-1e1e62afff3d

3f7a3df4-f85b-4ca8-98d0-08b1034e6567

https://defectdojo.dev.cafehyna.com.br/complete/azuread-tenant-oauth2/

Azure AD SSO Configuration

Required Environment Variables

extraEnv:
  # Enable Azure AD OAuth2
  - name: DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_ENABLED
    value: "True"
  # Application (Client) ID
  - name: DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_KEY
    value: "<client-id>"
  # Directory (Tenant) ID
  - name: DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_TENANT_ID
    value: "<tenant-id>"
  # Client Secret (from Key Vault)
  - name: DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_SECRET
    valueFrom:
      secretKeyRef:
        name: defectdojo
        key: DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_SECRET

Group Synchronization

extraEnv:
  # Sync groups from Azure AD token
  - name: DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_GET_GROUPS
    value: "True"
  # Remove users from groups when removed in Azure AD
  - name: DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS
    value: "True"
  # Filter to only sync DefectDojo groups
  - name: DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_GROUPS_FILTER
    value: "^G-Usuarios-DefectDojo-.*"

Required Azure AD Permissions (Application type, Admin consent required):

• Group.Read.All

• GroupMember.Read.All

• User.Read.All

For complete Azure AD SSO details, see references/azure-ad-sso.md.

DefectDojo Roles

Azure AD Groups for Role Mapping

G-Usuarios-DefectDojo-Superuser

G-Usuarios-DefectDojo-Owner

G-Usuarios-DefectDojo-Maintainer

G-Usuarios-DefectDojo-Writer

G-Usuarios-DefectDojo-Reader

Helm Chart Quick Reference

Key Values

# Host configuration
host: defectdojo.dev.cafehyna.com.br
siteUrl: https://defectdojo.dev.cafehyna.com.br

# Secrets (use CSI driver)
createSecret: false
disableHooks: true

# Django
django:
  replicas: 1
  ingress:
    enabled: true
    activateTLS: true
    className: nginx

# Celery (keep beat at 1 replica)
celery:
  beat:
    enabled: true
    replicas: 1
  worker:
    enabled: true
    replicas: 1

# Database
postgresql:
  enabled: true

# Cache
redis:
  enabled: true

For complete Helm values reference, see references/helm-values.md.

Kubernetes Deployment

Basic Helm Install

git clone https://github.com/DefectDojo/django-DefectDojo
cd django-DefectDojo

helm install defectdojo ./helm/defectdojo \
  -n defectdojo --create-namespace \
  --set django.ingress.enabled=true \
  --set django.ingress.activateTLS=false \
  --set createSecret=true \
  --set createRabbitMqSecret=true \
  --set createPostgresqlSecret=true

Access DefectDojo

kubectl port-forward --namespace=defectdojo service/defectdojo-django 8080:80

Secrets Management

Secrets are managed via Azure Key Vault CSI Driver:

defectdojo-admin-password

DD_ADMIN_PASSWORD

defectdojo-secret-key

DD_SECRET_KEY

defectdojo-credential-aes-key

DD_CREDENTIAL_AES_256_KEY

defectdojo-azuread-client-secret

DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_SECRET

Common Troubleshooting

User Not in Groups After SSO Login

Symptoms: User logged in via Azure AD but shows "No group members found"

Solutions:

1. Verify

   DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_GET_GROUPS=True

2. Check Azure AD API permissions (Group.Read.All with admin consent)
3. Verify Azure AD token includes group claim (not role claims)
4. User must log out and log back in to sync groups
5. Create matching groups in DefectDojo UI

HTTPS Redirect URI Mismatch (ADSTS50011)

Error: "The redirect URI specified in the request does not match"

Solution: Ensure these are set:

- name: DD_SESSION_COOKIE_SECURE
  value: "True"
- name: DD_CSRF_COOKIE_SECURE
  value: "True"
- name: DD_SECURE_PROXY_SSL_HEADER
  value: "True"

ERR_TOO_MANY_REDIRECTS

Cause:

DD_SECURE_SSL_REDIRECT=True

Solution: Set

DD_SECURE_SSL_REDIRECT=False

Emergency Login Access

If SSO breaks, access standard login form:

https://defectdojo.dev.cafehyna.com.br/login?force_login_form

For complete troubleshooting guide, see references/troubleshooting.md.

Useful Commands

Check Pod Status

KUBECONFIG=~/.kube/aks-rg-hypera-cafehyna-dev-config kubectl get pods -n defectdojo

View Logs

KUBECONFIG=~/.kube/aks-rg-hypera-cafehyna-dev-config kubectl logs -n defectdojo -l app.kubernetes.io/name=defectdojo -c uwsgi

Restart Deployment

KUBECONFIG=~/.kube/aks-rg-hypera-cafehyna-dev-config kubectl rollout restart deployment/defectdojo-django -n defectdojo

Additional References

MCP Server

• MCP Server README - MCP server setup and usage
• MCP Server Source - Server implementation

Skill References

• Azure AD SSO Configuration - Complete SSO setup guide
• Helm Values Reference - Full Helm chart configuration
• Troubleshooting Guide - Common issues and solutions
• API v2 Reference - Complete API documentation
• CI/CD Integration Guide - Pipeline integration patterns

External

• Official Documentation
• Swagger UI - Interactive API docs