
DefectDojo

A DevSecOps vulnerability management platform for tracking security findings.

DefectDojo is an open-source application vulnerability management tool that aggregates findings from security scanners (SAST, DAST, dependency scanners) and tracks them through remediation. It provides dashboards, deduplication, SLA tracking, and integrations with CI/CD pipelines. Self-hosting avoids the per-finding or per-seat costs of commercial ASPM platforms.

Alternatives considered

Cloud Hosted

| Tool | Open Source | Free Tier | Monthly Cost |
| --- | --- | --- | --- |
| Veracode | No | No | Enterprise |
| Snyk | No | Limited | From $25/dev |
| GitHub Advanced Security | No | No | From $49/seat |

Installation

Architecture

  • HelmRelease: Deployed via the official defectdojo Helm chart with custom values in a ConfigMap
  • StatefulSet: Django/uwsgi application with a media PVC (5Gi, longhorn-encrypted, ReadWriteMany)
  • Database: External CNPG PostgreSQL cluster — chart's built-in PostgreSQL disabled
  • Cache: External Valkey (digest-pinned valkey/valkey Alpine image; the exact tag and digest are whatever the rendered manifest below shows, since Renovate bumps it) — chart's built-in Valkey disabled
  • Networking: HTTPRoute via internal gateway

Security

  • Valkey pod runs with runAsUser: 999, runAsNonRoot: true and seccompProfile RuntimeDefault; the container sets allowPrivilegeEscalation: false and drops all capabilities
  • DD_SESSION_COOKIE_SECURE, DD_CSRF_COOKIE_SECURE, and DD_SECURE_SSL_REDIRECT all set to "True"
  • Longhorn media PVC encrypted at rest
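The three bullets above are claims about rendered manifests, and they silently regress when a chart bump or a values change drops a field. The following script is an added example (not code from the DefectDojo project or from this repository) that checks those claims against the live objects: pipe in `kubectl get statefulsets -n defectdojo -o json` and it reports any pod that is not non-root/seccomp/no-capabilities on a digest-pinned image, and any DefectDojo container whose DD_*_SECURE variables are not the literal string "True". The sample objects are constructed: SAMPLE_VALKEY mirrors the rendered Valkey StatefulSet on this page, while the Django container's name, image and env layout in SAMPLE_DJANGO are assumptions.

```python
"""Policy check for the hardening settings described in the Security section.

Added example, not DefectDojo project code. Input is a Kubernetes List as JSON
(`kubectl get sts -n defectdojo -o json`); with no stdin it checks the samples.
"""
import json
import sys

REQUIRED_TRUE_ENV = (
    "DD_SESSION_COOKIE_SECURE",
    "DD_CSRF_COOKIE_SECURE",
    "DD_SECURE_SSL_REDIRECT",
)


def pod_spec(obj):
    """Pod template spec of a Deployment/StatefulSet-style object."""
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def check_pod_hardening(obj):
    """Findings for pod and container security contexts (empty list = compliant)."""
    findings = []
    pod = pod_spec(obj)
    psc = pod.get("securityContext", {})
    if psc.get("runAsNonRoot") is not True:
        findings.append("pod: runAsNonRoot is not true")
    if psc.get("runAsUser", 0) == 0:
        findings.append("pod: runAsUser is 0 or unset")
    if psc.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        findings.append("pod: seccompProfile is not RuntimeDefault")
    for c in pod.get("containers", []):
        csc = c.get("securityContext", {})
        name = c.get("name", "?")
        # allowPrivilegeEscalation defaults to true when omitted, so unset is a finding
        if csc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if "ALL" not in csc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not contain ALL")
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{name}: image is not digest-pinned")
    return findings


def check_secure_cookie_env(obj):
    """Findings for DD_*_SECURE on every container that defines DD_ env vars."""
    findings = []
    for c in pod_spec(obj).get("containers", []):
        env = {e["name"]: e for e in c.get("env", [])}
        if not any(k.startswith("DD_") for k in env):
            continue  # not a DefectDojo container (e.g. valkey)
        for var in REQUIRED_TRUE_ENV:
            entry = env.get(var)
            if entry is None:
                findings.append(f"{c['name']}: {var} is not set")
            elif "valueFrom" in entry:
                # value lives in a ConfigMap/Secret; cannot be resolved from the workload alone
                findings.append(f"{c['name']}: {var} comes from valueFrom, verify the referenced object")
            elif entry.get("value") != "True":
                findings.append(f"{c['name']}: {var} is {entry.get('value')!r}, expected 'True'")
    return findings


def check_objects(items):
    """Run both checks over a list of workload objects; returns {name: [findings]}."""
    report = {}
    for obj in items:
        name = obj.get("metadata", {}).get("name", "?")
        report[name] = check_pod_hardening(obj) + check_secure_cookie_env(obj)
    return report


def _workload(name, container):
    return {"kind": "StatefulSet", "metadata": {"name": name, "namespace": "defectdojo"},
            "spec": {"template": {"spec": {
                "securityContext": {"runAsNonRoot": True, "runAsUser": 999, "runAsGroup": 1000,
                                    "fsGroup": 1000, "seccompProfile": {"type": "RuntimeDefault"}},
                "containers": [container]}}}}


HARDENED = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}, "privileged": False}

# Constructed sample mirroring the rendered Valkey StatefulSet on this page.
SAMPLE_VALKEY = _workload("valkey", {
    "name": "valkey", "args": ["valkey-server"],
    "image": "valkey/valkey:9.1.0-alpine@sha256:a35428eba9043cc0b79dbe54100f0c92784f2de00ad09b01182bfb1c5c83d1bd",
    "securityContext": HARDENED})
# Assumed shape of the Django container; name, image and env layout are not from the page.
SAMPLE_DJANGO = _workload("defectdojo-django", {
    "name": "django", "image": "defectdojo/defectdojo-django:latest@sha256:" + "0" * 64,
    "securityContext": HARDENED,
    "env": [{"name": v, "value": "True"} for v in REQUIRED_TRUE_ENV] + [{"name": "DD_DEBUG", "value": "False"}]})


if __name__ == "__main__":
    items = json.load(sys.stdin)["items"] if not sys.stdin.isatty() else [SAMPLE_VALKEY, SAMPLE_DJANGO]
    report = check_objects(items)
    for name, findings in report.items():
        print(name, "OK" if not findings else "\n  - " + "\n  - ".join(findings))
    sys.exit(1 if any(report.values()) else 0)
```

A `valueFrom` entry is reported rather than accepted because the Helm values here live in a ConfigMap; if the chart injects the DD_* variables through envFrom or valueFrom, extend the check to fetch that ConfigMap and compare its keys instead.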

Updates

Managed by Renovate. Valkey image is digest-pinned.

Data Management

  • Database: CNPG PostgreSQL cluster (Longhorn-encrypted PVCs)
  • PVC: Media volume (5Gi, longhorn-encrypted, ReadWriteMany) for uploaded files
  • Backups: No k8up schedule present. The CNPG operator manages PostgreSQL backups; the media PVC (uploaded report files) therefore has no backup schedule of its own and is only as durable as the Longhorn volume

User Management

OIDC configured via PocketID — DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT set, DD_SOCIAL_AUTH_OIDC_KEY and DD_SOCIAL_AUTH_OIDC_SECRET from SOPS secret. DD_SOCIAL_LOGIN_AUTO_REDIRECT: "true" sends the login page straight to PocketID when it is the only provider; it does not disable local accounts, which can still sign in through the form at /login?force_login_form, so the admin password must still be strong and rotated.

Configuration Management

  • Helm chart values in ConfigMap (bundled PostgreSQL and Valkey disabled, external endpoints configured)
  • OIDC credentials from SOPS-encrypted secret
  • Database credentials injected from CNPG-generated secret

Administration

Usage

Import scan results from tools like OWASP ZAP, Trivy, or Semgrep via the API or UI. Triage findings, assign severity and owners, and track remediation status. Organize findings using the product/engagement hierarchy. Users authenticate via PocketID OIDC.
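The import path a CI job takes is the `/api/v2/import-scan/` (first run) and `/api/v2/reimport-scan/` (subsequent runs) endpoints, authenticated with a DefectDojo API token. The following is an added example of such a client, written for this page and not code from the DefectDojo project or this repository; it uses only the standard library, so the multipart encoder and the form-field builder can be exercised offline. The server URL, token, product and engagement names come from environment variables and are placeholders, and the sample Trivy report is a constructed minimal document, not real scanner output. One caveat it enforces: with DD_SECURE_SSL_REDIRECT on, a POST to the plain-http URL is answered with a redirect, and urllib follows 301/302 by re-issuing a GET without the body, so the client refuses anything that is not https.

```python
"""Upload a scanner report to DefectDojo's import-scan / reimport-scan API.

Added example for this page; not DefectDojo project code. Stdlib only.
Env (placeholders): DD_URL, DD_TOKEN, DD_PRODUCT, DD_ENGAGEMENT, DD_REIMPORT=1.
"""
import json
import os
import secrets
import urllib.error
import urllib.request

# Constructed minimal Trivy-style document used as the demo upload.
SAMPLE_TRIVY_REPORT = {"SchemaVersion": 2, "ArtifactName": "example-app:1.0", "Results": []}


def build_import_fields(scan_type, product, engagement, test_title=None,
                        minimum_severity="Low", tags=()):
    """Form fields for import-scan (the same fields drive reimport-scan).

    auto_create_context lets DefectDojo create the product/engagement on the
    first run, so the pipeline needs no pre-provisioned numeric IDs; on reimport,
    test_title selects the Test to update and close_old_findings closes findings
    that disappeared from the new report.
    """
    fields = {
        "scan_type": scan_type,            # e.g. "Trivy Scan", "ZAP Scan", "Semgrep JSON Report"
        "product_name": product,
        "engagement_name": engagement,
        "auto_create_context": "true",
        "minimum_severity": minimum_severity,
        "active": "true",
        "verified": "false",               # triage happens in the UI, not in CI
        "close_old_findings": "true",
    }
    if test_title:
        fields["test_title"] = test_title
    for t in tags:
        fields.setdefault("tags", []).append(t)   # list values become repeated form parts
    return fields


def encode_multipart(fields, file_field, filename, content, boundary=None):
    """Return (body_bytes, content_type_header) for a multipart/form-data request."""
    boundary = boundary or secrets.token_hex(16)
    lines = []
    for name, value in fields.items():
        for v in (value if isinstance(value, list) else [value]):
            lines += [f"--{boundary}", f'Content-Disposition: form-data; name="{name}"', "", str(v)]
    lines += [f"--{boundary}",
              f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"',
              "Content-Type: application/octet-stream", ""]
    body = "\r\n".join(lines).encode() + b"\r\n" + content + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def is_safe_base_url(base_url):
    """Only https: an http POST would be redirected and urllib re-sends it as a bodiless GET."""
    return base_url.startswith("https://")


def send_report(base_url, token, fields, filename, content, reimport=False, timeout=60):
    """POST the report and return the parsed JSON response; HTTP errors carry the server message."""
    if not is_safe_base_url(base_url):
        raise ValueError("DefectDojo base URL must be https://")
    endpoint = "reimport-scan" if reimport else "import-scan"
    body, ctype = encode_multipart(fields, "file", filename, content)
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v2/{endpoint}/", data=body, method="POST",
        headers={"Authorization": f"Token {token}", "Content-Type": ctype, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        raise RuntimeError(f"DefectDojo returned {e.code}: {e.read().decode(errors='replace')[:500]}") from e


if __name__ == "__main__":
    fields = build_import_fields("Trivy Scan", os.environ.get("DD_PRODUCT", "example-app"),
                                 os.environ.get("DD_ENGAGEMENT", "ci"), test_title="trivy-image", tags=("ci",))
    result = send_report(os.environ["DD_URL"], os.environ["DD_TOKEN"], fields, "trivy.json",
                         json.dumps(SAMPLE_TRIVY_REPORT).encode(), reimport=os.environ.get("DD_REIMPORT") == "1")
    print(json.dumps(result, indent=2))
```

Create the token as a dedicated low-privilege DefectDojo user scoped to the products the pipeline writes to, and keep it in the CI secret store rather than in the repository alongside the SOPS-managed OIDC credentials.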

Cluster-specific deviations from the above live in the per-cluster README — see k8s/apps/talos/defectdojo/README.md.

Cluster Deployment

DefectDojo — Talos cluster

Cluster-specific notes only. General product info, "why we use it", and alternatives live in docusaurus/docs/apps/defectdojo.mdx.

Deviations from defaults

Defaults live in docusaurus/docs/apps/defectdojo.mdx — document anything this cluster does differently here, with a one-line reason.

Kubernetes Metadata
Rendered manifests (kustomize build)
```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: valkey
  namespace: defectdojo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: valkey
  serviceName: valkey
  template:
    metadata:
      labels:
        app: valkey
    spec:
      containers:
        - args:
            - valkey-server
          image: valkey/valkey:9.1.0-alpine@sha256:a35428eba9043cc0b79dbe54100f0c92784f2de00ad09b01182bfb1c5c83d1bd
          livenessProbe:
            initialDelaySeconds: 10
            periodSeconds: 10
            tcpSocket:
              port: 6379
          name: valkey
          ports:
            - containerPort: 6379
              name: client
          readinessProbe:
            initialDelaySeconds: 3
            periodSeconds: 5
            tcpSocket:
              port: 6379
          resources:
            limits:
              memory: 512Mi
            requests:
              cpu: 50m
              memory: 128Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
          volumeMounts:
            - mountPath: /conf
              name: conf
            - mountPath: /data
              name: data
      securityContext:
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
        runAsGroup: 1000
        runAsNonRoot: true
        runAsUser: 999
        seccompProfile:
          type: RuntimeDefault
      volumes:
        - emptyDir: {}
          name: conf
        - emptyDir: {}
          name: data
```