DefectDojo
A DevSecOps vulnerability management platform for tracking security findings.
About
DefectDojo is an open-source application vulnerability management tool that aggregates findings from security scanners (SAST, DAST, dependency scanners) and tracks them through remediation. It provides dashboards, deduplication, SLA tracking, and integrations with CI/CD pipelines. Self-hosting avoids the per-finding or per-seat costs of commercial ASPM platforms.
AlternativeTo
Cloud Hosted
| Tool | Open Source | Free Tier | Monthly Cost |
|---|---|---|---|
| Veracode | No | No | Enterprise |
| Snyk | No | Limited | From $25/dev |
| GitHub Advanced Security | No | No | From $49/seat |
Installation
From kustomize build k8s/apps/talos/defectdojo:
- HelmRelease: Deployed via the official defectdojo Helm chart with custom values in a ConfigMap
- StatefulSet: Django/uwsgi application with a media PVC (5Gi, longhorn-encrypted, ReadWriteMany)
- Database: External CNPG PostgreSQL cluster (cnpg-rw); chart's built-in PostgreSQL disabled
- Cache: External Valkey (Redis-compatible); chart's built-in Valkey disabled
- Networking: HTTPRoute; internal service aliases configured
Administration
- Backups: No k8up schedule present; CNPG handles PostgreSQL backups
- OpenID/SSO: OIDC configured via PocketID. DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT points to the PocketID OIDC endpoint; DD_SOCIAL_AUTH_OIDC_KEY and DD_SOCIAL_AUTH_OIDC_SECRET come from a SOPS secret; DD_SOCIAL_LOGIN_AUTO_REDIRECT: "true" enforces SSO login
- Security: DD_SESSION_COOKIE_SECURE, DD_CSRF_COOKIE_SECURE, and DD_SECURE_SSL_REDIRECT are all set to "True"
Usage
Import scan results from tools like OWASP ZAP, Trivy, or Semgrep via the API or UI. Triage findings, assign severity and owners, and track remediation status. Organize findings using the product/engagement hierarchy. Users authenticate via PocketID OIDC.
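As an added example (not part of this page or the DefectDojo project), a dependency-free Python client that uploads a scanner report to DefectDojo's v2 import-scan endpoint with an API token. The base URL, engagement id, token placeholder and the embedded Trivy report are all assumptions/constructed values.

```python
import json
import uuid
import urllib.request

API_PATH = "/api/v2/import-scan/"  # DefectDojo v2 endpoint for importing scanner output


def encode_multipart(fields, file_field, filename, content):
    """Build a multipart/form-data body by hand so no third-party HTTP library is needed."""
    boundary = uuid.uuid4().hex
    lines = []
    for name, value in fields.items():
        lines += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(),
                  b"", str(value).encode()]
    lines += [f"--{boundary}".encode(),
              f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"'.encode(),
              b"Content-Type: application/octet-stream", b"", content]
    lines += [f"--{boundary}--".encode(), b""]
    return b"\r\n".join(lines), f"multipart/form-data; boundary={boundary}"


def build_import_request(base_url, api_token, engagement_id, scan_type,
                         filename, content, minimum_severity="Low"):
    """Prepare the POST; findings land in the given engagement of the product hierarchy."""
    fields = {
        "engagement": engagement_id,          # target engagement id (assumed value)
        "scan_type": scan_type,               # e.g. "Trivy Scan" as named in DefectDojo
        "minimum_severity": minimum_severity,  # drop Info-level noise before triage
        "active": "true",
        "verified": "false",                  # leave verification to the triage step
        "close_old_findings": "true",         # auto-close findings absent from this upload
    }
    body, content_type = encode_multipart(fields, "file", filename, content)
    req = urllib.request.Request(base_url.rstrip("/") + API_PATH, data=body, method="POST")
    req.add_header("Authorization", f"Token {api_token}")  # DefectDojo API key auth
    req.add_header("Content-Type", content_type)
    return req


def import_scan(req, timeout=60):
    """Send the prepared request and return DefectDojo's JSON response."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed minimal Trivy-style report used as sample input; not output of a real scan.
SAMPLE_TRIVY = json.dumps({"SchemaVersion": 2, "ArtifactName": "example/app:1.0",
                           "Results": [{"Target": "example/app:1.0", "Class": "os-pkgs",
                                        "Vulnerabilities": [{"VulnerabilityID": "EXAMPLE-0001",
                                                             "PkgName": "libexample",
                                                             "Severity": "HIGH"}]}]}).encode()
```

Run it with `import_scan(build_import_request("https://defectdojo.example.internal", "<API_TOKEN>", 7, "Trivy Scan", "trivy.json", SAMPLE_TRIVY))` against your own instance; keep the token in a secret store rather than in the script.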
Metadata
- Image: valkey/valkey:9.0.3-alpine@sha256:e1095c6c76ee982cb2d1e07edbb7fb2a53606630a1d810d5a47c9f646b708bf5