
What is "Persistence DefectDojo" Hook about?#

The DefectDojo hook imports the reports from scans automatically into OWASP DefectDojo. The hook uses the import scan API v2 from DefectDojo to import the scan results.

This means that the hook only supports scan types which both the secureCodeBox and DefectDojo support. These are:

  • Nmap
  • Nikto
  • ZAP (Baseline, API Scan and Full Scan)
  • ZAP Advanced
  • SSLyze
  • Trivy
  • Gitleaks

After uploading the results to DefectDojo, the hook uses the findings parsed by DefectDojo to overwrite the original secureCodeBox findings identified by the parser. This lets you access finding metadata from DefectDojo, such as the false positive and duplicate status, in further ReadOnly hooks, e.g. to send out Slack notifications for non-duplicate and non-false-positive findings only.


Be careful when using the DefectDojo Hook in combination with other ReadAndWrite hooks. The secureCodeBox currently has no way to guarantee that one ReadAndWrite hook gets executed before another ReadAndWrite hook. This can lead to "lost update" problems as the DefectDojo hook will overwrite all findings, which disregards the results of previously run ReadAndWrite hooks. ReadOnly hooks work fine with the DefectDojo hook as they are always executed after ReadAndWrite Hooks.

Running "Persistence DefectDojo" Hook Locally from Source#

For development purposes, it can be useful to run this hook locally. You can do so by following these steps:

  1. Make sure you have access to a running DefectDojo instance.
  2. Run a Scan of your choice.
  3. Supply download links for the scan results (Raw Result and Findings.json). You can, e.g., access them from the included Minio instance and upload them to a GitHub Gist.
  4. Set the following environment variables:
     • DEFECTDOJO_APIKEY= (e.g. b09c.., can be fetched from the DefectDojo Settings)
     • IS_DEV=true
     • SCAN_NAME (must be set exactly to the name of the scan used in step 2)
  5. Build the jar with gradle and run it with the following CLI arguments: {Raw Result Download URL} {Findings Download URL} {Raw Result Upload URL} {Findings Upload URL}. See the code snippet below. You have to adjust the filename of the jar for versions other than '0.1.0-SNAPSHOT'. You will also need to change the download URLs for the Raw Result and Findings to the ones from step 3.

./gradlew build
java -jar build/libs/defectdojo-persistenceprovider-0.1.0-SNAPSHOT.jar {Raw Result Download URL} {Findings Download URL} {Raw Result Upload URL} {Findings Upload URL}


The persistence-defectdojo chart can be deployed via helm:

# Install HelmChart (use -n to configure another namespace)
helm upgrade --install persistence-defectdojo secureCodeBox/persistence-defectdojo


Kubernetes: >=v1.11.0-0

Additional Chart Configurations#

Installing the DefectDojo persistenceProvider hook will add a ReadOnly Hook to your namespace.

kubectl create secret generic defectdojo-credentials --from-literal="username=admin" --from-literal="apikey=08b7..."
helm upgrade --install dd secureCodeBox/persistence-defectdojo \
    --set="defectdojo.url=https://defectdojo-django.default.svc"

The hook will automatically import the scan results into an engagement in DefectDojo. If the engagement doesn't exist the hook will create the engagement (CI/CD engagement) and all objects required for it (product & product type).

You don't need any configuration for that to work: the hook will infer the engagement and product names from the scan name. If you want more control over the names, or want to add additional meta information such as the version of the tested software, you can add these via annotations on the scan. See the examples below.

Scan Annotation | Description | Default if not set | Notes
defectdojo.securecodebox.io/product-type-name | Name of the Product Type | Product Type with ID 1 (typically "Research and Development") | Product Type will be automatically created if no Product Type under that name exists
defectdojo.securecodebox.io/product-name | Name of the Product | ScheduledScan Name if Scheduled, Scan Name if it's a standalone Scan | Product will be automatically created if no Product under that name exists
defectdojo.securecodebox.io/product-description | Description of the Product | Empty String | Only used when creating the Product, not used for updating
defectdojo.securecodebox.io/product-tags | Product Tags | Nothing | Only used when creating the Product, not used for updating
defectdojo.securecodebox.io/engagement-name | Name of the Engagement | Scan Name | Will be automatically created if no engagement with that name and version exists
defectdojo.securecodebox.io/engagement-version | Engagement Version | Nothing |
defectdojo.securecodebox.io/engagement-deduplicate-on-engagement | Deduplicate On Engagement | false | Only used when creating the Engagement, not used for updating
defectdojo.securecodebox.io/engagement-tags | Engagement Tags | Nothing | Only used when creating the Engagement, not used for updating
defectdojo.securecodebox.io/test-title | Test Title | Scan Name |

Simple Example Scans#

This will import the results daily into an engagement called "zap-juiceshop-$UNIX_TIMESTAMP" (the name of the Scan created daily by the ScheduledScan), in a Product called "zap-juiceshop" in the default DefectDojo product type.

apiVersion: "execution.securecodebox.io/v1"
kind: ScheduledScan
metadata:
  name: "zap-juiceshop"
spec:
  interval: 24h
  scanSpec:
    scanType: "zap-full-scan"
    parameters:
      - "-t"
      - "http://juice-shop.demo-targets.svc:3000"

Complete Example Scan#

This will import the results into the engagement, product and product type given by the annotations. The engagement will be reused by the hook for the daily scans / imports until the engagement version is increased.

apiVersion: "execution.securecodebox.io/v1"
kind: ScheduledScan
metadata:
  name: "zap-full-scan-juiceshop"
  annotations:
    defectdojo.securecodebox.io/product-type-name: "OWASP"
    defectdojo.securecodebox.io/product-name: "Juice Shop"
    defectdojo.securecodebox.io/product-description: |
      OWASP Juice Shop is probably the most modern and sophisticated insecure web application!
      It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools!
      Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
    defectdojo.securecodebox.io/product-tags: vulnerable,appsec,owasp-top-ten,vulnapp
    defectdojo.securecodebox.io/engagement-name: "Juice Shop"
    defectdojo.securecodebox.io/engagement-version: "v12.6.1"
    defectdojo.securecodebox.io/engagement-tags: "automated,daily"
    defectdojo.securecodebox.io/engagement-deduplicate-on-engagement: "true"
    defectdojo.securecodebox.io/test-title: "Juice Shop - v12.6.1"
spec:
  interval: 24h
  scanSpec:
    scanType: "zap-full-scan"
    parameters:
      - "-t"
      - "http://juice-shop.demo-targets.svc:3000"
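As an added illustration (not the hook's own code), the following resolves a Scan's DefectDojo product type, product, engagement and test names by the rules of the annotation table above: an annotation wins, otherwise the documented default applies, so it covers both the simple and the complete example scan. It assumes the defectdojo.securecodebox.io/* annotation keys and a standard Kubernetes ownerReference of kind ScheduledScan on scans created by a ScheduledScan.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: the hook reads the defectdojo.securecodebox.io/* annotation keys listed in
# the table above; an unset annotation means the "Default if not set" column applies.
PREFIX = "defectdojo.securecodebox.io/"

@dataclass
class DefectDojoContext:
    product_type_name: Optional[str]  # None -> Product Type with ID 1 (the table's default)
    product_name: str
    product_description: str
    product_tags: list
    engagement_name: str
    engagement_version: Optional[str]
    deduplicate_on_engagement: bool
    engagement_tags: list
    test_title: str

def _split_tags(value: Optional[str]) -> list:
    # Tags arrive as one comma-separated string; unset ("Nothing") becomes an empty list.
    return [t.strip() for t in value.split(",") if t.strip()] if value else []

def _scheduled_scan_name(metadata: dict) -> Optional[str]:
    # Assumption: a Scan spawned by a ScheduledScan carries a standard Kubernetes
    # ownerReference of kind ScheduledScan; that owner's name is the product-name default.
    for ref in metadata.get("ownerReferences", []):
        if ref.get("kind") == "ScheduledScan":
            return ref.get("name")
    return None

def resolve_context(metadata: dict) -> DefectDojoContext:
    """Annotation value if set, otherwise the default the table documents."""
    annotations = metadata.get("annotations") or {}
    scan_name = metadata["name"]

    def ann(key: str) -> Optional[str]:
        return annotations.get(PREFIX + key)

    return DefectDojoContext(
        product_type_name=ann("product-type-name"),
        product_name=ann("product-name") or _scheduled_scan_name(metadata) or scan_name,
        product_description=ann("product-description") or "",
        product_tags=_split_tags(ann("product-tags")),
        engagement_name=ann("engagement-name") or scan_name,
        engagement_version=ann("engagement-version"),
        deduplicate_on_engagement=(ann("engagement-deduplicate-on-engagement") or "false").lower() == "true",
        engagement_tags=_split_tags(ann("engagement-tags")),
        test_title=ann("test-title") or scan_name,
    )
```

Feeding it the metadata of a Scan spawned by the simple "zap-juiceshop" ScheduledScan yields product "zap-juiceshop" and an engagement named after the individual Scan, exactly as described for the simple example.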


Key | Type | Default | Description
defectdojo.authentication.apiKeyKey | string | "apikey" | Name of the apikey key in the userSecret secret. Use this if you already have a secret with different key / value pairs
defectdojo.authentication.userSecret | string | "defectdojo-credentials" | Link a pre-existing generic secret with username and apikey key / value pairs
defectdojo.authentication.usernameKey | string | "username" | Name of the username key in the userSecret secret. Use this if you already have a secret with different key / value pairs
defectdojo.syncFindingsBack | bool | true | Syncs back (two-way sync) all imported findings from DefectDojo to the SCB Findings Store; set to false to only import the findings into DefectDojo (one-way sync).
defectdojo.url | string | "http://defectdojo-django.default.svc" | URL of the DefectDojo instance
hook.image.pullPolicy | string | "IfNotPresent" | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if the :latest tag is specified, or IfNotPresent otherwise.
hook.image.repository | string | "" | Hook image repository
hook.image.tag | string | nil | Container image tag



Code of secureCodeBox is licensed under the Apache License 2.0.