vet integrates with DefectDojo to export vulnerabilities, policy violations, and other findings. Each scan is reported as a new engagement in DefectDojo.

Prerequisites

  • Docker & Docker Compose: required for running DefectDojo locally
  • DefectDojo instance: either a local or cloud-hosted DefectDojo installation
  • Vet CLI: install Vet following the quickstart guide
  • API access: a DefectDojo API key for authentication

If you don't have Vet installed yet, follow the quickstart guide to get started.

Quick Setup with Docker

The steps below use Docker Compose to run DefectDojo locally and scan the demo-client-python repository as a worked example.

Setup DefectDojo

1. Clone DefectDojo

Download the DefectDojo repository:

git clone https://github.com/DefectDojo/django-DefectDojo.git --depth 1
cd django-DefectDojo

2. Start Services

Launch DefectDojo with Docker Compose:

docker compose up -d

This will take a while as it builds images and downloads dependencies.

3. Get Admin Password

Retrieve the admin password from the logs:

docker compose logs initializer | grep "Admin password:"

The initializer container runs migrations and creates initial data, which may take several minutes.

4. Access DefectDojo

Navigate to http://localhost:8080 and log in with:
  • Username: admin
  • Password: (from previous step)

Configure Your Project

1. Create Product

Create a new product called demo-client-python and note its product ID.

2. Generate API Key

Navigate to http://localhost:8080/api/key-v2 to generate an API key for the Vet integration.

3. Set Environment Variable

Configure the API key for Vet usage:

export DEFECT_DOJO_APIV2_KEY=<your-api-key>

Scanning with Vet

Now you can scan a project and send results to DefectDojo:

vet scan --github https://github.com/safedep/demo-client-python \
  --filter-suite /path/to/your/policy-suite.yml \
  --report-defect-dojo \
  --defect-dojo-host-url http://localhost:8080/ \
  --defect-dojo-product-id <your-product-id>

Each scan creates a new engagement in DefectDojo; policy violations are reported as findings and are visible in DefectDojo's dashboard.

Currently, Vet reports only policy violations to DefectDojo. Support for reporting vulnerabilities and malicious package information is planned and tracked in GitHub issue #430.

Advanced Configuration

Custom Policy Suites

Example policy suite for the DefectDojo integration:

# defectdojo-policy.yml
name: DefectDojo Security Policy
description: Comprehensive policy for DefectDojo integration
filters:
  - name: critical-vulnerabilities
    value: |
      vulns.critical.size() > 0

  - name: high-risk-packages
    value: |
      vulns.high.size() > 3

  - name: license-violations
    value: |
      !licenses.exists(p, p in ["MIT", "Apache-2.0", "BSD-3-Clause"])

  - name: unmaintained-packages
    value: |
      scorecard.scores.Maintained < 5

CI/CD Integration

Example GitHub Actions workflow that scans the repository on every push and pull request and reports policy violations to DefectDojo. The DefectDojo URL, product ID and API key are read from repository secrets so they never appear in the workflow file:

name: Security Scan to DefectDojo
on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # vet must be available on the runner; install it as described in the quickstart guide
      - name: Run vet security scan
        run: |
          vet scan -D . \
            --filter-suite .github/security-policy.yml \
            --report-defect-dojo \
            --defect-dojo-host-url ${{ secrets.DEFECT_DOJO_URL }} \
            --defect-dojo-product-id ${{ secrets.DEFECT_DOJO_PRODUCT_ID }}
        env:
          DEFECT_DOJO_APIV2_KEY: ${{ secrets.DEFECT_DOJO_API_KEY }}

Multiple Projects

For organizations with multiple projects, create separate products in DefectDojo:
# Project A
vet scan -D ./project-a \
  --report-defect-dojo \
  --defect-dojo-product-id 1

# Project B
vet scan -D ./project-b \
  --report-defect-dojo \
  --defect-dojo-product-id 2

Troubleshooting

If authentication fails:
  • Verify the API key is correctly set in the environment
  • Check that the API key has sufficient permissions
  • Ensure the DefectDojo URL is accessible from your environment
If the product ID is invalid:
  • Verify the product exists in DefectDojo
  • Check that you have access to the specified product
  • Ensure the product ID is numeric, not the product name
If no findings appear in DefectDojo:
  • Confirm that policy violations exist in your scan
  • Check the Vet scan output for errors
  • Verify the DefectDojo integration is properly configured
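The checks above can be scripted and run before each scan so that a bad key, a product name passed where the numeric ID belongs, or an unreachable host is caught before Vet reports anything. The script below is an added example, not part of Vet or DefectDojo; it assumes DefectDojo's standard REST API v2 token authentication (the "Authorization: Token <key>" header) and its /api/v2/products/<id>/ endpoint, the DEFECT_DOJO_APIV2_KEY variable used on this page, and that curl is installed.

```shell
#!/bin/sh
# Preflight check for the vet -> DefectDojo hand-off (added example, not part of vet or DefectDojo).
# Assumptions: vet reads DEFECT_DOJO_APIV2_KEY from the environment (as on this page),
# DefectDojo's REST API v2 authenticates with "Authorization: Token <key>" and
# exposes a product at /api/v2/products/<id>/ (standard DefectDojo endpoints).

# DefectDojo wants the numeric product ID, not the product name.
is_numeric_product_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Strip one trailing slash so API paths can be appended cleanly.
normalize_host_url() {
  printf '%s' "${1%/}"
}

# Build the URL of the product resource for a host URL and product ID.
product_endpoint() {
  printf '%s/api/v2/products/%s/' "$(normalize_host_url "$1")" "$2"
}

# Run the checks from the Troubleshooting section before a scan:
# key present, ID numeric, host reachable, product visible to this key.
check_defect_dojo() {
  if [ -z "${DEFECT_DOJO_APIV2_KEY:-}" ]; then
    echo "DEFECT_DOJO_APIV2_KEY is not set" >&2; return 1
  fi
  if ! is_numeric_product_id "$2"; then
    echo "product ID '$2' is not numeric; use the ID, not the product name" >&2; return 1
  fi
  status=$(curl -s -o /dev/null -w '%{http_code}' \
    -H "Authorization: Token ${DEFECT_DOJO_APIV2_KEY}" \
    "$(product_endpoint "$1" "$2")") || { echo "cannot reach $1" >&2; return 1; }
  case "$status" in
    200) return 0 ;;
    401|403) echo "authentication failed (HTTP $status): check the key and its permissions" >&2; return 1 ;;
    404) echo "product $2 not found (HTTP $status): verify it exists and you have access" >&2; return 1 ;;
    *) echo "unexpected HTTP $status from $1" >&2; return 1 ;;
  esac
}

# Example: only start the scan when the preflight passes.
# check_defect_dojo http://localhost:8080/ 1 && vet scan -D . --report-defect-dojo \
#   --defect-dojo-host-url http://localhost:8080/ --defect-dojo-product-id 1
```

Source the file in your shell or CI job and gate the vet invocation on check_defect_dojo; each failure message maps to one of the troubleshooting items above.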

Related Resources

  • DefectDojo Documentation: learn more about DefectDojo features and configuration
  • Policy as Code Guide: create effective security policies for the DefectDojo integration
  • Vet GitHub Issues: track progress on enhanced DefectDojo integration features
  • Demo Repository: use the demo repository to test your DefectDojo integration