vet supports integration with DefectDojo to track and manage vulnerabilities. You can export vulnerabilities, policy violations, and other findings to DefectDojo. Each scan is reported as a new engagement in DefectDojo.

Prerequisites

  • Docker & Docker Compose: required for running DefectDojo locally
  • DefectDojo instance: either a local or a cloud-hosted DefectDojo installation
  • vet CLI: install vet following the quickstart guide
  • API access: a DefectDojo API key for authentication

If you don’t have vet installed yet, follow the quickstart guide to get started.

Quick Setup with Docker

For this example, we’ll set up a DefectDojo instance using Docker Compose and scan the demo-client-python repository.

Setup DefectDojo

1. Clone DefectDojo

Download the DefectDojo repository:
git clone https://github.com/DefectDojo/django-DefectDojo.git --depth 1
cd django-DefectDojo

2. Start Services

Launch DefectDojo with Docker Compose:
docker compose up -d
This will take a while as it builds images and downloads dependencies.

3. Get Admin Password

Retrieve the admin password from the logs:
docker compose logs initializer | grep "Admin password:"
The initializer container runs migrations and creates initial data, which may take several minutes.

4. Access DefectDojo

Navigate to http://localhost:8080 and log in with:
  • Username: admin
  • Password: (from previous step)

Configure Your Project

1. Create Product

Create a new product called demo-client-python and note its numeric product ID; the scan command later needs the ID, not the product name.

2. Generate API Key

Navigate to http://localhost:8080/api/key-v2 to generate an API key for the vet integration.

3. Set Environment Variable

Configure the API key for vet usage:
export DEFECT_DOJO_APIV2_KEY=<your-api-key>

Scanning with vet

Now you can scan a project and send results to DefectDojo:
vet scan --github https://github.com/safedep/demo-client-python \
  --filter-suite /path/to/your/policy-suite.yml \
  --report-defect-dojo \
  --defect-dojo-host-url http://localhost:8080/ \
  --defect-dojo-product-id <your-product-id>

What Happens During Integration

  • Engagement Creation: vet creates a new engagement in DefectDojo for each scan
  • Policy Violations: policy violations are reported as findings in DefectDojo
  • Centralized Tracking: all security findings are tracked in DefectDojo’s dashboard
  • Workflow Integration: leverage DefectDojo’s workflow for vulnerability management

Currently, vet reports only policy violations to DefectDojo. Support for reporting vulnerabilities and malicious package information is planned in GitHub issue #430.

Advanced Configuration

Custom Policy Suites

Create comprehensive policy suites for DefectDojo integration:
# defectdojo-policy.yml
name: DefectDojo Security Policy
description: Comprehensive policy for DefectDojo integration
filters:
  - name: critical-vulnerabilities
    value: |
      vulns.critical.size() > 0
      
  - name: high-risk-packages
    value: |
      vulns.high.size() > 3
      
  - name: license-violations
    value: |
      !licenses.exists(p, p in ["MIT", "Apache-2.0", "BSD-3-Clause"])
      
  - name: unmaintained-packages
    value: |
      scorecard.scores.Maintained < 5

CI/CD Integration

Report every push and pull request to DefectDojo from GitHub Actions. vet is not preinstalled on GitHub-hosted runners, so install it before the scan step; the workflow below uses go install, which assumes a Go toolchain on the runner (see the quickstart guide for other installation options). The API key is passed only through the environment, never on the command line:

# .github/workflows/security-scan.yml
name: Security Scan to DefectDojo
on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # vet must be present on the runner before the scan step runs
      - uses: actions/setup-go@v5
        with:
          go-version: stable

      - name: Install vet
        run: go install github.com/safedep/vet@latest

      - name: Run vet security scan
        run: |
          vet scan -D . \
            --filter-suite .github/security-policy.yml \
            --report-defect-dojo \
            --defect-dojo-host-url ${{ secrets.DEFECT_DOJO_URL }} \
            --defect-dojo-product-id ${{ secrets.DEFECT_DOJO_PRODUCT_ID }}
        env:
          DEFECT_DOJO_APIV2_KEY: ${{ secrets.DEFECT_DOJO_API_KEY }}

Multiple Projects

For organizations with multiple projects, create separate products in DefectDojo:
# Project A
vet scan -D ./project-a \
  --report-defect-dojo \
  --defect-dojo-product-id 1

# Project B
vet scan -D ./project-b \
  --report-defect-dojo \
  --defect-dojo-product-id 2

DefectDojo Workflow Benefits

Centralized Dashboard

  • Unified View: See security findings across all projects
  • Trend Analysis: Track security improvements over time
  • Risk Prioritization: Focus on critical issues first

Team Collaboration

  • Assignment: Assign findings to team members
  • Status Tracking: Track remediation progress
  • Comments: Add context and discussion to findings

Reporting

  • Executive Reports: Generate high-level security reports
  • Compliance: Track compliance with security policies
  • Metrics: Monitor key security metrics and KPIs

Best Practices

Create separate DefectDojo products for:
  • Different applications or microservices
  • Different environments (dev, staging, prod)
  • Different teams or business units

Design policies that provide actionable findings:
  • Focus on fixable issues
  • Set appropriate severity levels
  • Include context in policy descriptions

Integrate vet scans into your development workflow:
  • Run scans on every commit
  • Include security gates in deployment pipelines
  • Automate policy updates across projects

Troubleshooting

If authentication fails:
  • Verify the API key is correctly set in the environment
  • Check that the API key has sufficient permissions
  • Ensure the DefectDojo URL is accessible from your environment

If the product ID is invalid:
  • Verify the product exists in DefectDojo
  • Check that you have access to the specified product
  • Ensure the product ID is numeric, not the product name

If no findings appear in DefectDojo:
  • Confirm that policy violations exist in your scan
  • Check the vet scan output for errors
  • Verify the DefectDojo integration is properly configured
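The checks in this troubleshooting list can be run against the DefectDojo v2 REST API before and after a scan. The script below is an added example, not part of vet or DefectDojo; it assumes token authentication (Authorization: Token <key>), the products/, engagements/ and findings/ endpoints with the product and test__engagement list filters, and takes the same host URL and product ID you pass to vet.

```python
import json
import urllib.error
import urllib.request

def dd_get(host_url, api_key, path, query=""):
    """GET <host>/api/v2/<path>?<query> with DefectDojo token auth.
    Returns (http_status, json_body); HTTP and network errors become a status
    instead of an exception so callers can branch on them (0 = unreachable)."""
    url = host_url.rstrip("/") + "/api/v2/" + path + ("?" + query if query else "")
    req = urllib.request.Request(url, headers={"Authorization": f"Token {api_key}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:      # must precede URLError (its superclass)
        return e.code, {}
    except urllib.error.URLError as e:
        return 0, {"error": str(e.reason)}

def check_product(host_url, api_key, product_id, get=dd_get):
    """Pre-flight for the product ID and API key vet will use; returns (ok, message)."""
    if not str(product_id).isdigit():        # the flag wants the numeric ID, not the name
        return False, "product ID must be numeric, not the product name"
    status, body = get(host_url, api_key, f"products/{product_id}/")
    if status == 0:
        return False, f"DefectDojo host unreachable: {body.get('error')}"
    if status in (401, 403):
        return False, "authentication failed: check DEFECT_DOJO_APIV2_KEY and its permissions"
    if status == 404:
        return False, f"product {product_id} not found or not accessible with this key"
    if status != 200:
        return False, f"unexpected HTTP {status} from DefectDojo"
    return True, f"product {product_id} is '{body.get('name')}'"

def latest_engagement_findings(host_url, api_key, product_id, get=dd_get):
    """(engagement_id, finding_count) for the newest engagement of the product, or
    (None, 0) if none exists. vet creates one engagement per scan, so a count of 0
    on a fresh engagement means the scan ran but produced no policy violations."""
    status, body = get(host_url, api_key, "engagements/", f"product={product_id}&limit=100")
    if status != 200 or not body.get("results"):
        return None, 0
    newest = max(body["results"], key=lambda e: e["id"])   # highest id = most recent
    status, found = get(host_url, api_key, "findings/", f"test__engagement={newest['id']}&limit=1")
    return newest["id"], (found.get("count", 0) if status == 200 else 0)

if __name__ == "__main__":                   # usage: script.py http://localhost:8080/ <product-id>
    import os, sys
    host, pid, key = sys.argv[1], sys.argv[2], os.environ["DEFECT_DOJO_APIV2_KEY"]
    print(check_product(host, key, pid)[1], latest_engagement_findings(host, key, pid))
```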