vet supports integration with DefectDojo to track and manage vulnerabilities. You can export vulnerabilities, policy violations, and other findings to DefectDojo. Each scan is reported as a new engagement in DefectDojo.

Prerequisites

  • Docker & Docker Compose: required for running DefectDojo locally
  • DefectDojo Instance: either a local or cloud-hosted DefectDojo installation
  • vet CLI: install vet following the quickstart guide
  • API Access: a DefectDojo API key for authentication

If you don’t have vet installed yet, follow the quickstart guide to get started.

Quick Setup with Docker

For this example, we’ll set up a DefectDojo instance using Docker Compose and scan the demo-client-python repository.

Setup DefectDojo

1. Clone DefectDojo

Download the DefectDojo repository:
git clone https://github.com/DefectDojo/django-DefectDojo.git --depth 1
cd django-DefectDojo

2. Start Services

Launch DefectDojo with Docker Compose:
docker compose up -d
This will take a while as it builds images and downloads dependencies.

3. Get Admin Password

Retrieve the admin password from the logs:
docker compose logs initializer | grep "Admin password:"
The initializer container runs migrations and creates initial data, which may take several minutes.

4. Access DefectDojo

Navigate to http://localhost:8080 and log in with:
  • Username: admin
  • Password: (from previous step)
(Screenshot: DefectDojo login)

Configure Your Project

1. Create Product

Create a new product called demo-client-python and note the product ID.
(Screenshots: DefectDojo Add Product, DefectDojo Product ID)

2. Generate API Key

Navigate to http://localhost:8080/api/key-v2 to generate an API key for vet integration.

3. Set Environment Variable

Configure the API key for vet usage:
export DEFECT_DOJO_APIV2_KEY=<your-api-key>

Scanning with vet

Now you can scan a project and send results to DefectDojo:
vet scan --github https://github.com/safedep/demo-client-python \
  --filter-suite /path/to/your/policy-suite.yml \
  --report-defect-dojo \
  --defect-dojo-host-url http://localhost:8080/ \
  --defect-dojo-product-id <your-product-id>

What Happens During Integration

  • Engagement Creation: vet creates a new engagement in DefectDojo for each scan
  • Policy Violations: policy violations are reported as findings in DefectDojo
  • Centralized Tracking: all security findings are tracked in DefectDojo’s dashboard
  • Workflow Integration: leverage DefectDojo’s workflow for vulnerability management

Currently, vet reports only policy violations to DefectDojo. Support for reporting vulnerabilities and malicious package information is planned in GitHub issue #430.

Advanced Configuration

Custom Policy Suites

Create comprehensive policy suites for DefectDojo integration:
# defectdojo-policy.yml
name: DefectDojo Security Policy
description: Comprehensive policy for DefectDojo integration
filters:
  - name: critical-vulnerabilities
    value: |
      vulns.critical.size() > 0

  - name: high-risk-packages
    value: |
      vulns.high.size() > 3

  - name: license-violations
    value: |
      !licenses.exists(p, p in ["MIT", "Apache-2.0", "BSD-3-Clause"])

  - name: unmaintained-packages
    value: |
      scorecard.scores.Maintained < 5

CI/CD Integration

name: Security Scan to DefectDojo
on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run vet security scan
        run: |
          vet scan -D . \
            --filter-suite .github/security-policy.yml \
            --report-defect-dojo \
            --defect-dojo-host-url ${{ secrets.DEFECT_DOJO_URL }} \
            --defect-dojo-product-id ${{ secrets.DEFECT_DOJO_PRODUCT_ID }}
        env:
          DEFECT_DOJO_APIV2_KEY: ${{ secrets.DEFECT_DOJO_API_KEY }}

Multiple Projects

For organizations with multiple projects, create separate products in DefectDojo:
# Project A
vet scan -D ./project-a \
  --report-defect-dojo \
  --defect-dojo-product-id 1

# Project B
vet scan -D ./project-b \
  --report-defect-dojo \
  --defect-dojo-product-id 2
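The two invocations above, and the single-project scan in "Scanning with vet", are the pieces a practitioner usually wraps in one script: check that DEFECT_DOJO_APIV2_KEY is set before spending time on a scan, reject a mistyped product ID up front, keep the host URL in one canonical form, and then run vet once per project. The script below is an added example, not part of vet's documentation or the vet project. It assumes the vet CLI is on PATH, the API key is exported as DEFECT_DOJO_APIV2_KEY as described above, and a constructed project-to-product mapping (PROJECT_MAP) that you would replace with your own. The optional list_engagements helper assumes DefectDojo's REST API v2 (token auth and the engagements endpoint filtered by product); it is a post-scan check, not something vet needs.

```shell
#!/bin/sh
# Added example: wrapper around `vet scan --report-defect-dojo` that fails
# early on bad configuration and fans out over several projects, each mapped
# to its own DefectDojo product. Not vet's own code.

# Constructed mapping, one "<directory> <product-id>" pair per line.
PROJECT_MAP='./project-a 1
./project-b 2'

# Strip trailing slashes so the host is logged and passed in one form
# (the docs use http://localhost:8080/; vet accepts that form as written).
normalize_host_url() {
  printf '%s\n' "$1" | sed 's#/*$##'
}

# A DefectDojo product ID is a positive integer; anything else is a typo.
is_product_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# vet reads the key from the environment; without it the failure would only
# show up as an HTTP error after the scan has already run.
require_api_key() {
  if [ -z "${DEFECT_DOJO_APIV2_KEY:-}" ]; then
    echo "DEFECT_DOJO_APIV2_KEY is not set" >&2
    return 1
  fi
  return 0
}

# Print the exact vet command line for one project so it can be reviewed
# or logged before it is executed.
build_scan_cmd() {
  dir=$1; product_id=$2; host=$3; suite=$4
  is_product_id "$product_id" || { echo "bad product id: $product_id" >&2; return 1; }
  printf 'vet scan -D %s --filter-suite %s --report-defect-dojo --defect-dojo-host-url %s --defect-dojo-product-id %s\n' \
    "$dir" "$suite" "$(normalize_host_url "$host")" "$product_id"
}

# Scan every mapped project; stop at the first failure so a broken
# product ID or a failed upload is noticed rather than skipped.
scan_all() {
  host=$1; suite=$2
  require_api_key || return 1
  printf '%s\n' "$PROJECT_MAP" | while read -r dir product_id; do
    [ -n "$dir" ] || continue
    cmd=$(build_scan_cmd "$dir" "$product_id" "$host" "$suite") || exit 1
    echo "+ $cmd"
    vet scan -D "$dir" --filter-suite "$suite" --report-defect-dojo \
      --defect-dojo-host-url "$(normalize_host_url "$host")" \
      --defect-dojo-product-id "$product_id" || exit 1
  done
}

# Optional post-scan check (assumed DefectDojo API v2, not a vet feature):
# list the engagements DefectDojo now holds for a product, so a scan that
# ran but never reached DefectDojo does not go unnoticed.
list_engagements() {
  host=$(normalize_host_url "$1"); product_id=$2
  curl -sSf -H "Authorization: Token $DEFECT_DOJO_APIV2_KEY" \
    "$host/api/v2/engagements/?product=$product_id"
}

# Usage: ./vet-dd.sh run http://localhost:8080/ ./security-policy.yml
if [ "${1:-}" = "run" ]; then
  scan_all "$2" "$3"
fi
```

Because every check lives in its own function, the same file can be sourced from a CI step that only wants require_api_key and build_scan_cmd, while the run entry point drives the full fan-out locally.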

DefectDojo Workflow Benefits

Centralized Dashboard

  • Unified View: See security findings across all projects
  • Trend Analysis: Track security improvements over time
  • Risk Prioritization: Focus on critical issues first

Team Collaboration

  • Assignment: Assign findings to team members
  • Status Tracking: Track remediation progress
  • Comments: Add context and discussion to findings

Reporting

  • Executive Reports: Generate high-level security reports
  • Compliance: Track compliance with security policies
  • Metrics: Monitor key security metrics and KPIs

Best Practices

Troubleshooting