DevSecOps Integration with DefectDojo and GitHub Actions

nitesh rijal

DevSecOps with DefectDojo and Github Actions with BEARER CLI, BANDIT CLI and SNYK Test

6 min read · May 6, 2025
Hi, everyone! Today I am going to write about building a DevSecOps pipeline that integrates DefectDojo with GitHub Actions.

Agenda

Let’s discuss our agenda, what we are going to cover today. I am also quite a learner myself, but I will try my best to make it understandable.
Know about DefectDojo and GitHub Actions
Install DefectDojo on a server or local machine
Install a custom (self-hosted) Actions runner on a server or local machine and integrate it with DefectDojo
Install different tools for scanning the code and publish the reports to DefectDojo
Analyze the issues in the code and application server using ZAP, Bandit CLI, Bearer CLI and Snyk
Customize DefectDojo to remove duplicate issues and mark false positives
So, let’s think: what is DefectDojo?
Well, DefectDojo is an open-source vulnerability management platform used for orchestrating security testing, tracking vulnerabilities, and managing the lifecycle of security issues. It centralizes and organizes information about vulnerabilities, facilitating detection, prioritization, remediation, and continuous monitoring of security risks. For more information please refer to https://defectdojo.com/
And let’s also think about GitHub Actions. Well, it’s a CI/CD pipeline, right? It focuses on building, testing and deploying our applications. For more information please refer to https://docs.github.com/en/actions/about-github-actions/understanding-github-actions

Requirements

A computer/PC/laptop (because without a computer you can’t)
Docker and docker compose installed
Python installed
Git installed

Installing Defectdojo

Well, installing DefectDojo is straightforward. Please follow this guide https://github.com/DefectDojo/django-DefectDojo/blob/master/README.md or copy and paste the following commands one by one:

```bash
# Clone the project
git clone https://github.com/DefectDojo/django-DefectDojo
cd django-DefectDojo

# Check if your installed toolkit is compatible
./docker/docker-compose-check.sh

# Building Docker images
docker compose build

# Run the application (for other profiles besides postgres-redis see
# https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/DOCKER.md)
docker compose up -d

# Obtain admin credentials. The initializer can take up to 3 minutes to run.
# Use docker compose logs -f initializer to track its progress.
docker compose logs initializer | grep "Admin password:"
```

Now that you have your admin password, open your favourite browser, go to http://localhost:8080 and log in with admin as the username and the password displayed by this command:

```bash
docker compose logs initializer | grep "Admin password:"
```
Boom! Now you are one step ahead toward being a security analyst as well as a DevOps engineer.

Installing custom runner for your github actions

Let’s create a fresh repository. I think that, as a DevOps engineer, I don’t need to give a tutorial on how to create a GitHub repository; if I do, then bro, you are in the wrong zone, learn the ABCD of DevOps first. BTW, we can also utilize an existing repo, just be sure you have permission to change the repository settings. Head over to the repository Settings, under Code and Automation click on Actions, then click on Runners, click on New self-hosted runner and copy the commands according to your system. Once it’s running we are one step ahead.
Okay, now let’s set up secrets for DefectDojo: we will store the DefectDojo URL and API key as the secrets DEFECTOJO_URL and DEFECTOJO_TOKEN (these are the names the pipeline commands in this post reference). For that, head over to your repository Settings and under the Security section click on Secrets and variables, then click on Actions and click on New repository secret. Give it the name DEFECTOJO_URL and paste your DefectDojo URL as the value; then create another secret named DEFECTOJO_TOKEN and paste the token from DefectDojo, which you can find by heading over to the DefectDojo dashboard, clicking on the profile icon and clicking on API v2 Key.
Now we just need to create a GitHub Actions pipeline, and we will leverage this repository for our test: https://github.com/juice-shop/juice-shop
Let’s create a pipeline script and also a Python script so that we can upload the test reports and evaluate the vulnerabilities. For the pipeline I have set thresholds: if any Critical finding is found the pipeline will not pass, likewise if 2 High findings are found, and likewise 10 for Medium. These thresholds can be tweaked in the script. Here I have added Snyk, Bandit and Bearer CLI for my code scanning; we can add any of the scan types that DefectDojo supports.
Create a file called upload_to_defectdojo.py; here’s the link to the file: https://github.com/neetesshhr/defectdojo-actions/blob/main/upload_to_defectdojo.py
This Python file uses the /api/v2/import-scan/ endpoint and takes arguments for the API key, DefectDojo URL, engagement ID, report file and scan type in order to import (upload) a scan report. Let’s see what the arguments are and why we need them:
1. API key: the API token of DefectDojo (we need it for authorization)
2. DefectDojo URL: the URL of your DefectDojo instance
3. Engagement ID: engagements represent groups of related testing efforts, like security assessments or vulnerability scans, on a specific product or application.

How to create Engagements?

Open your DefectDojo dashboard; in the left pane you can see Products as the second option. Click on Products and create a new product by clicking on the gear icon, fill in the required details and click Submit. After you have created the product, click on it, and under the product menu items click on Engagements. Then click on Add New Interactive Engagement (or either option, as long as it begins with Add, so that we are creating a new engagement).
After filling in the required details click Done, then click on the engagement you just created. If you look at the URL closely you can find the engagement ID; the URL usually looks like http://localhost:8080/engagement/1, and if the last digit is 1 then your engagement ID is 1.
4. Report file: the scan report file from the respective test tool
5. Scan type: the type of scan that produced the report file, e.g. Bearer CLI, Snyk, etc.
So we are going to use it with a command like the following:
python upload_to_defectdojo.py --file snyk_report.sarif --engagement 3 --scan-type "SARIF" --host ${{ secrets.DEFECTOJO_URL }} --api-key ${{ secrets.DEFECTOJO_TOKEN }}
Now we will also create a new file called evalution.py that will evaluate the findings and tell the pipeline whether to pass or fail. It uses the /api/v2/findings/ API endpoint; we get it going by supplying the API key and host URL as arguments, along with the product ID.
So basically we are going to run it like this:
python evalution.py --url ${{ secrets.DEFECTOJO_URL }} --api-key ${{ secrets.DEFECTOJO_TOKEN }} --product 1
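The threshold gate described above (any Critical, 2 High or 10 Medium findings fail the build), as an added example that is not the author’s evalution.py. It assumes the /api/v2/findings/ response shape, the severity strings and the active/duplicate/false_p filter names noted in the docstring; the sample findings are constructed.

```python
"""Threshold gate over DefectDojo findings (added example, not the post's evalution.py).
Assumed, not from the post: /api/v2/findings/ is paginated as {"count","next","results"}, each
result carries "severity" (Critical/High/Medium/Low/Info) and active/duplicate/false_p flags."""
import json, urllib.parse, urllib.request
from collections import Counter

# Gate from the post: 1 Critical, 2 High or 10 Medium open findings fail the build.
FAIL_AT = {"Critical": 1, "High": 2, "Medium": 10}

def count_by_severity(findings):
    """Count open findings per severity, honouring DefectDojo's triage flags."""
    counts = Counter()
    for f in findings:
        # duplicates, false positives and closed findings do not count against the gate
        if f.get("duplicate") or f.get("false_p") or not f.get("active", True):
            continue
        counts[f.get("severity", "Info")] += 1
    return counts

def evaluate(findings, fail_at=FAIL_AT):
    """Return (passed, reasons); reasons lists every severity that reached its limit."""
    counts = count_by_severity(findings)
    reasons = [f"{sev}: {counts[sev]} >= {limit}"
               for sev, limit in fail_at.items() if counts[sev] >= limit]
    return not reasons, reasons

def fetch_findings(host, api_key, product_id, timeout=30):
    """Fetch a product's open findings (filter names assumed), following "next" links."""
    params = {"product": product_id, "active": "true", "duplicate": "false", "false_p": "false", "limit": 100}
    url = f"{host.rstrip('/')}/api/v2/findings/?{urllib.parse.urlencode(params)}"
    results = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Token {api_key}"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            page = json.load(resp)
        results.extend(page.get("results", []))
        url = page.get("next")
    return results

# Constructed sample shaped like the "results" of one findings page (not real scanner output).
SAMPLE_FINDINGS = [
    {"id": 1, "severity": "High", "active": True, "duplicate": False, "false_p": False},
    {"id": 2, "severity": "High", "active": True, "duplicate": True, "false_p": False},
    {"id": 3, "severity": "Medium", "active": True, "duplicate": False, "false_p": True},
    {"id": 4, "severity": "Critical", "active": False, "duplicate": False, "false_p": False},
]

if __name__ == "__main__":  # in the pipeline: evaluate(fetch_findings(url, token, product))
    ok, why = evaluate(SAMPLE_FINDINGS)
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the GitHub Actions step
```

Because duplicates, false positives and inactive findings are skipped, the deduplication and false-positive settings described later in this post directly change whether the gate passes.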
Now I am scanning with different tools. Since my main focus in this tutorial is how we can use DefectDojo in our environments, please refer to the respective tutorials for installing the tools.
Create a test.yaml file that will use these files, push the reports to DefectDojo and evaluate them. Here’s the link to the file: https://github.com/neetesshhr/defectdojo-actions/blob/main/.github/workflows/test.yaml
This pipeline runs on the custom runner; replace the runs-on: value according to yours.

How to mark any CVE as a false positive?

Go to the DefectDojo dashboard, click on View Finding Details, then click on the three-dot icon on any of the findings and click Edit. Scroll down, find False Positive and tick the check box; you can also uncheck the Active option. Then click Finished. There are other ways to mark a finding as a false positive too, please explore those options.

Enable deduplication

Go to Configuration and then click on System Settings. Under the System Settings section enable Deduplicate findings and Delete duplicates, and set Max Duplicates to the desired value (I have set 2 for now). Scroll down and hit Submit.
Well, we have come to the end. I know we have missed a lot of things here, but it’s your time to explore these and get experienced.
Well, if you need any help, comment below or DM me on LinkedIn.
Thank you!!


Posted Jul 28, 2025

Integrated DefectDojo with GitHub Actions for security testing.