OpenSource Application Security Management

The leading application vulnerability management tool built for
DevOps and continuous security integration.

Get Started

Get Started

DefectDojo has a variety of installation options.

Built by Application Security Engineers

DefectDojo is an open source OWASP project.

Take DefectDojo for a spin and review the demo of DefectDojo and login with sample credentials.

  • DefectDojo is available on Github and has a setup script for easy installation.
  • A docker container with a pre-built version of DefectDojo is available.

Product Features

Vulnerability Management

DefectDojo supports 22+ scanner formats.

Jira Integration

DefectDojo has bi-directional Jira integration.

Manage Engagements

Manage your application security workflow by scheduling your engagements.


Track security tests and know exactly the state of your product security status.

CI/CD Automation and Tracking

Know exactly when new vulnerabilities are introduced in a build or remediated.

Tracking when a product is assessed is easily accomplished using DefectDojo's API to track security tests that are run on each build.

DefectDojo has the ability to track the build id, commit hash, branch or tag, orchestration server, source code repo and build server for every on demand security test.

Vulnerability Management Features

Various reports are available for tests, engagements and products. Products can be grouped into critical products to track products that are critical to your organization.

Similar findings can be easily merged into one finding to provide developers one finding instead of multiple findings.

Remediation and finding description templates can be created by CWE so that remediation advice is consistent across all reported findings. Build and customize remediation advice based on your companies requirements.

Set remediation timeframes based on the criticality of your findings and view the remainder of days to remediate.

Set thresholds for determining the grade of your product so that a scorecard of product health can be seen at a glance.

Track Vital Product Information

All text fields support markdown to allow customized detailed information on each product.

DefectDojo supports tracking source code language composition, technologies, regulations such as PCI and GDPR, criticality, lifecycle, origin, revenue, user records and platform to name a few.

Call To Action

Maintaining DefectDojo requires substantial time and effort. If you are interested in assisting with QA testing, documentation or fixing bugs then please review our Github page and issues to participate.

Additionally, as DefectDojo is an OWASP project financial contributions can be made through OWASP, specifiying the DefectDojo project.

Finally, corporations can sponsor code development and optionally have their logo on this page.

More Features

OWASP ASVS Benchmarks

Track your product proactively using OWASP's ASVS (Application Security Verification Standard Project) which provides developers with a list of requirements for secure development.


Network resources are defined as endpoints which can be tagged and each endpoint is automatically associated with any findings.

Rules Framework

A new beta feature which allows findings to be changed based on criteria. For example set a finding to verified based on the vulnerability type.

Credential Manager

Credentials can be stored for each engagement which makes it easy to retest as the credentials that are tested with can be traced to a finding.

Frequently Asked Questions

Core Contributors

Built by Application Security Engineers

Greg Anderson

Core Contributor

Aaron Weaver

Core Contributor

Matt Tesauro

Core Contributor

Past Core Contributors

Many thanks to Charles Neill and Jay Paz