DefectDojo is a DevSecOps, ASPM (application security posture management), and vulnerability management tool.
DefectDojo can be installed using several methods, including Docker Compose, Kubernetes, SaaS, or package installation. Below are the steps for the most common installation methods:
- Docker version 19.03.0+ and Docker Compose 1.28.0+.
- A system with at least 2 vCPUs, 8GB RAM, and 2GB disk space.
```sh
# Clone the project
git clone https://github.com/DefectDojo/django-DefectDojo
cd django-DefectDojo

# Check if your installed toolkit is compatible
./docker/docker-compose-check.sh

# Build the Docker images
docker compose build

# Run the application (for other profiles besides postgres-redis see
# https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/DOCKER.md)
docker compose up -d

# Obtain admin credentials. The initializer can take up to 3 minutes to run.
# Use docker compose logs -f initializer to track its progress.
docker compose logs initializer | grep "Admin password:"
```
```sh
# On the internet-connected system, download the repo:
git clone https://github.com/DefectDojo/django-DefectDojo.git
cd django-DefectDojo
docker compose build

# Add tags to the postgres and redis images, because these images do not have any tag
docker images
docker tag <postgres_image_id> postgres:latest
docker tag <redis_image_id> redis:latest

# Save the Docker images
docker save -o defectdojo.tar defectdojo/defectdojo-django
docker save -o nginx.tar defectdojo/defectdojo-nginx
docker save -o postgres.tar postgres
docker save -o redis.tar redis

# Install on the offline machine
docker load -i defectdojo.tar
docker load -i nginx.tar
docker load -i postgres.tar
docker load -i redis.tar
```
```
notepad docker-compose.yml
```

```yaml
# ...
version: '3'
services:
  defectdojo:
    image: defectdojo/defectdojo-django:latest # Ensure this matches your local image name
    ports:
      - "8080:8080"
# ...
# We should change the redis and postgres images to the new local names:
image: postgres:latest
image: redis:latest
```
```
# Create the containers and run the app
docker compose up -d

# Find the password for user: admin
docker compose logs initializer | find "Admin password:"
```

Access DefectDojo: http://localhost:8080/
We can use the DefectDojo benchmark for checking ASVS.

Demo instance: https://demo.defectdojo.org/dashboard
Username: admin
Password: 1Defectdojo@demo#appsec
- If you install DefectDojo on Windows, it is better to install Docker Desktop + WSL v2.
- If you install DefectDojo on a VMware system, it is better to use Docker Desktop + Hyper-V.
- We get a wsl.exe --update error in offline mode on Windows in VMware; we should use Hyper-V instead.
- We use "find" instead of "grep" on Windows.
- We use "notepad" instead of "vim" for editing files on Windows.
- The redis and postgres images do not have any tags, so after export and "load" on the new machine they are not detected, and docker compose tries to download these images from the net. We should add tags to prevent this issue.
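
The last note describes docker compose reaching for the network when a loaded image has no matching tag. The pre-flight check below is an added example, not part of the original page or the DefectDojo project. The function names and sample listings are constructed, and it assumes the compose file references images by plain name:tag.

```shell
# Added example: report images a compose project needs that are not in the
# local image store, i.e. the ones `docker compose up` would try to pull.

# normalize_ref REF: append ":latest" when REF carries no tag. Only the last
# path component is inspected, so a registry port (host:5000/img) is not a tag.
normalize_ref() {
    case "${1##*/}" in
        *:*) printf '%s\n' "$1" ;;
        *)   printf '%s:latest\n' "$1" ;;
    esac
}

# missing_images NEEDED PRESENT: both arguments are newline-separated lists of
# image references. Prints every needed reference with no exact local match.
missing_images() {
    mi_present=$2
    printf '%s\n' "$1" | while IFS= read -r mi_ref; do
        [ -n "$mi_ref" ] || continue
        mi_want=$(normalize_ref "$mi_ref")
        printf '%s\n' "$mi_present" | grep -Fxq -- "$mi_want" ||
            printf '%s\n' "$mi_want"
    done
}

# preflight: the same check against the real project; run it in the directory
# holding docker-compose.yml. Returns 0 only when nothing would be pulled.
preflight() {
    pf_needed=$(docker compose config --images) || return 2
    pf_present=$(docker image ls --format '{{.Repository}}:{{.Tag}}') || return 2
    pf_missing=$(missing_images "$pf_needed" "$pf_present")
    [ -z "$pf_missing" ] && return 0
    printf '%s\n' "$pf_missing" | sed 's/^/not available locally: /' >&2
    return 1
}

# Constructed sample: images named in the edited compose file ...
SAMPLE_NEEDED='defectdojo/defectdojo-django:latest
defectdojo/defectdojo-nginx:latest
postgres:latest
redis:latest'
# ... and a constructed local listing where postgres and redis carry no tag.
SAMPLE_PRESENT='defectdojo/defectdojo-django:latest
defectdojo/defectdojo-nginx:latest
postgres:<none>
redis:<none>'

if [ "${1:-}" = "--live" ]; then preflight; else
    missing_images "$SAMPLE_NEEDED" "$SAMPLE_PRESENT"
fi
```

Run it with `--live` on the offline machine before `docker compose up -d`; a non-zero exit means at least one image still needs a tag or a `docker load`.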