Using DefectDoJo to improve security posture
Category: security
Modified: Fri, 2025-Dec-12
Introduction
Recently, I evaluated a security product called DefectDojo. I want to use open source tools that consolidate the security findings from my CI/CD pipelines and container scans in a central location. Why DefectDojo? GitLab supports security reports if they are created in the GitLab SARIF format, but that requires a GitLab instance on the Ultimate tier.
Scanning Terraform code
I have a Git repository that uses GitLab CI/CD. The repository contains Terraform code, and Terraform is executed in the GitLab CI/CD pipeline. So I added some open source tools to the pipeline that look for problems in the Terraform code, for example credentials stored in plaintext, or IaC code that does not follow best practice. After the pipeline runs, the vulnerability reports are sent to DefectDojo.
DefectDojo has a built-in dashboard.
DefectDojo supports several file formats:
- GitHub
- GitLab
- SARIF (Static Analysis Results Interchange Format), the standard format for the output of static analysis tools
- AWS Security Hub Scan
- Checkov
- Trivy
- and others
Let us look at some examples below.
Scanning result of the Terraform code for AWS RDS (PostgreSQL)
Here is the Terraform code for creating an AWS RDS database.
There are several problems:
- A plaintext password is specified in the Terraform code, at line 7. For remediation, one may use AWS Secrets Manager to store the postgres master user credential, or use SOPS to encrypt the initial master credential.
  - Gitleaks reports that there are plaintext credentials
  - KICS reports that there are plaintext credentials
- Backup is not enabled
  - KICS reports that backup is not enabled
  - Terrascan reports that backup is not enabled
- Encryption is not enabled
  - Trivy reports that encryption at rest is not enabled
  - KICS reports that encryption at rest is not enabled
Several tools were able to catch the problems. In this case, KICS catches all three. Gitleaks is specific to scanning for credentials; it knows nothing about code written in Terraform. Trivy is able to find the encryption problem. I would suggest using multiple tools for security scanning. As for Terrascan, as of 2025 Nov 21 its GitHub repository was in an archived state.
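As an added example (not the post's own Terraform, which is not reproduced here), the three findings above expressed in a deliberately weak aws_db_instance, followed by a hardened form that applies the remediations discussed; the resource names, instance size and the KMS key are assumptions:

```hcl
# Added example, not the post's code. Names, sizes and the KMS key are assumed.

# --- Weak configuration: what KICS, Gitleaks, Trivy and Terrascan flag ---
resource "aws_db_instance" "weak" {
  identifier        = "example-postgres-weak"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  username          = "postgres"
  password          = "PLACEHOLDER-plaintext-password" # finding 1: credential committed to the repo
  backup_retention_period = 0                          # finding 2: automated backups disabled
  storage_encrypted       = false                      # finding 3: no encryption at rest
  skip_final_snapshot     = true
}

# --- Hardened configuration ---
resource "aws_kms_key" "rds" {
  description         = "Customer-managed key for RDS encryption at rest"
  enable_key_rotation = true
}

resource "aws_db_instance" "hardened" {
  identifier        = "example-postgres"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  username          = "postgres"

  # Finding 1: let RDS generate the master password and keep it in
  # AWS Secrets Manager; no credential appears in the repository.
  # (Replaces the password argument; the two are mutually exclusive.)
  manage_master_user_password = true

  # Finding 2: retain automated backups (value is in days)
  backup_retention_period = 7

  # Finding 3: encrypt storage with the customer-managed KMS key above
  storage_encrypted = true
  kms_key_id        = aws_kms_key.rds.arn

  # Keep a final snapshot and protect against accidental deletion
  skip_final_snapshot       = false
  final_snapshot_identifier = "example-postgres-final"
  deletion_protection       = true
}
```

Scanning both resources with the same tools shows the findings on "weak" and none of the three on "hardened", which is a quick way to confirm a remediation before it reaches the pipeline.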
In the GitLab CI/CD pipeline, the results of the security scanning were sent to DefectDojo over curl/webhook. The reports above are extracted from DefectDojo.
Scanning result of the Terraform code for Grafana
Here is the Terraform code for managing users in Grafana.
- KICS is able to detect that plaintext credentials are present in the Terraform code at line 4 and line 18.
- Gitleaks is also able to find the plaintext credentials in the Terraform code.
About DefectDojo
The picture above is one of the vulnerability listings. Besides storing the reports from security scanning of IaC, DefectDojo also supports storing security scanning reports for program code and containers. As long as the report's output format is supported by DefectDojo, it can be imported.
I have only scratched the surface of DefectDojo; it has many more features. Refer to the official DefectDojo documentation for details.