DefectDojo Vulnerability Tracking
Trivy Docker image scan results are automatically imported into DefectDojo after every main-branch build. This page covers the product structure, engagement naming, import API, and authentication.
DefectDojo is the central store for container vulnerability data across all CWIQ services. It tracks CVE findings over time, allowing you to see when new vulnerabilities are introduced and when existing ones are resolved.
Browser access: https://defectdojo.shared.cwiq.io (via Tailscale HTTPS)
CI/CD API endpoint: http://defectdojo.shared.cwiq.io:8080 (VPC private IP, HTTP — used by pipeline jobs only)
Product Structure
Each CWIQ service maps to a dedicated DefectDojo product. The defectdojo-import CI job creates the product automatically on first import if it does not already exist (auto_create_context: true).
| Product | Maps To |
|---|---|
| orchestrator-server | Platform backend (FastAPI) |
| orchestrator-ui | Platform frontend (React) |
| orchestrator-agent | Task execution runner |
| orchestrator-mcp | MCP tool integration server |
| orchestrator-cli | Workflow management CLI |
| orchestrator-executor | Sandboxed executor |
Engagement Naming
Each pipeline run creates a separate engagement within its product. Engagement names follow the convention `CI-{branch}-{pipeline_id}`, where `branch` is the source branch and `pipeline_id` is the ID of the pipeline run.
For example: `CI-main-1234`
This naming makes it straightforward to trace a set of findings back to the exact pipeline run and commit that produced them.
Import API
The defectdojo-import job calls the DefectDojo REST API after a successful Trivy image scan:
Endpoint: `POST /api/v2/import-scan/`
| Field | Value | Purpose |
|---|---|---|
| scan_type | Trivy Scan | Selects the correct DefectDojo parser for Trivy's JSON output |
| product_name | orchestrator-{project} | Identifies the product; created automatically if absent |
| engagement_name | CI-{branch}-{pipeline_id} | Links the import to a specific pipeline run |
| auto_create_context | true | Creates the product and engagement automatically if they do not exist |
| branch_tag | ${CI_COMMIT_BRANCH} | Records the source branch on the engagement |
| commit_hash | ${CI_COMMIT_SHORT_SHA} | Records the exact commit on the engagement |
Authentication
The defectdojo-import job authenticates using Vault JWT auth. No DefectDojo credentials are stored in GitLab CI/CD variables.
The flow is:
- The CI job uses GitLab's `CI_JOB_JWT_V2` token to authenticate with Vault under the `nexus-ci` role.
- Vault returns a short-lived credential scoped to that role.
- The job fetches the DefectDojo API token from `secret/data/defectdojo/svc-orchestrator`.
- The token is passed as an `Authorization: Token <token>` header on the import API call.
See Vault JWT Auth for the general Vault JWT pattern used across all CI jobs.
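To make the import call and the authentication step above concrete, here is an added example (not the project's own `defectdojo-import` job) that assembles the `import-scan` request with the fields from the table, reads the API token out of a constructed Vault KV v2 response, and sends it with the `Authorization: Token` header. The Vault secret key name `api_token` and the `file` form field for the Trivy report are assumptions; the Vault response is a constructed sample.

```python
"""Assemble the import-scan request the defectdojo-import job sends (stdlib only)."""
import json
import urllib.request
DD_API = "http://defectdojo.shared.cwiq.io:8080"  # CI/CD endpoint named on this page
# Constructed sample of a Vault KV v2 read of secret/data/defectdojo/svc-orchestrator.
# KV v2 nests the secret under data.data; the key name "api_token" is an assumption.
SAMPLE_VAULT_RESPONSE = json.dumps(
    {"data": {"data": {"api_token": "dd-token-placeholder"}, "metadata": {"version": 3}}}
)
def engagement_name(branch: str, pipeline_id: str) -> str:
    """Engagement naming convention: CI-{branch}-{pipeline_id}."""
    return f"CI-{branch}-{pipeline_id}"

def import_scan_fields(project: str, branch: str, pipeline_id: str, commit_sha: str) -> dict:
    """Form fields for POST /api/v2/import-scan/, with the values from the table above."""
    return {
        "scan_type": "Trivy Scan",
        "product_name": f"orchestrator-{project}",
        "engagement_name": engagement_name(branch, pipeline_id),
        "auto_create_context": "true",
        "branch_tag": branch,          # ${CI_COMMIT_BRANCH}
        "commit_hash": commit_sha,     # ${CI_COMMIT_SHORT_SHA}
    }
def dd_token_from_vault_kv(vault_response: str) -> str:
    """Pull the DefectDojo API token out of the Vault KV v2 response body."""
    return json.loads(vault_response)["data"]["data"]["api_token"]
def auth_headers(token: str) -> dict:
    """DefectDojo token auth header, exactly as the import call sends it."""
    return {"Authorization": f"Token {token}"}
def encode_multipart(fields: dict, report: bytes, boundary: str = "cwiqboundary"):
    """Encode the fields plus the Trivy JSON report as multipart/form-data.
    The report goes under the form field named "file" (assumed field name)."""
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'.encode()
             for k, v in fields.items()]
    parts.append((f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
                  f'filename="trivy.json"\r\nContent-Type: application/json\r\n\r\n').encode()
                 + report + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"

def post_import_scan(fields: dict, report: bytes, token: str) -> int:
    """Send the import and return the HTTP status code. Needs network access to DD_API."""
    body, content_type = encode_multipart(fields, report)
    req = urllib.request.Request(f"{DD_API}/api/v2/import-scan/", data=body, method="POST",
                                 headers={**auth_headers(token), "Content-Type": content_type})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

In the real job the token comes from Vault at runtime, so `post_import_scan(import_scan_fields(...), open("trivy.json", "rb").read(), dd_token_from_vault_kv(vault_body))` is the whole call.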
Viewing Results
- Open https://defectdojo.shared.cwiq.io
- Log in with your CWIQ SSO credentials via Authentik
- Navigate to Products in the left sidebar
- Select the product for your service (e.g., `orchestrator-server`)
- Open the most recent engagement (named `CI-main-{pipeline_id}`)
- View findings grouped by severity: Critical, High, Medium, Low, Informational
Findings are deduplicated across engagements. DefectDojo tracks when a vulnerability first appeared, when it was last seen, and when it was resolved.
Related Documentation
- Security Scanning Overview — Where DefectDojo fits in the pipeline
- Trivy — Produces the JSON artifact that DefectDojo imports
- Vault JWT Auth — Authentication pattern used by the import job