
DefectDojo

DefectDojo is our vulnerability management platform. It aggregates security findings from automated scanners (Trivy, Semgrep) and tracks remediation.

URL: defectdojo.shared.cwiq.io
Login: SSO via Authentik

Accessing DefectDojo

  1. Open defectdojo.shared.cwiq.io (requires an active Tailscale connection; the host is not reachable from the public internet)
  2. Sign in via SSO

Key Concepts

Product: A software component being scanned (maps to a repository)
Engagement: A testing activity (e.g., a CI/CD pipeline scan)
Finding: A single vulnerability or security issue
Severity: Critical, High, Medium, Low, Informational

Products

Each CWIQ repository has a corresponding DefectDojo product:

orchestrator-server (Backend API): Trivy, filesystem + Docker image
orchestrator-ui (Frontend): Trivy, filesystem + Docker image
orchestrator-agent (Task agent): Trivy, filesystem + Docker image
orchestrator-mcp (MCP server): Trivy, filesystem + Docker image
orchestrator-cli (CLI tool): Trivy, filesystem only
orchestrator-executor (Sandbox executor): Trivy, filesystem only

Viewing Findings

  1. Click Findings in the sidebar
  2. Filter by:
    • Severity: Critical, High, Medium, Low
    • Status: Active, Verified, Mitigated, False Positive
    • Product: Select a specific repository
  3. Click a finding to see details: description, affected component, remediation guidance

Understanding Severity

Critical: Fix immediately; blocks deployment
High: Fix before the next release
Medium: Fix within the current release cycle
Low: Track for future remediation

CI/CD Integration

Trivy scans run automatically in every pipeline and upload their results to DefectDojo, where they appear as findings under the matching product and engagement. See Trivy + DefectDojo in CI/CD for details.
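To make the product/engagement mapping from Key Concepts and the severity policy above concrete, here is an added example (not CWIQ's own pipeline code) that reads a Trivy `--format json` report, tallies findings per severity, decides whether the Critical rule blocks the deployment, and builds the upload request for DefectDojo's scan-import endpoint. The report is a constructed sample with placeholder IDs (EXAMPLE-0001, EXAMPLE-0002) rather than real vulnerabilities; the endpoint path `/api/v2/import-scan/`, the `Trivy Scan` scan type and the form field names come from DefectDojo's REST API and are assumptions about the deployed version, as are the engagement name and the `DEFECTDOJO_API_KEY` environment variable.

```python
"""Gate a Trivy JSON report on the severity policy and prepare the DefectDojo
import. Added example; not part of the CWIQ pipeline."""
import json
import os
import urllib.request

# Policy from the severity table: only Critical blocks deployment.
BLOCKING_SEVERITIES = {"CRITICAL"}
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# Constructed Trivy `--format json` output (schema v2). IDs are placeholders,
# not real CVEs. The second result has no "Vulnerabilities" key, which Trivy
# emits for targets such as misconfiguration checks.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "orchestrator-server",
    "ArtifactType": "filesystem",
    "Results": [
        {"Target": "go.mod", "Class": "lang-pkgs", "Type": "gomod",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "example.com/lib",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
              "Severity": "CRITICAL"},
             {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "example.com/other",
              "InstalledVersion": "2.3.0", "FixedVersion": "",
              "Severity": "HIGH"}]},
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile"},
    ],
})


def count_by_severity(report_json: str) -> dict:
    """Tally vulnerabilities per severity; unknown labels go to UNKNOWN."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for result in json.loads(report_json).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            counts[sev if sev in counts else "UNKNOWN"] += 1
    return counts


def deployment_blocked(report_json: str) -> bool:
    """True when any finding is at a blocking severity (Critical)."""
    counts = count_by_severity(report_json)
    return any(counts[sev] > 0 for sev in BLOCKING_SEVERITIES)


def build_import_request(report_json: str, product: str, engagement: str,
                         base_url: str, api_token: str) -> urllib.request.Request:
    """Build the multipart POST for DefectDojo's /api/v2/import-scan/.
    product_name / engagement_name are the Product and Engagement concepts;
    auto_create_context creates the engagement on the first run (the product
    already exists, so no product_type_name is needed)."""
    boundary = "----trivy-import-boundary"
    fields = {
        "scan_type": "Trivy Scan",
        "product_name": product,
        "engagement_name": engagement,
        "auto_create_context": "true",
        "active": "true",
        "verified": "false",
        "close_old_findings": "true",  # findings absent from this scan become mitigated
        "minimum_severity": "Low",
    }
    parts = [f"--{boundary}\r\nContent-Disposition: form-data; name=\"{k}\"\r\n\r\n{v}\r\n"
             for k, v in fields.items()]
    parts.append(f"--{boundary}\r\nContent-Disposition: form-data; name=\"file\"; "
                 f"filename=\"trivy.json\"\r\nContent-Type: application/json\r\n\r\n"
                 f"{report_json}\r\n--{boundary}--\r\n")
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v2/import-scan/",
        data="".join(parts).encode(), method="POST",
        headers={"Authorization": f"Token {api_token}",
                 "Content-Type": f"multipart/form-data; boundary={boundary}"})


if __name__ == "__main__":
    report = SAMPLE_REPORT  # in CI: open("trivy.json").read()
    print("findings by severity:", count_by_severity(report))
    req = build_import_request(
        report, product="orchestrator-server", engagement="CI/CD pipeline scan",
        base_url="https://defectdojo.shared.cwiq.io",
        api_token=os.environ.get("DEFECTDOJO_API_KEY", "<set DEFECTDOJO_API_KEY>"))
    print("would POST to", req.full_url)
    # urllib.request.urlopen(req)  # enable in CI (needs Tailscale and an API key)
    if deployment_blocked(report):
        raise SystemExit("Critical findings present: deployment blocked")
```

Run it with a real `trivy.json` and a `DEFECTDOJO_API_KEY` in the environment; the import is deliberately left commented out so the gate can be exercised offline. Note that the gate is applied after the upload is prepared, so the Critical finding still lands in DefectDojo for tracking even though the pipeline exits non-zero.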