DefectDojo Security Management

Application security vulnerability management and orchestration platform.

Overview

DefectDojo is an enterprise-grade application security vulnerability management and orchestration platform that consolidates security testing tools and findings into a centralized dashboard. Originally developed by Rackspace and now maintained by the OWASP Foundation, DefectDojo ingests results from over 100 security scanners, including SAST, DAST, SCA, and infrastructure tools, and provides unified vulnerability tracking, risk assessment, and remediation workflows for development and security teams.

This stack combines DefectDojo's Django-based web application with a backend designed for production workloads. PostgreSQL serves as the primary database for vulnerability findings, product metadata, and user configuration, while RabbitMQ handles message queuing for asynchronous tasks such as scan imports and report generation. Celery workers process background jobs, including parser execution, metric calculations, and notification delivery, and a separate Celery beat scheduler manages recurring tasks such as SLA monitoring and engagement status updates. NGINX provides the reverse proxy, with SSL termination and static file serving tuned for DefectDojo's web interface.

Security teams at organizations implementing DevSecOps practices will find this configuration useful for centralizing vulnerability management across multiple tools and teams. The architecture supports the high-volume scan ingestion common in CI/CD pipelines while maintaining data integrity through PostgreSQL's ACID guarantees and reliable task processing through RabbitMQ's persistent queues, which makes it suitable for enterprises that need comprehensive security posture tracking and compliance reporting.

Key Features

  • Multi-scanner integration supporting 100+ security tools including Bandit, SonarQube, OWASP ZAP, Nessus, and Burp Suite
  • PostgreSQL-backed vulnerability deduplication using configurable hash algorithms across finding title, file path, and line number
  • RabbitMQ-powered asynchronous scan processing enabling high-volume import queues without blocking the web interface
  • Celery-distributed task execution for parser workflows, JIRA synchronization, and scheduled engagement reporting
  • NGINX reverse proxy with custom DefectDojo optimizations for handling large scan file uploads and static asset delivery
  • Built-in SLA tracking with Celery beat scheduler monitoring remediation timelines and generating compliance reports
  • RESTful API with Django REST framework enabling CI/CD integration and custom automation workflows
  • Role-based access control with product-level permissions supporting multi-tenant security program management

Common Use Cases

  • Enterprise security teams consolidating SAST, DAST, and SCA findings from multiple CI/CD pipelines into unified dashboards
  • DevSecOps organizations requiring automated vulnerability tracking with JIRA integration and developer notification workflows
  • Compliance-driven environments needing centralized security metrics for SOC2, PCI-DSS, or regulatory audit reporting
  • Security consulting firms managing vulnerability assessments across multiple client engagements with isolated product spaces
  • Development teams implementing shift-left security practices with automated scan imports from Jenkins, GitLab CI, or GitHub Actions
  • Penetration testing teams requiring structured finding management with custom severity ratings and remediation tracking
  • Organizations migrating from spreadsheet-based vulnerability management to automated tracking with historical trending

Prerequisites

  • Minimum 4GB RAM allocation with 2GB specifically for PostgreSQL data processing and DefectDojo application server
  • Docker host with at least 20GB available storage for PostgreSQL data, RabbitMQ queues, and DefectDojo media uploads
  • Network access to ports 8080 (HTTP) and 8443 (HTTPS) for DefectDojo web interface and API endpoints
  • Understanding of security scanner output formats (JSON, XML, CSV) for proper parser configuration and finding import
  • Basic knowledge of DefectDojo product hierarchy concepts including Organizations, Products, and Engagements for initial setup

For development and testing. Review the security settings, change the default credentials, and test thoroughly before production use.

docker-compose.yml

docker-compose.yml
services:
  postgres:
    image: postgres:15-alpine
    environment:
      - POSTGRES_USER=defectdojo
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=defectdojo
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - dojo_net

  rabbitmq:
    image: rabbitmq:3-management-alpine
    environment:
      - RABBITMQ_DEFAULT_USER=defectdojo
      - RABBITMQ_DEFAULT_PASS=${RABBITMQ_PASSWORD}
    volumes:
      - rabbitmq_data:/var/lib/rabbitmq
    networks:
      - dojo_net

  defectdojo:
    image: defectdojo/defectdojo-django:latest
    environment:
      - DD_DATABASE_URL=postgresql://defectdojo:${POSTGRES_PASSWORD}@postgres:5432/defectdojo
      - DD_CELERY_BROKER_URL=amqp://defectdojo:${RABBITMQ_PASSWORD}@rabbitmq:5672//
      - DD_SECRET_KEY=${DD_SECRET_KEY}
      - DD_CREDENTIAL_AES_256_KEY=${DD_AES_KEY}
    volumes:
      - defectdojo_media:/app/media
    depends_on:
      - postgres
      - rabbitmq
    networks:
      - dojo_net

  celeryworker:
    image: defectdojo/defectdojo-django:latest
    command: celery -A dojo worker -l info
    environment:
      - DD_DATABASE_URL=postgresql://defectdojo:${POSTGRES_PASSWORD}@postgres:5432/defectdojo
      - DD_CELERY_BROKER_URL=amqp://defectdojo:${RABBITMQ_PASSWORD}@rabbitmq:5672//
      - DD_SECRET_KEY=${DD_SECRET_KEY}
    depends_on:
      - defectdojo
    networks:
      - dojo_net

  celerybeat:
    image: defectdojo/defectdojo-django:latest
    command: celery -A dojo beat -l info
    environment:
      - DD_DATABASE_URL=postgresql://defectdojo:${POSTGRES_PASSWORD}@postgres:5432/defectdojo
      - DD_CELERY_BROKER_URL=amqp://defectdojo:${RABBITMQ_PASSWORD}@rabbitmq:5672//
      - DD_SECRET_KEY=${DD_SECRET_KEY}
    depends_on:
      - defectdojo
    networks:
      - dojo_net

  nginx:
    image: defectdojo/defectdojo-nginx:latest
    ports:
      - "8080:8080"
      - "8443:8443"
    depends_on:
      - defectdojo
    networks:
      - dojo_net

volumes:
  postgres_data:
  rabbitmq_data:
  defectdojo_media:

networks:
  dojo_net:

.env Template

.env
# DefectDojo
POSTGRES_PASSWORD=secure_postgres_password
RABBITMQ_PASSWORD=secure_rabbitmq_password
DD_SECRET_KEY=your_secret_key_at_least_50_chars
DD_AES_KEY=your_32_char_aes_key_here_32ch

# DefectDojo at http://localhost:8080
# Default: admin/admin (change immediately)

Usage Notes

  1. DefectDojo at http://localhost:8080
  2. Default credentials: admin/admin
  3. Import SAST/DAST scan results
  4. Track vulnerability lifecycle
  5. CI/CD integration available
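The scan import and CI/CD integration listed above go through DefectDojo's REST API. The script below is an added example (not part of this recipe or of the DefectDojo project) that posts a scanner report to the import-scan endpoint of the stack started by this recipe; it assumes the stack is reachable on http://localhost:8080 and that DD_API_TOKEN holds an API key created in the DefectDojo UI.

```python
"""Push a scanner report into DefectDojo over its REST API (v2)."""
import json
import os
import secrets
import sys
import urllib.request

DD_URL = os.environ.get("DD_URL", "http://localhost:8080")  # NGINX port from this recipe

def build_multipart(fields, filename, content):
    """Encode text fields plus one file as multipart/form-data.
    Hand-rolled so a CI runner needs nothing beyond the standard library.
    Returns (body_bytes, content_type_header)."""
    boundary = "----dojo" + secrets.token_hex(12)
    parts = []
    for name, value in fields.items():
        parts.append((f'--{boundary}\r\nContent-Disposition: form-data; '
                      f'name="{name}"\r\n\r\n{value}\r\n').encode())
    parts.append((f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
                  f'filename="{filename}"\r\nContent-Type: application/octet-stream'
                  '\r\n\r\n').encode() + content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"

def import_scan_fields(scan_type, product, engagement, min_severity="Low"):
    """Form fields for POST /api/v2/import-scan/. auto_create_context lets
    DefectDojo create the product and engagement on first import."""
    return {
        "scan_type": scan_type,
        "product_name": product,
        "engagement_name": engagement,
        "auto_create_context": "true",
        "minimum_severity": min_severity,
        "active": "true",
        "verified": "false",
        "close_old_findings": "true",  # findings absent from this run are closed
    }

def import_scan(token, scan_type, product, engagement, report_path):
    with open(report_path, "rb") as fh:
        content = fh.read()
    body, ctype = build_multipart(import_scan_fields(scan_type, product, engagement),
                                  os.path.basename(report_path), content)
    req = urllib.request.Request(f"{DD_URL}/api/v2/import-scan/", data=body, method="POST",
                                 headers={"Authorization": f"Token {token}", "Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=120) as resp:
        return json.load(resp)  # the response carries the id of the created test

if __name__ == "__main__":  # usage: import_scan.py "Bandit Scan" my-app ci-main bandit.json
    print("created test:", import_scan(os.environ["DD_API_TOKEN"], *sys.argv[1:5]).get("test"))
```

The scan_type string must match one of DefectDojo's parser names exactly ("Bandit Scan" in the usage line); a mismatch is the usual cause of the 'Unable to process scan' error listed under Troubleshooting.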

Individual Services (6 services)

Copy individual services to mix and match with your existing compose files.

postgres
postgres:
  image: postgres:15-alpine
  environment:
    - POSTGRES_USER=defectdojo
    - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    - POSTGRES_DB=defectdojo
  volumes:
    - postgres_data:/var/lib/postgresql/data
  networks:
    - dojo_net
rabbitmq
rabbitmq:
  image: rabbitmq:3-management-alpine
  environment:
    - RABBITMQ_DEFAULT_USER=defectdojo
    - RABBITMQ_DEFAULT_PASS=${RABBITMQ_PASSWORD}
  volumes:
    - rabbitmq_data:/var/lib/rabbitmq
  networks:
    - dojo_net
defectdojo
defectdojo:
  image: defectdojo/defectdojo-django:latest
  environment:
    - DD_DATABASE_URL=postgresql://defectdojo:${POSTGRES_PASSWORD}@postgres:5432/defectdojo
    - DD_CELERY_BROKER_URL=amqp://defectdojo:${RABBITMQ_PASSWORD}@rabbitmq:5672//
    - DD_SECRET_KEY=${DD_SECRET_KEY}
    - DD_CREDENTIAL_AES_256_KEY=${DD_AES_KEY}
  volumes:
    - defectdojo_media:/app/media
  depends_on:
    - postgres
    - rabbitmq
  networks:
    - dojo_net
celeryworker
celeryworker:
  image: defectdojo/defectdojo-django:latest
  command: celery -A dojo worker -l info
  environment:
    - DD_DATABASE_URL=postgresql://defectdojo:${POSTGRES_PASSWORD}@postgres:5432/defectdojo
    - DD_CELERY_BROKER_URL=amqp://defectdojo:${RABBITMQ_PASSWORD}@rabbitmq:5672//
    - DD_SECRET_KEY=${DD_SECRET_KEY}
  depends_on:
    - defectdojo
  networks:
    - dojo_net
celerybeat
celerybeat:
  image: defectdojo/defectdojo-django:latest
  command: celery -A dojo beat -l info
  environment:
    - DD_DATABASE_URL=postgresql://defectdojo:${POSTGRES_PASSWORD}@postgres:5432/defectdojo
    - DD_CELERY_BROKER_URL=amqp://defectdojo:${RABBITMQ_PASSWORD}@rabbitmq:5672//
    - DD_SECRET_KEY=${DD_SECRET_KEY}
  depends_on:
    - defectdojo
  networks:
    - dojo_net
nginx
nginx:
  image: defectdojo/defectdojo-nginx:latest
  ports:
    - "8080:8080"
    - "8443:8443"
  depends_on:
    - defectdojo
  networks:
    - dojo_net

Quick Start

terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  postgres:
    image: postgres:15-alpine
    environment:
      - POSTGRES_USER=defectdojo
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=defectdojo
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - dojo_net

  rabbitmq:
    image: rabbitmq:3-management-alpine
    environment:
      - RABBITMQ_DEFAULT_USER=defectdojo
      - RABBITMQ_DEFAULT_PASS=${RABBITMQ_PASSWORD}
    volumes:
      - rabbitmq_data:/var/lib/rabbitmq
    networks:
      - dojo_net

  defectdojo:
    image: defectdojo/defectdojo-django:latest
    environment:
      - DD_DATABASE_URL=postgresql://defectdojo:${POSTGRES_PASSWORD}@postgres:5432/defectdojo
      - DD_CELERY_BROKER_URL=amqp://defectdojo:${RABBITMQ_PASSWORD}@rabbitmq:5672//
      - DD_SECRET_KEY=${DD_SECRET_KEY}
      - DD_CREDENTIAL_AES_256_KEY=${DD_AES_KEY}
    volumes:
      - defectdojo_media:/app/media
    depends_on:
      - postgres
      - rabbitmq
    networks:
      - dojo_net

  celeryworker:
    image: defectdojo/defectdojo-django:latest
    command: celery -A dojo worker -l info
    environment:
      - DD_DATABASE_URL=postgresql://defectdojo:${POSTGRES_PASSWORD}@postgres:5432/defectdojo
      - DD_CELERY_BROKER_URL=amqp://defectdojo:${RABBITMQ_PASSWORD}@rabbitmq:5672//
      - DD_SECRET_KEY=${DD_SECRET_KEY}
    depends_on:
      - defectdojo
    networks:
      - dojo_net

  celerybeat:
    image: defectdojo/defectdojo-django:latest
    command: celery -A dojo beat -l info
    environment:
      - DD_DATABASE_URL=postgresql://defectdojo:${POSTGRES_PASSWORD}@postgres:5432/defectdojo
      - DD_CELERY_BROKER_URL=amqp://defectdojo:${RABBITMQ_PASSWORD}@rabbitmq:5672//
      - DD_SECRET_KEY=${DD_SECRET_KEY}
    depends_on:
      - defectdojo
    networks:
      - dojo_net

  nginx:
    image: defectdojo/defectdojo-nginx:latest
    ports:
      - "8080:8080"
      - "8443:8443"
    depends_on:
      - defectdojo
    networks:
      - dojo_net

volumes:
  postgres_data:
  rabbitmq_data:
  defectdojo_media:

networks:
  dojo_net:
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# DefectDojo
POSTGRES_PASSWORD=secure_postgres_password
RABBITMQ_PASSWORD=secure_rabbitmq_password
DD_SECRET_KEY=your_secret_key_at_least_50_chars
DD_AES_KEY=your_32_char_aes_key_here_32ch

# DefectDojo at http://localhost:8080
# Default: admin/admin (change immediately)
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal
curl -fsSL https://docker.recipes/api/recipes/defectdojo-security/run | bash

Troubleshooting

  • Celery workers stuck on large scan imports: Increase RabbitMQ memory limits and configure task-time-limit in celery settings to prevent worker timeout
  • PostgreSQL connection errors during high scan volume: Tune max_connections and shared_buffers in PostgreSQL configuration, ensure connection pooling is enabled
  • DefectDojo parser failures with 'Unable to process scan' errors: Verify scan file format matches expected parser input, check celery worker logs for specific parsing exceptions
  • NGINX 413 'Request Entity Too Large' on scan uploads: Increase client_max_body_size in NGINX configuration and Django FILE_UPLOAD_MAX_MEMORY_SIZE setting
  • RabbitMQ disk space warnings causing task failures: Configure RabbitMQ disk free limit and enable queue length limits to prevent unbounded growth during high import periods
  • DefectDojo duplicate findings not being merged: Review deduplication configuration in System Settings, ensure hash_code algorithm matches your scanner output consistency
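The deduplication described under Key Features (a hash over fields such as finding title, file path and line number) and the last troubleshooting item above come down to whether a scanner emits those fields consistently between runs. The script below is an added example, not DefectDojo's own code: it models hash_code deduplication so that the effect of an inconsistent file path, and of dropping the line number from the hashed fields, can be seen directly. The field list and the concatenation order are assumptions, as is the constructed checkout prefix.

```python
"""Model of hash_code deduplication as described on this page (added example,
not DefectDojo's own implementation; the per-scanner field list and the exact
concatenation DefectDojo uses are assumptions here)."""
import hashlib
import re

DEFAULT_FIELDS = ("title", "file_path", "line")

def hash_code(finding, fields=DEFAULT_FIELDS):
    """SHA-256 over the chosen fields concatenated in a fixed order."""
    joined = "".join(str(finding.get(f, "")) for f in fields)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()

def normalize(finding, checkout_prefix="/builds/app/"):
    """Strip the CI checkout prefix so one file hashes identically whichever
    runner produced the report (checkout_prefix is a constructed value)."""
    f = dict(finding)
    f["file_path"] = re.sub("^" + re.escape(checkout_prefix), "", f.get("file_path", ""))
    return f

def dedupe(findings, fields=DEFAULT_FIELDS):
    """Return (unique_findings, duplicate_count) keyed on hash_code."""
    seen, dups = {}, 0
    for fd in findings:
        h = hash_code(fd, fields)
        if h in seen:
            dups += 1
        else:
            seen[h] = fd
    return list(seen.values()), dups

# Constructed sample: one Bandit finding reported by two runners with different
# checkout paths, plus the same finding after the file gained five lines.
SAMPLE = [
    {"title": "Use of hardcoded password", "file_path": "/builds/app/src/db.py", "line": 42},
    {"title": "Use of hardcoded password", "file_path": "src/db.py", "line": 42},
    {"title": "Use of hardcoded password", "file_path": "src/db.py", "line": 47},
]

if __name__ == "__main__":
    print("raw:            ", dedupe(SAMPLE)[1], "duplicates merged")
    normalized = [normalize(f) for f in SAMPLE]
    print("path-normalized:", dedupe(normalized)[1], "duplicates merged")
    # Dropping line from the hash also merges the finding that moved, at the
    # cost of collapsing genuinely distinct findings in the same file.
    print("title+path only:", dedupe(normalized, ("title", "file_path"))[1], "duplicates merged")
```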
