skills/building-vulnerability-dashboard-with-defectdojo/SKILL.md
Deploy DefectDojo as a centralized vulnerability management dashboard, with scanner integration, deduplication, metrics tracking and a Jira ticketing workflow.
DefectDojo is an open-source application vulnerability management platform that aggregates findings from 200+ security tools, deduplicates them, tracks remediation progress, and provides executive-level dashboards. It acts as the central hub for vulnerability management and integrates with CI/CD pipelines, Jira ticketing and Slack notifications. DefectDojo supports OWASP-based classification and exposes a REST API for automation.
```bash
# Clone the DefectDojo repository
git clone https://github.com/DefectDojo/django-DefectDojo.git
cd django-DefectDojo

# Start with Docker Compose in detached mode (the script wraps `docker compose up -d`)
./dc-up-d.sh

# Alternative: run Docker Compose manually
docker compose up -d

# Check service status
docker compose ps

# Read the initial admin credentials from the initializer container's log
docker compose logs initializer 2>&1 | grep "Admin password"

# DefectDojo is then reachable at http://localhost:8080
```
```bash
# Key environment variables in docker-compose.yml
DD_DATABASE_ENGINE=django.db.backends.postgresql
DD_DATABASE_HOST=postgres
DD_DATABASE_PORT=5432
DD_DATABASE_NAME=defectdojo
DD_DATABASE_USER=defectdojo
DD_DATABASE_PASSWORD=<secure_password>
# "*" accepts any Host header; restrict this to the real hostname(s) in production
DD_ALLOWED_HOSTS=*
# Both keys must be generated randomly and kept out of version control
DD_SECRET_KEY=<random_64_char_key>
DD_CREDENTIAL_AES_256_KEY=<random_128_bit_key>
DD_SOCIAL_AUTH_GOOGLE_OAUTH2_ENABLED=True
```
```text
Product Type (business unit)
└── Product (application/service)
    └── Engagement (assessment/sprint)
        └── Test (scanner run)
            └── Finding (individual vulnerability)
```
```python
import requests

DD_URL = "http://localhost:8080/api/v2"
API_KEY = "your_api_key_here"
HEADERS = {"Authorization": f"Token {API_KEY}", "Content-Type": "application/json"}

# Create a product type (business unit)
resp = requests.post(f"{DD_URL}/product_types/", headers=HEADERS, json={
    "name": "Web Applications",
    "description": "Customer-facing web application portfolio"
})
resp.raise_for_status()
product_type_id = resp.json()["id"]

# Create a product (application/service) under that type
resp = requests.post(f"{DD_URL}/products/", headers=HEADERS, json={
    "name": "Customer Portal",
    "description": "Main customer-facing web application",
    "prod_type": product_type_id,
    "sla_configuration": 1,
})
resp.raise_for_status()
product_id = resp.json()["id"]

# Create an engagement (assessment window) for the product
resp = requests.post(f"{DD_URL}/engagements/", headers=HEADERS, json={
    "name": "Q1 2024 Security Assessment",
    "product": product_id,
    "target_start": "2024-01-01",
    "target_end": "2024-03-31",
    "engagement_type": "CI/CD",
    "status": "In Progress",
})
resp.raise_for_status()
engagement_id = resp.json()["id"]
```
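The three POST calls above create new objects every time they run, so re-running the script against the same instance leaves duplicate product types, products and engagements behind. The helper below, added here as an example and not part of the original skill or of DefectDojo's own code, looks each object up first and only creates it when missing. It assumes the v2 list endpoints accept `name`, `prod_type` and `product` as query filters and that the `name` filter matches substrings, so exact equality is re-checked on the client. `DojoClient`, `InMemoryDojo`, `get_or_create` and `ensure_hierarchy` are hypothetical names; `InMemoryDojo` is a constructed offline stand-in so the block runs without a server.

```python
import requests

DD_URL = "http://localhost:8080/api/v2"   # same base URL as the snippet above
API_KEY = "your_api_key_here"


class DojoClient:
    """Thin wrapper over requests for the DefectDojo v2 API (hypothetical helper)."""

    def __init__(self, base_url, api_key):
        self.base_url = base_url.rstrip("/")
        self.session = requests.Session()
        self.session.headers.update({"Authorization": f"Token {api_key}"})

    def get(self, endpoint, params=None):
        r = self.session.get(f"{self.base_url}/{endpoint}/", params=params)
        r.raise_for_status()
        return r.json()

    def post(self, endpoint, payload):
        r = self.session.post(f"{self.base_url}/{endpoint}/", json=payload)
        r.raise_for_status()
        return r.json()


class InMemoryDojo:
    """Constructed offline stand-in with the same get/post shape as DojoClient."""

    def __init__(self):
        self.store = {}   # endpoint -> list of stored objects
        self.next_id = 1

    def get(self, endpoint, params=None):
        params = params or {}
        rows = self.store.get(endpoint, [])
        # Mimic the API's substring ("icontains") behaviour for the name filter
        if "name" in params:
            rows = [o for o in rows if params["name"].lower() in o["name"].lower()]
        for key, value in params.items():
            if key != "name":
                rows = [o for o in rows if o.get(key) == value]
        return {"count": len(rows), "results": rows}

    def post(self, endpoint, payload):
        obj = dict(payload, id=self.next_id)
        self.next_id += 1
        self.store.setdefault(endpoint, []).append(obj)
        return obj


def get_or_create(client, endpoint, payload, match_fields=("name",)):
    """Return (id, created) for the object whose match_fields equal payload's.

    The server-side name filter is a substring match, so a product called
    "Portal" would also return "Customer Portal"; equality is re-checked here.
    """
    params = {f: payload[f] for f in match_fields}
    for obj in client.get(endpoint, params)["results"]:
        if all(obj.get(f) == payload[f] for f in match_fields):
            return obj["id"], False
    return client.post(endpoint, payload)["id"], True


def ensure_hierarchy(client):
    """Idempotently build product type -> product -> engagement; returns their ids."""
    pt_id, _ = get_or_create(client, "product_types", {
        "name": "Web Applications",
        "description": "Customer-facing web application portfolio"})
    prod_id, _ = get_or_create(client, "products", {
        "name": "Customer Portal",
        "description": "Main customer-facing web application",
        "prod_type": pt_id, "sla_configuration": 1},
        match_fields=("name", "prod_type"))
    eng_id, _ = get_or_create(client, "engagements", {
        "name": "Q1 2024 Security Assessment", "product": prod_id,
        "target_start": "2024-01-01", "target_end": "2024-03-31",
        "engagement_type": "CI/CD", "status": "In Progress"},
        match_fields=("name", "product"))
    return pt_id, prod_id, eng_id


if __name__ == "__main__":
    client = InMemoryDojo()   # use DojoClient(DD_URL, API_KEY) against a real instance
    print(ensure_hierarchy(client))
    print(ensure_hierarchy(client))   # second run returns the same ids, creates nothing
```

Matching on `("name", "prod_type")` for products and `("name", "product")` for engagements keeps two business units that both own a "Customer Portal" from colliding.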
```bash
# Upload Nessus scan results (reimport updates the existing test instead of creating a new one)
curl -X POST "${DD_URL}/reimport-scan/" \
  -H "Authorization: Token ${API_KEY}" \
  -F "scan_type=Nessus Scan" \
  -F "file=@nessus_report.csv" \
  -F "product_name=Customer Portal" \
  -F "engagement_name=Q1 2024 Security Assessment" \
  -F "auto_create_context=true" \
  -F "deduplication_on_engagement=true"

# Upload OWASP ZAP results
curl -X POST "${DD_URL}/reimport-scan/" \
  -H "Authorization: Token ${API_KEY}" \
  -F "scan_type=ZAP Scan" \
  -F "file=@zap_report.xml" \
  -F "product_name=Customer Portal" \
  -F "engagement_name=Q1 2024 Security Assessment" \
  -F "auto_create_context=true"

# Upload Trivy container scan results
curl -X POST "${DD_URL}/reimport-scan/" \
  -H "Authorization: Token ${API_KEY}" \
  -F "scan_type=Trivy Scan" \
  -F "file=@trivy_results.json" \
  -F "product_name=Customer Portal" \
  -F "engagement_name=Q1 2024 Security Assessment" \
  -F "auto_create_context=true"
```
| Scanner | Type string (`scan_type`) | Format |
|-----------|---------------------|----------|
| Nessus | Nessus Scan | CSV/XML |
| OpenVAS | OpenVAS CSV | CSV |
| Qualys | Qualys Scan | XML |
| OWASP ZAP | ZAP Scan | XML/JSON |
| Burp Suite | Burp XML | XML |
| Trivy | Trivy Scan | JSON |
| Semgrep | Semgrep JSON Report | JSON |
| Snyk | Snyk Scan | JSON |
| SonarQube | SonarQube Scan | JSON |
| Checkov | Checkov Scan | JSON |
```yaml
# .github/workflows/security-scan.yml
name: Security Scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Semgrep
        run: |
          pip install semgrep
          semgrep --config auto --json -o semgrep_results.json .
      - name: Upload to DefectDojo
        run: |
          curl -X POST "${{ secrets.DD_URL }}/api/v2/reimport-scan/" \
            -H "Authorization: Token ${{ secrets.DD_API_KEY }}" \
            -F "scan_type=Semgrep JSON Report" \
            -F "file=@semgrep_results.json" \
            -F "product_name=${{ github.event.repository.name }}" \
            -F "engagement_name=CI/CD" \
            -F "auto_create_context=true"
```
```python
# Jira integration settings as configured in DefectDojo (shown here as a Python dict);
# the *_mapping_severity keys map DefectDojo severities to Jira priorities
jira_config = {
    "url": "https://company.atlassian.net",
    "username": "[email protected]",
    "password": "jira_api_token",
    "default_issue_type": "Bug",
    "critical_mapping_severity": "Blocker",
    "high_mapping_severity": "Critical",
    "medium_mapping_severity": "Major",
    "low_mapping_severity": "Minor",
    "finding_text": "**漏洞**: {{ finding.title }}\n**严重性**: {{ finding.severity }}\n**CVE**: {{ finding.cve }}\n**描述**: {{ finding.description }}",
    "accepted_mapping_resolution": "Done",
    "close_status_key": 6,
}
```
```python
import requests
# DD_URL, HEADERS and product_id come from the API examples above

# Active finding counts by severity: "count" is the total across all pages,
# so a single small page per severity is enough to count them
severity_counts = {}
for severity in ("Critical", "High", "Medium", "Low", "Info"):
    resp = requests.get(f"{DD_URL}/findings/", headers=HEADERS,
                        params={"limit": 1, "active": "true", "severity": severity})
    resp.raise_for_status()
    severity_counts[severity] = resp.json()["count"]

# Number of active findings that have breached their SLA
resp = requests.get(f"{DD_URL}/findings/", headers=HEADERS,
                    params={"limit": 1, "active": "true", "sla_breached": "true"})
resp.raise_for_status()
sla_breached = resp.json()["count"]

# Product-level metrics
resp = requests.get(f"{DD_URL}/products/{product_id}/", headers=HEADERS)
resp.raise_for_status()
product_data = resp.json()
```
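Dashboard numbers that are not plain counts (oldest open finding, how many raw results were deduplicated away) need the finding records themselves, and the `/findings/` endpoint pages its output. The following Python, added here as an example and not part of the original skill or of DefectDojo, follows the paginated `results`/`next` shape, drops duplicates and inactive findings, and summarises what remains. `fetch_all`, `summarize`, `demo` and `SAMPLE_PAGES` are hypothetical names; the two sample pages are constructed, and the use of a per-finding `sla_days_remaining` field (negative once the SLA has passed) is an assumption about the API response.

```python
from collections import Counter
from datetime import date

SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")


def fetch_all(get_page, first_url):
    """Follow DRF-style pagination: each page carries 'results' and a 'next' URL (or null)."""
    findings, url = [], first_url
    while url:
        page = get_page(url)
        findings.extend(page.get("results", []))
        url = page.get("next")
    return findings


def summarize(findings, today):
    """Turn raw finding dicts into dashboard numbers.

    Duplicates (already merged by DefectDojo's dedup) and inactive findings are
    excluded from the live view but duplicates are still counted separately so
    the dedup rate is visible.
    """
    live = [f for f in findings if f.get("active") and not f.get("duplicate")]
    by_sev = Counter(f["severity"] for f in live)
    # Assumption: sla_days_remaining < 0 means the SLA has been breached
    breached = [f for f in live
                if f.get("sla_days_remaining") is not None and f["sla_days_remaining"] < 0]
    ages = [(today - date.fromisoformat(f["date"])).days for f in live]
    return {
        "total_active": len(live),
        "by_severity": {s: by_sev.get(s, 0) for s in SEVERITIES},
        "sla_breached": len(breached),
        "oldest_days": max(ages, default=0),
        "duplicates_suppressed": sum(1 for f in findings if f.get("duplicate")),
    }


# Constructed sample: two pages shaped like the /findings/ endpoint's output
SAMPLE_PAGES = {
    "p1": {"next": "p2", "results": [
        {"id": 1, "title": "SQLi in login", "severity": "Critical", "active": True,
         "duplicate": False, "date": "2024-01-05", "sla_days_remaining": -3},
        {"id": 2, "title": "SQLi in login", "severity": "Critical", "active": True,
         "duplicate": True, "date": "2024-01-20", "sla_days_remaining": -3},
        {"id": 3, "title": "Outdated jQuery", "severity": "Medium", "active": True,
         "duplicate": False, "date": "2024-02-01", "sla_days_remaining": 40},
    ]},
    "p2": {"next": None, "results": [
        {"id": 4, "title": "Missing HSTS", "severity": "Low", "active": False,
         "duplicate": False, "date": "2024-02-10", "sla_days_remaining": 100},
        {"id": 5, "title": "Verbose errors", "severity": "Low", "active": True,
         "duplicate": False, "date": "2024-02-15", "sla_days_remaining": 90},
    ]},
}


def demo():
    """Run the summary over the constructed pages (fixed 'today' for reproducibility)."""
    findings = fetch_all(SAMPLE_PAGES.__getitem__, "p1")
    return summarize(findings, date(2024, 3, 1))


if __name__ == "__main__":
    print(demo())
```

Against a live instance, pass a real page fetcher, for example `fetch_all(lambda u: session.get(u).json(), f"{DD_URL}/findings/?active=true&limit=100")` with a `requests.Session` carrying the `Authorization: Token ...` header.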