DefectDojo · rossops · Oct 20, 2025 · Oct 14, 2025 · Oct 14, 2025 · Oct 14, 2025
@@ -1,21 +1,38 @@
 {
   "extends": [
-    "config:base"
+    "config:recommended"
   ],
   "dependencyDashboard": true,
   "dependencyDashboardApproval": false,
-  "baseBranches": ["dev"],
+  "baseBranchPatterns": ["dev"],
   "rebaseWhen": "conflicted",
   "separateMinorPatch": true,
-  "ignorePaths": ["requirements.txt", "requirements-lint.txt", "components/package.json", "components/package-lock.json", "dojo/components/yarn.lock", "dojo/components/package.json", "Dockerfile**"],
+  "ignorePaths": [
+    "requirements.txt",
+    "requirements-lint.txt",
+    "components/package.json",
+    "components/package-lock.json",
+    "dojo/components/yarn.lock",
+    "dojo/components/package.json",
+    "Dockerfile**"
+  ],
   "ignoreDeps": [],
   "packageRules": [{
-    "packagePatterns": ["*"],
-    "commitMessageExtra": "from {{currentVersion}} to {{#if isMajor}}v{{{newMajor}}}{{else}}{{#if isSingleVersion}}v{{{toVersion}}}{{else}}{{{newValue}}}{{/if}}{{/if}}",
+    "matchPackageNames": ["*"],
+    "commitMessageExtra": "from {{currentVersion}} to {{#if isMajor}}v{{{newMajor}}}{{else}}{{#if isSingleVersion}}v{{{newVersion}}}{{else}}{{{newValue}}}{{/if}}{{/if}}",
     "commitMessageSuffix": "({{packageFile}})",
     "labels": ["dependencies"]
   }],
-  "registryAliases": {
-    "bitnami": "https://charts.bitnami.com/bitnami"
-  }
+  "customManagers": [
+    {
+      "customType": "regex",
+      "managerFilePatterns": [
+        "/^.github/workflows//"
+      ],
+      "matchStrings": [
+        "\\w*:\\s[\"']?(?<currentValue>\\S*[^\"']?)[\"']?\\s#\\s*renovate:\\s*datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s"
+      ],
+      "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
+    }
+  ]
 }
@@ -40,7 +40,7 @@ jobs:
           echo $GITHUB_ENV
 
       - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 

@@ -7,7 +7,7 @@ on:
       - master
       - bugfix
       - release/*
-      
+
   pull_request_target:
     types: [synchronize]
 
@@ -16,6 +16,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: check if prs are conflicted
+        # we experience a high error rate so we allow this to fail but still have the check become green on the PR
+        continue-on-error: true
         uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
         with:
           dirtyLabel: "conflicts-detected"

@@ -15,13 +15,13 @@ jobs:
       - name: Setup Hugo
         uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
         with:
-          hugo-version: '0.140.1'
+          hugo-version: '0.140.1' # renovate: datasource=github-releases depName=gohugoio/hugo versioning=loose
           extended: true
 
       - name: Setup Node
         uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
-          node-version: '22.20.0'
+          node-version: '22.20.0' # TODO: Renovate helper might not be needed here - needs to be fully tested
 
       - name: Cache dependencies
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0

@@ -13,7 +13,7 @@ jobs:
   docs_updates:
     name: Update documentation
     runs-on: ubuntu-latest
-    if: startsWith(github.head_ref, 'renovate/') or startsWith(github.head_ref, 'dependabot/')
+    if: startsWith(github.head_ref, 'renovate/') || startsWith(github.head_ref, 'dependabot/')
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

@@ -16,9 +16,9 @@ jobs:
           # databases, broker and k8s are independent, so we don't need to test each combination
           # lastest k8s version (https://kubernetes.io/releases/) and the oldest officially supported version
           # are tested (https://kubernetes.io/releases/)
-          - k8s: 'v1.34.1'
+          - k8s: 'v1.34.1' # renovate: datasource=github-releases depName=kubernetes/kubernetes versioning=loose
             os: debian
-          - k8s: 'v1.31.13'
+          - k8s: 'v1.31.13' # Do not track with renovate as we likely want to rev this manually
             os: debian
     steps:
       - name: Checkout
@@ -27,7 +27,7 @@ jobs:
       - name: Setup Minikube
         uses: manusa/actions-setup-minikube@b589f2d61bf96695c546929c72b38563e856059d # v2.14.0
         with:
-          minikube version: 'v1.37.0'
+          minikube version: 'v1.37.0' # renovate: datasource=github-releases depName=kubernetes/minikube versioning=loose
           kubernetes version: ${{ matrix.k8s }}
           driver: docker
           start args: '--addons=ingress --cni calico'

@@ -0,0 +1,24 @@
+name: "Renovate validation"
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - dev
+      - master
+      - bugfix
+      - release/*
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: validate
+        uses: suzuki-shunsuke/github-action-renovate-config-validator@c22827f47f4f4a5364bdba19e1fe36907ef1318e # v1.1.1
+        with:
+          strict: "true"
+          validator_version: 41.146.0 # renovate: datasource=github-releases depName=renovatebot/renovate
@@ -4,8 +4,8 @@ on:
   pull_request:
 env:
   SHELLCHECK_REPO: 'koalaman/shellcheck'
-  SHELLCHECK_VERSION: 'v0.9.0'
-  SHELLCHECK_SHA: '038fd81de6b7e20cc651571362683853670cdc71'
+  SHELLCHECK_VERSION: 'v0.9.0' # renovate: datasource=github-releases depName=koalaman/shellcheck versioning=loose
+  SHELLCHECK_SHA: '038fd81de6b7e20cc651571362683853670cdc71' # Renovate config is not currently adjusted to update hash - it needs to be done manually for now
 jobs:
   shellcheck:
     runs-on: ubuntu-latest

@@ -11,7 +11,7 @@ jobs:
     if: github.repository == 'DefectDojo/django-DefectDojo' # Notify only in core repo, not in forks - it would just fail in fork
     steps:
       - name: Notify reviewers in Slack
-        uses: DefectDojo-Inc/notify-pr-reviewers-action@master
+        uses: DefectDojo-Inc/notify-pr-reviewers-action@be26734e06338b41be6e70ce96027a51aa9ba9c6 # master
         with:
           owner: "DefectDojo"
           repository: "django-DefectDojo"

@@ -24,7 +24,7 @@ jobs:
 
       - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
-          python-version: 3.14
+          python-version: 3.14 # Renovate helper is not needed here
 
       - name: Configure Helm repos
         run: |-
@@ -34,8 +34,8 @@ jobs:
       - name: Set up chart-testing
         uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
         with:
-          yamale_version: 6.0.0
-          yamllint_version: 1.37.1
+          yamale_version: 6.0.0 # renovate: datasource=pypi depName=yamale versioning=semver
+          yamllint_version: 1.37.1 # renovate: datasource=pypi depName=yamllint versioning=semver
 
       - name: Determine target branch
         id: ct-branch-target

@@ -12,13 +12,13 @@ jobs:
       - name: Setup Hugo
         uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
         with:
-          hugo-version: '0.140.1'
+          hugo-version: '0.140.1' # renovate: datasource=github-releases depName=gohugoio/hugo versioning=loose
           extended: true
 
       - name: Setup Node
         uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
-          node-version: '22.20.0'
+          node-version: '22.20.0' # TODO: Renovate helper might not be needed here - needs to be fully tested
 
       - name: Cache dependencies
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0

@@ -54,6 +54,7 @@ See our [Connectors Guide](/en/connecting_your_tools/connectors/about_connectors
 
 Supported tools for Connectors include:
 
+* Anchore
 * AWS Security Hub
 * BurpSuite
 * Checkmarx ONE

@@ -8,28 +8,53 @@ Here are the release notes for **DefectDojo Pro (Cloud Version)**. These release
 
 For Open Source release notes, please see the [Releases page on GitHub](https://github.com/DefectDojo/django-DefectDojo/releases), or alternatively consult the Open Source [upgrade notes](/en/open_source/upgrading/upgrading_guide/).
 
+## Oct 2025: v2.51
+
+### Oct 14, 2025: v2.51.1
+
+* **(Pro UI)** Added Finding Quick Report feature.  Quick report allows users to quickly render an HTML report with the currently displayed Findings on a Finding table.
+
+![image](images/quick_report.png)
+
+* **(Pro UI)** Added vector builder and calculator to the Edit Finding form, for CVSSv3 and CVSSv4.  You can build vector strings using the 🛠️ button next to the CVSSv3 / CVSSv4 string entry on the Edit Finding form.
+
+Click the calculator button to render a score based on the vector string.
+
+![image](images/pro_cvss_vector_and_score.png)
+![image](images/cvssv4_vector_builder.png)
+
+* **(Pro UI)** Added Similar Findings view on Findings when enabled in System Settings.  
+* **(Pro UI)** File names (for attached artifacts) can now be edited directly in the UI.
+* **(Pro UI)** Redirect user to Home after a successful Support Inquiry submission.  
+
+### Oct 6, 2025: v2.51.0
+
+No significant Pro changes are present in this release.
+
 ## Sept 2025: v2.50
 
-### Sept 22, 2025: v2.50.4
+#### Sept 29, 2025: v2.50.4
 
-* **(Pro UI)** Changes Engagement Deduplication form label and help text
-* **(Pro UI)** Adds toggle for MCP (for superusers only)
+* **(MCP)** Added MCP toggle for Superusers only.
+* **(Pro UI)** Bypassed endpoint validation on Edit Finding form when Endpoints have not changed.
+* **(Pro UI)** Collapsed additional fields in the Universal Parser preview for cleaner display.
+* **(Pro UI)** Updated Engagement Deduplication form label and help text for clarity.
 
-### Sept 15, 2025: v2.50.3
+#### Sept 22, 2025: v2.50.3
 
 * **(Pro UI)** Added support for [CVSSv4.0](https://www.first.org/cvss/v4-0/) vector strings.
 
-### Sept 15, 2025: v2.50.2
+#### Sept 15, 2025: v2.50.2
 
 * **(Pro UI)** Added Any/All status filtering.  Filtering by status allows you to apply either AND (inner join) logic, or OR (outer join) logic to the filter.
 * **(Pro UI)** Added Contact Support form for On-Premise installs.
 
-### Sept 9, 2025: v2.50.1
+#### Sept 9, 2025: v2.50.1
 
 * **(Tools)** Removed CSV limit for Qualys HackerGuardian
 * **(SSO)** Removed Force Password Reset for users created via SSO
 
-### Sept 2, 2025: v2.50.0
+#### Sept 2, 2025: v2.50.0
 
 * **(Pro UI)** "Date During" filter has been added to the UI, allowing users to filter by a range of dates
 * **(Pro UI)** Vulnerability ID column can now be sorted, however the sorting only considers the **first** vulnerability ID.
@@ -40,7 +65,7 @@ For Open Source release notes, please see the [Releases page on GitHub](https://
 The Pro UI has been significantly reorganized, with changes to page organization.
 ![image](images/pro_ui_249.png)
 
-### August 25: 2.49.3
+#### August 25: 2.49.3
 
 [Integrations](/en/share_your_findings/integrations/) has been added to DefectDojo Pro, adding an Jira-style integrations for Azure DevOps, GitHub and GitLab boards.
 

@@ -25,6 +25,7 @@ But everyone needs a starting point, and that's where Connectors come in. Connec
 
 We currently support Connectors for the following tools, with more on the way:
 
+* **Anchore**
 * **AWS Security Hub**
 * **BurpSuite**
 * **Checkmarx ONE**

@@ -20,6 +20,17 @@ Whenever possible, we recommend creating a new 'DefectDojo Bot' account within y
 
 # **Supported Connectors**
 
+## **Anchore**
+
+The Anchore connector uses a user's API token to pull data from Anchore Enterprise.  Products will be mapped and discovered based on "Applications", which are composed of multiple Images in Anchore - see [Anchore Enterprise Documentation](https://docs.anchore.com/current/docs/sbom_management/application_groups/application_management_anchorectl/) for more information.
+
+#### Connector Mappings
+
+1. The Anchore URL in the **Location** field: this is the URL where you access the Anchore.
+2. Enter a valid API Key in the Secret field. This is the API key associated with your Burp Service account.
+
+See the official [Anchore documentation](https://docs.anchore.com/current/docs/) for more information on creating a token for Anchore.
+
 ## **AWS Security Hub**
 
 The AWS Security Hub connector uses an AWS access key to interact with the Security Hub APIs.

@@ -17,7 +17,7 @@ DefectDojo can parse data from 180+ security reports and counting.
 
 | [Connectors](../connectors/about_connectors): supported tools | [Smart Upload](../import_scan_files/smart_upload/): supported tools |
 | --- | --- |
-| AWS Security Hub, BurpSuite, Checkmarx ONE, Dependency-Track, Probely, Semgrep, SonarQube, Snyk, Tenable | Nexpose, NMap, OpenVas, Qualys, Tenable, Wiz | 
+| Anchore, AWS Security Hub, BurpSuite, Checkmarx ONE, Dependency-Track, Probely, Semgrep, SonarQube, Snyk, Tenable | Nexpose, NMap, OpenVas, Qualys, Tenable, Wiz | 
 
 # All Supported Tools