Skip to content

feat(lab10): defectdojo governance report and walkthrough#1439

Open
L10nff wants to merge 4 commits into
inno-devops-labs:mainfrom
L10nff:feature/lab10
Open

feat(lab10): defectdojo governance report and walkthrough#1439
L10nff wants to merge 4 commits into
inno-devops-labs:mainfrom
L10nff:feature/lab10

Conversation

@L10nff

@L10nff L10nff commented Jul 9, 2026

Copy link
Copy Markdown

Goal

This PR delivers Lab 10: Vulnerability Management with DefectDojo β€” the capstone governance report and bonus walkthrough script.

Changes

  • Added submissions/lab10.md
  • Added submissions/lab10-walkthrough.md
  • Updated .gitignore to exclude the local DefectDojo working directory and temporary Lab 10 work files
  • Documented local DefectDojo 2.58.4 setup using Docker Compose release configuration
  • Created DefectDojo Product Type, Product, and Engagement for OWASP Juice Shop
  • Imported scan reports from previous labs into DefectDojo
  • Documented import counts, severity distribution, SLA matrix, backlog metrics, and deduplication/correlation analysis
  • Documented importer limitations for ZAP JSON, Trivy Operator output, and Falco custom runtime logs
  • Added a bonus 5-minute DevSecOps interview walkthrough script

Testing

Commands used:

git switch main
git checkout -b feature/lab10

mkdir -p labs/lab10/work
mkdir -p submissions

cd labs/lab10/work
git clone https://github.com/DefectDojo/django-DefectDojo dd
cd dd
git checkout 2.58.4
./docker/setEnv.sh release
docker compose up -d
docker compose ps
curl -I http://localhost:8080

export DD_URL="http://localhost:8080"
export DD_TOKEN="<local-defectdojo-api-token>"

curl -s -H "Authorization: Token $DD_TOKEN" "$DD_URL/api/v2/products/" | jq .count

curl -s -X POST "$DD_URL/api/v2/product_types/" ...
curl -s -X POST "$DD_URL/api/v2/products/" ...
curl -s -X POST "$DD_URL/api/v2/engagements/" ...

curl -s -X POST "$DD_URL/api/v2/import-scan/" \
  -H "Authorization: Token $DD_TOKEN" \
  -F "scan_type=Anchore Grype" \
  -F "engagement=$ENGAGEMENT_ID" \
  -F "file=@labs/lab4/grype-from-sbom.json"

curl -s -X POST "$DD_URL/api/v2/import-scan/" \
  -H "Authorization: Token $DD_TOKEN" \
  -F "scan_type=Trivy Scan" \
  -F "engagement=$ENGAGEMENT_ID" \
  -F "file=@labs/lab4/trivy.json"

curl -s -X POST "$DD_URL/api/v2/import-scan/" \
  -H "Authorization: Token $DD_TOKEN" \
  -F "scan_type=Semgrep JSON Report" \
  -F "engagement=$ENGAGEMENT_ID" \
  -F "file=@labs/lab5/results/semgrep.json"

curl -s -X POST "$DD_URL/api/v2/import-scan/" \
  -H "Authorization: Token $DD_TOKEN" \
  -F "scan_type=ZAP Scan" \
  -F "engagement=$ENGAGEMENT_ID" \
  -F "file=@labs/lab5/results/auth-report.json"

curl -s -X POST "$DD_URL/api/v2/import-scan/" \
  -H "Authorization: Token $DD_TOKEN" \
  -F "scan_type=Checkov Scan" \
  -F "engagement=$ENGAGEMENT_ID" \
  -F "file=@labs/lab6/results/checkov-terraform/results_json.json"

curl -s -X POST "$DD_URL/api/v2/import-scan/" \
  -H "Authorization: Token $DD_TOKEN" \
  -F "scan_type=KICS Scan" \
  -F "engagement=$ENGAGEMENT_ID" \
  -F "file=@labs/lab6/results/kics-ansible/results.json"

curl -s -X POST "$DD_URL/api/v2/import-scan/" \
  -H "Authorization: Token $DD_TOKEN" \
  -F "scan_type=KICS Scan" \
  -F "engagement=$ENGAGEMENT_ID" \
  -F "file=@labs/lab6/results/kics-pulumi/results.json"

curl -s -X POST "$DD_URL/api/v2/import-scan/" \
  -H "Authorization: Token $DD_TOKEN" \
  -F "scan_type=Trivy Scan" \
  -F "engagement=$ENGAGEMENT_ID" \
  -F "file=@labs/lab7/results/trivy-image.json"

curl -s -X POST "$DD_URL/api/v2/import-scan/" \
  -H "Authorization: Token $DD_TOKEN" \
  -F "scan_type=Trivy Operator Scan" \
  -F "engagement=$ENGAGEMENT_ID" \
  -F "file=@labs/lab7/results/trivy-k8s.json"

curl -s -H "Authorization: Token $DD_TOKEN" \
  "$DD_URL/api/v2/findings/?engagement=$ENGAGEMENT_ID&limit=1" | jq .count

curl -s -H "Authorization: Token $DD_TOKEN" \
  "$DD_URL/api/v2/findings/?engagement=$ENGAGEMENT_ID&active=true&limit=1000" | \
  jq '[.results[] | .severity] | group_by(.) | map({severity: .[0], count: length})'

for TEST_ID in 1 2 3 4 5 6 7 8 9; do
  SCAN_TYPE=$(curl -s -H "Authorization: Token $DD_TOKEN" "$DD_URL/api/v2/tests/$TEST_ID/" | jq -r '.scan_type')
  COUNT=$(curl -s -H "Authorization: Token $DD_TOKEN" "$DD_URL/api/v2/findings/?test=$TEST_ID&limit=1" | jq -r '.count')
  echo "$TEST_ID | $SCAN_TYPE | $COUNT"
done

Observed output:

DefectDojo version: 2.58.4
DefectDojo runtime check: HTTP/1.1 302 Found
Redirect target: /login?next=/

Product Type ID: 2
Product ID: 1
Engagement ID: 1

Total findings after import: 385

Severity distribution:
Critical: 17
High: 164
Medium: 168
Low: 27
Info: 9

Import counts:
Anchore Grype: 104
Trivy Scan β€” Lab 4: 113
Semgrep JSON Report: 22
ZAP Scan: 0
Checkov Scan: 80
KICS Scan β€” Ansible: 10
KICS Scan β€” Pulumi: 6
Trivy Scan β€” Lab 7 image: 50
Trivy Operator Scan: 0

Dedup/correlation example:
GHSA-5mrr-rgp6-x4gr was observed across Grype and Trivy outputs:
- Finding ID 98 β€” Anchore Grype
- Finding ID 164 β€” Trivy Scan
- Finding ID 353 β€” Trivy Scan

Importer limitations documented:
- ZAP JSON report was not imported because the parser expected XML
- Trivy Operator test was created but produced 0 findings
- Falco custom runtime logs were documented but not imported because the default importer does not support this custom log format

Artifacts & Screenshots

  • Submission file: submissions/lab10.md
  • Bonus walkthrough: submissions/lab10-walkthrough.md
  • Evidence documented in submissions/lab10.md:
    • DefectDojo version and runtime check
    • Product and Engagement IDs
    • Import counts
    • Severity distribution
    • SLA matrix
    • Deduplication/correlation analysis
    • Program metrics and next-quarter SAMM goal

Checklist

  • Title is clear (feat(lab10): defectdojo governance report and walkthrough style)
  • No secrets/large temp files committed
  • Submission file at submissions/lab10.md exists
  • Bonus walkthrough file at submissions/lab10-walkthrough.md exists

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant