RapidFort is a solution for building secure, optimized Docker containers. This fork of DefectDojo uses container images optimized by the RapidFort Build-Time product instead of the original images. This public use case optimizes an entire platform (DefectDojo) instead of indvidual images often found in the RapidFort Community.
Trivy was used to count CVEs before and after RapidFort optimization instead of RapidFort reporting how great RapidFort is.
Exactly the same as before. The original README is below.
Only the docker-compose files were updated to use the optimized images e.g.
> image: "defectdojo/defectdojo-django:${DJANGO_VERSION:-latest}"
97,99c86
< image: "defectdojo/defectdojo-django:latest-rfhardened"
git clone https://github.com/ddooley77/django-DefectDojo
cd django-DefectDojo
./dc-up.sh postgres-redis
# obtain admin credentials. the initializer can take up to 3 minutes to run
# use docker-compose logs -f initializer to track progress
docker-compose logs initializer | grep "Admin password:"- RapidFort would like to contribute to Open Source and OWASP.
- Dojo is easy to deploy.
- Dojo is easy to test.
- It already has integration tests and unit tests in the project
- (This saves a couple hours creating a coverage script).
- A RapidFort Customer asked could we do this (amongst other platforms).
- An initial RapidFort scan showed that there could be large savings, especially in the main python defectdojo-django image.
- The Dojo team is already security savvy. As an example, when it comes to container images they use in the platform, they go for the alpine variants. Hopefully we can incorporate RapidFort into their tooling.
- Create a smaller, more secure version (less CVEs and smaller attack surface) of DefectDojo.
- Make it available for public consumption and gain feedback from end-users.
- Longer term if this has value, we could create a pipeline for any new DefectDojo version and hopefully partner with the OWASP team on this.
- RapidFort stub all containers.
xargs -0 -n 1 rfstub < <(tr \\n \\0 <image_list.txt) - Update docker-compose.yml and docker-compose.override.integration_tests.yml with rfstubbed versions.
- Run with postgres/mysql options, click around the UI
- Run existing test cases
docker/setEnv.sh unit_tests ./dc-up.sh ./dc-up.sh mysql-rabbitmq docker/setEnv.sh integration_tests ./dc-up.sh ./dc-up.sh mysql-rabbitmq - RapidFort optimize (rfharden) all containers
xargs -0 -n 1 rfharden < <(tr \\n \\0 < image_list_stubbed.txt) - Update docker-compose.yml and docker-compose.override.integration_tests.yml with the RapidFort optimized versions (rfhardened).
- Sanity Check - re-run postgres/mysql options, click around the UI, check it all looks good.
|
|
|---|
DefectDojo is a security orchestration and vulnerability management platform. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings to systems like JIRA and Slack. DefectDojo enriches and refines vulnerability data using a number of heuristic algorithms that improve with the more you use the platform.
Try out the demo server at demo.defectdojo.org
Log in with admin / 1Defectdojo@demo#appsec. Please note that the demo is publicly accessible and regularly reset. Do not put sensitive data in the demo.
git clone https://github.com/DefectDojo/django-DefectDojo
cd django-DefectDojo
# building
./dc-build.sh
# running (for other profiles besides postgres-redis look at https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/DOCKER.md)
./dc-up.sh postgres-redis
# obtain admin credentials. the initializer can take up to 3 minutes to run
# use docker-compose logs -f initializer to track progress
docker-compose logs initializer | grep "Admin password:"Navigate to http://localhost:8080.
- Docker / Docker Compose
- SaaS - Includes Support & Supports the Project
- AWS AMI - Supports the Project
- godojo
Join the slack community and discussion! Realtime discussion is done in the OWASP Slack Channel, #defectdojo. Follow DefectDojo on Twitter, Linkedin, and YouTube for project updates!
See our Contributing guidelines
Commercial support and training is availaible. For information please email info@defectdojo.com.
DefectDojo is maintained by:
- Greg Anderson (@devGregA | linkedin)
- Matt Tesauro (@mtesauro | linkedin | @matt_tesauro)
Core Moderators can help you with pull requests or feedback on dev ideas:
Moderators can help you with pull requests or feedback on dev ideas:
- Damien Carol (@damnielcarol | linkedin)
- Jannik Jürgens (@alles-klar)
- Dubravko Sever (@dsever)
- Valentijn Scholten (@valentijnscholten | sponsor | linkedin) - Valentijn served as a core moderator for 3 years. Valentijn’s contributions were numerous and extensive. He overhauled, improved, and optimized many parts of the codebase. He consistently fielded questions, provided feedback on pull requests, and provided a helping hand wherever it was needed.
- Fred Blaise (@madchap | linkedin) - Fred served as a core moderator during a critical time for DefectDojo. He contributed code, helped the team stay organized, and architected important policies and procedures.
- Charles Neill (@ccneill) – Charles served as a DefectDojo Maintainer for years and wrote some of Dojo's core functionality.
- Jay Paz (@jjpaz) – Jay was a DefectDojo maintainer for years. He performed Dojo's first UI overhaul, optimized code structure/features, and added numerous enhancements.
Please report Security issues via our disclosure policy.
DefectDojo is licensed under the BSD-3-Clause License