DefectDojo
Connects to DefectDojo vulnerability management systems to retrieve, create, and manage security findings, products, and engagements through the DefectDojo API.
Bridges to the DefectDojo vulnerability management system, enabling interaction with security findings, products, and engagements for streamlined security workflow integration.
What it does
- Query security findings and vulnerabilities
- Search and filter DefectDojo findings
- Create and update security findings
- Manage engagement lifecycles
- List products and engagements
- Add notes to security findings
Best for
About DefectDojo
DefectDojo is a community-built MCP server published by jamiesonio that provides AI assistants with tools and capabilities via the Model Context Protocol. Connect with DefectDojo for powerful vulnerability management and seamless threat and vulnerability management integrati It is categorized under auth security.
How to install
You can install DefectDojo in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.
License
DefectDojo is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.
DefectDojo MCP Server
This project provides a Model Context Protocol (MCP) server implementation for DefectDojo, a popular open-source vulnerability management tool. It allows AI agents and other MCP clients to interact with the DefectDojo API programmatically.
Features
This MCP server exposes tools for managing key DefectDojo entities:
- Findings: Fetch, search, create, update status, and add notes.
- Products: List available products.
- Engagements: List, retrieve details, create, update, and close engagements.
Installation & Running
There are a couple of ways to run this server:
Using uvx (Recommended)
uvx executes Python applications in temporary virtual environments, installing dependencies automatically.
uvx defectdojo-mcp
Using pip
You can install the package into your Python environment using pip.
# Install directly from the cloned source code directory
pip install .
# Or, if the package is published on PyPI
pip install defectdojo-mcp
Once installed via pip, run the server using:
defectdojo-mcp
Configuration
The server requires the following environment variables to connect to your DefectDojo instance:
DEFECTDOJO_API_TOKEN(required): Your DefectDojo API token for authentication.DEFECTDOJO_API_BASE(required): The base URL of your DefectDojo instance (e.g.,https://your-defectdojo-instance.com).
You can configure these in your MCP client's settings file. Here's an example using the uvx command:
{
"mcpServers": {
"defectdojo": {
"command": "uvx",
"args": ["defectdojo-mcp"],
"env": {
"DEFECTDOJO_API_TOKEN": "YOUR_API_TOKEN_HERE",
"DEFECTDOJO_API_BASE": "https://your-defectdojo-instance.com"
}
}
}
}
If you installed the package using pip, the configuration would look like this:
{
"mcpServers": {
"defectdojo": {
"command": "defectdojo-mcp",
"args": [],
"env": {
"DEFECTDOJO_API_TOKEN": "YOUR_API_TOKEN_HERE",
"DEFECTDOJO_API_BASE": "https://your-defectdojo-instance.com"
}
}
}
}
Available Tools
The following tools are available via the MCP interface:
get_findings: Retrieve findings with filtering (product_name, status, severity) and pagination (limit, offset).search_findings: Search findings using a text query, with filtering and pagination.update_finding_status: Change the status of a specific finding (e.g., Active, Verified, False Positive).add_finding_note: Add a textual note to a finding.create_finding: Create a new finding associated with a test.list_products: List products with filtering (name, prod_type) and pagination.list_engagements: List engagements with filtering (product_id, status, name) and pagination.get_engagement: Get details for a specific engagement by its ID.create_engagement: Create a new engagement for a product.update_engagement: Modify details of an existing engagement.close_engagement: Mark an engagement as completed.
(See the original README content below for detailed usage examples of each tool)
Usage Examples
(Note: These examples assume an MCP client environment capable of calling use_mcp_tool)
Get Findings
# Get active, high-severity findings (limit 10)
result = await use_mcp_tool("defectdojo", "get_findings", {
"status": "Active",
"severity": "High",
"limit": 10
})
Search Findings
# Search for findings containing 'SQL Injection'
result = await use_mcp_tool("defectdojo", "search_findings", {
"query": "SQL Injection"
})
Update Finding Status
# Mark finding 123 as Verified
result = await use_mcp_tool("defectdojo", "update_finding_status", {
"finding_id": 123,
"status": "Verified"
})
Add Note to Finding
result = await use_mcp_tool("defectdojo", "add_finding_note", {
"finding_id": 123,
"note": "Confirmed vulnerability on staging server."
})
Create Finding
result = await use_mcp_tool("defectdojo", "create_finding", {
"title": "Reflected XSS in Search Results",
"test_id": 55, # ID of the associated test
"severity": "Medium",
"description": "User input in search is not properly sanitized, leading to XSS.",
"cwe": 79
})
List Products
# List products containing 'Web App' in their name
result = await use_mcp_tool("defectdojo", "list_products", {
"name": "Web App",
"limit": 10
})
List Engagements
# List 'In Progress' engagements for product ID 42
result = await use_mcp_tool("defectdojo", "list_engagements", {
"product_id": 42,
"status": "In Progress"
})
Get Engagement
result = await use_mcp_tool("defectdojo", "get_engagement", {
"engagement_id": 101
})
Create Engagement
result = await use_mcp_tool("defectdojo", "create_engagement", {
"product_id": 42,
"name": "Q2 Security Scan",
"target_start": "2025-04-01",
"target_end": "2025-04-15",
"status": "Not Started"
})
Update Engagement
result = await use_mcp_tool("defectdojo", "update_engagement", {
"engagement_id": 101,
"status": "In Progress",
"description": "Scan initiated."
})
Close Engagement
result = await use_mcp_tool("defectdojo", "close_engagement", {
"engagement_id": 101
})
Development
Setup
- Clone the repository.
- It's recommended to use a virtual environment:
python -m venv .venv source .venv/bin/activate # On Windows use `.venv\Scripts\activate` - Install dependencies, including development dependencies:
pip install -e ".[dev]"
License
This project is licensed under the MIT License - see the LICENSE file for details.
Contributing
Contributions are welcome! Please feel free to open an issue for bugs, feature requests, or questions. If you'd like to contribute code, please open an issue first to discuss the proposed changes.
Alternatives
Related Skills
Browse all skillsExpert in secure backend coding practices specializing in input validation, authentication, and API security. Use PROACTIVELY for backend security implementations or security code reviews.
Firebase gives you a complete backend in minutes - auth, database, storage, functions, hosting. But the ease of setup hides real complexity. Security rules are your last line of defense, and they're often wrong. Firestore queries are limited, and you learn this after you've designed your data model. This skill covers Firebase Authentication, Firestore, Realtime Database, Cloud Functions, Cloud Storage, and Firebase Hosting. Key insight: Firebase is optimized for read-heavy, denormalized data. I
Comprehensive backend development skill for building scalable backend systems using NodeJS, Express, Go, Python, Postgres, GraphQL, REST APIs. Includes API scaffolding, database optimization, security implementation, and performance tuning. Use when designing APIs, optimizing database queries, implementing business logic, handling authentication/authorization, or reviewing backend code.
This skill should be used when the user requests to generate, create, or add Row-Level Security (RLS) policies for Supabase databases in multi-tenant or role-based applications. It generates comprehensive RLS policies using auth.uid(), auth.jwt() claims, and role-based access patterns. Trigger terms include RLS, row level security, supabase security, generate policies, auth policies, multi-tenant security, role-based access, database security policies, supabase permissions, tenant isolation.
Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities
Send and draft professional emails with seasonal HTML formatting, authentic writing style, contact lookup via Google Contacts, security-first approach, and Google Gmail API via Ruby CLI. This skill should be used for ALL email operations (mandatory per RULES.md).