Prerequisites
- A DefectDojo instance (self-hosted or Cloud) that Gecko can reach over HTTPS. For self-hosted instances behind a firewall, allow Gecko’s egress IPs.
- A DefectDojo API v2 key to authenticate the connection.
- The Admin or Manager role in Gecko. See Teams & permissions.
Connect DefectDojo
Copy your DefectDojo API v2 key
In DefectDojo, open your user profile and go to API v2 Key. Copy the
token. The key inherits that user’s permissions, so use an account that can
create products and import findings.
Add the connection in Gecko
Go to Settings > DefectDojo, then enter your instance URL (for example https://defectdojo.example.com) and paste the API v2 key. Click Connect.
Gecko verifies the connection immediately. If the URL is unreachable or the key is rejected, Gecko shows the error inline. Confirm the instance is reachable from Gecko’s egress IPs and that the key is still valid, then try again.
Map a repository to a product
Choose a connected repository and map it to a DefectDojo product. Gecko
creates the product if it doesn’t exist yet. Assign the repository’s
ASVS level and sections while you’re here, or
adjust them later.
Run a scan to verify
Open the repository and run a scan. When it completes,
Gecko pushes the findings to the mapped product. Open it in DefectDojo to
confirm they landed.
How it works
Each connected repository maps to a DefectDojo product. When a scan completes, Gecko pushes that repository’s findings into its product so DefectDojo reflects the current state of the codebase:
- Push on scan complete: Gecko syncs findings to DefectDojo automatically after every scan. Turn it off to pause exports.
- Include resolved findings: when a finding is resolved in Gecko, it’s marked as mitigated in DefectDojo instead of being left open.
ASVS compliance tracking
Beyond pushing findings, Gecko tracks each repository against the OWASP ASVS so you can see which verification areas each product is expected to meet. Gecko auto-detects which ASVS chapters apply to a repository from what the code does, so you don’t map them by hand:
- Standard version: choose which ASVS version Gecko tracks against, set on the DefectDojo connection. New connections default to the latest, ASVS 5.0. Match this to the version your DefectDojo benchmark uses (DefectDojo can run an older set such as 4.0.3), since the chapter numbers differ between versions. For example, Authentication is V6 in 5.0 but V2 in 4.0.3.
- Level: every repository is assigned an ASVS level (L1, L2, or L3) reflecting how much rigor its risk profile demands.
- Sections: each repository carries the ASVS chapters relevant to it (for example, V6 Authentication and V7 Session Management for an auth service under ASVS 5.0).
- View vulnerabilities: jump to the repository’s findings in Gecko.
- Edit sections: adjust which ASVS sections apply to the repository.
- Remove mapping: stop mapping the repository to a DefectDojo product.
Troubleshooting
Connection fails when saving the API key
Gecko couldn’t reach DefectDojo or the key was rejected. Confirm the instance
URL is correct and served over HTTPS, that the API v2 key hasn’t been rotated,
and, for self-hosted instances behind a firewall, that Gecko’s
egress IPs are allowed.
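Before pasting a key into Gecko, or when the connection fails to save, it helps to test the key directly against DefectDojo from a machine that can reach it. The script below is an added example, not code from Gecko or DefectDojo; it assumes DefectDojo’s standard API v2 route `/api/v2/products/` and its `Authorization: Token <key>` header. It checks the three causes named in the Prerequisites and in this troubleshooting entry: the URL is HTTPS, the key is accepted, and the key’s user can read products (a 403 points at a user that cannot create products, which the key must be able to do for the mapping step).

```shell
#!/bin/sh
# Added example (not part of Gecko's or DefectDojo's own code): check a
# DefectDojo API v2 key before giving it to Gecko. Assumes DefectDojo's
# standard /api/v2/products/ route and "Authorization: Token" header.

# Normalise the instance URL: require https://, drop a trailing slash.
# Prints the cleaned URL and returns 0, or returns 1 if the scheme is wrong.
normalize_dojo_url() {
  url=$1
  case "$url" in
    https://*) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "${url%/}"
}

# Map the HTTP status returned by /api/v2/products/ to the likely cause.
# curl reports 000 when no HTTP response was received at all.
explain_status() {
  case "$1" in
    200) echo "ok: key accepted and the user can read products" ;;
    401) echo "rejected: key invalid or rotated; copy a fresh API v2 key" ;;
    403) echo "forbidden: key valid but the user lacks product permissions" ;;
    000) echo "unreachable: DNS, TLS or firewall problem (check the egress allow-list)" ;;
    *)   echo "unexpected HTTP status $1" ;;
  esac
}

# Live check. Usage: dojo_check_key https://defectdojo.example.com "$KEY"
# Returns 0 only when the key is accepted (HTTP 200).
dojo_check_key() {
  base=$(normalize_dojo_url "$1") || { echo "URL must start with https://" >&2; return 2; }
  key=$2
  status=$(curl -s -o /dev/null -w '%{http_code}' \
    -H "Authorization: Token $key" \
    -H 'Accept: application/json' \
    "$base/api/v2/products/?limit=1" 2>/dev/null)
  status=${status:-000}
  explain_status "$status"
  [ "$status" = 200 ]
}

# Only perform the live check when a URL and key are passed on the command line.
if [ "$#" -ge 2 ]; then
  dojo_check_key "$1" "$2"
fi
```

Run it as `sh check_dojo_key.sh https://defectdojo.example.com "$DOJO_KEY"` from a host on the same network path Gecko will use; a 000 there while the browser can open the instance usually means the instance is only reachable from inside a firewall that does not yet allow Gecko’s egress IPs.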
Findings aren't appearing in DefectDojo
Check that Push on scan complete is enabled and that the repository is
mapped to a product. Findings are pushed when a scan finishes, so run a fresh
scan if the mapping was added after the last one.
Resolved findings stay open in DefectDojo
Enable Include resolved findings so Gecko marks resolved findings as
mitigated instead of leaving them open.