If your team runs DefectDojo as its vulnerability-management hub, Gecko can push findings into it so they sit alongside the rest of your AppSec program, and map each repository to a DefectDojo product with its own ASVS compliance profile. Configure it in Settings > DefectDojo. This is a one-way export, like the GitLab vulnerability export: Gecko keeps DefectDojo in sync as scans run, while triage in Gecko stays the source of truth for the rich call chain, proof of concept, and patch. When a finding is fixed in Gecko, the matching DefectDojo finding is updated too.

Prerequisites

  • A DefectDojo instance (self-hosted or Cloud) that Gecko can reach over HTTPS. For self-hosted instances behind a firewall, allow Gecko’s egress IPs.
  • A DefectDojo API v2 key to authenticate the connection.
  • The Admin or Manager role in Gecko. See Teams & permissions.

Connect DefectDojo

1. Copy your DefectDojo API v2 key

In DefectDojo, open your user profile and go to API v2 Key. Copy the token. The key inherits that user’s permissions, so use an account that can create products and import findings.

2. Add the connection in Gecko

Go to Settings > DefectDojo, then enter your instance URL (for example https://defectdojo.example.com) and paste the API v2 key. Click Connect. Gecko verifies the connection immediately. If the URL is unreachable or the key is rejected, Gecko shows the error inline. Confirm the instance is reachable from Gecko’s egress IPs and that the key is still valid, then try again.

3. Map a repository to a product

Choose a connected repository and map it to a DefectDojo product. Gecko creates the product if it doesn’t exist yet. Assign the repository’s ASVS level and sections while you’re here, or adjust them later.

4. Run a scan to verify

Open the repository and run a scan. When it completes, Gecko pushes the findings to the mapped product. Open it in DefectDojo to confirm they landed.

How it works

Each connected repository maps to a DefectDojo product. When a scan completes, Gecko pushes that repository’s findings into its product so DefectDojo reflects the current state of the codebase:
  • Push on scan complete: Gecko syncs findings to DefectDojo automatically after every scan. Turn it off to pause exports.
  • Include resolved findings: when a finding is resolved in Gecko, it’s marked as mitigated in DefectDojo instead of being left open.
The connection is shown at the top of the page along with your instance URL, the number of repositories mapped to products, and the total ASVS sections tracked across them.

ASVS compliance tracking

Beyond pushing findings, Gecko tracks each repository against the OWASP ASVS so you can see which verification areas each product is expected to meet. Gecko auto-detects which ASVS chapters apply to a repository from what the code does, so you don’t map them by hand:
  • Standard version: choose which ASVS version Gecko tracks against, set on the DefectDojo connection. New connections default to the latest, ASVS 5.0. Match this to the version your DefectDojo benchmark uses (DefectDojo can run an older set such as 4.0.3), since the chapter numbers differ between versions. For example, Authentication is V6 in 5.0 but V2 in 4.0.3.
  • Level: every repository is assigned an ASVS level (L1, L2, or L3) reflecting how much rigor its risk profile demands.
  • Sections: each repository carries the ASVS chapters relevant to it (for example, V6 Authentication and V7 Session Management for an auth service under ASVS 5.0).
The settings page lists every repository with its provider, level, and mapped sections. From the row menu you can:
  • View vulnerabilities: jump to the repository’s findings in Gecko.
  • Edit sections: adjust which ASVS sections apply to the repository.
  • Remove mapping: stop mapping the repository to a DefectDojo product.

Troubleshooting

  • Gecko couldn’t reach DefectDojo or the key was rejected: confirm the instance URL is correct and served over HTTPS, that the API v2 key hasn’t been rotated, and, for self-hosted instances behind a firewall, that Gecko’s egress IPs are allowed.
  • Findings aren’t appearing in DefectDojo: check that Push on scan complete is enabled and that the repository is mapped to a product. Findings are pushed when a scan finishes, so run a fresh scan if the mapping was added after the last one.
  • Resolved findings are still open in DefectDojo: enable Include resolved findings so Gecko marks resolved findings as mitigated instead of leaving them open.
  • Scanning does not go through DefectDojo: this is distinct from connecting source control for scanning. DefectDojo is an export target for findings Gecko has already produced. Connect GitHub or GitLab first.
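To confirm step 4 and the troubleshooting checks above from outside the Gecko UI, the following script queries DefectDojo's API v2 directly and summarizes what the mapped product holds (active versus mitigated findings). This is an added example, not Gecko's or DefectDojo's own code: the `/api/v2/products/` and `/api/v2/findings/` paths and the `Authorization: Token` header are DefectDojo API v2 conventions, the `name` and `test__engagement__product` filter parameters are assumed, and the host and sample findings are constructed.

```python
"""Check that a DefectDojo instance accepts an API v2 key and that a mapped
product received findings. Added example, not Gecko's or DefectDojo's code;
endpoint paths and the Authorization header follow DefectDojo API v2, the
filter parameter names are assumed, host and sample data are constructed."""
import json
import urllib.error
import urllib.parse
import urllib.request

def api_url(base_url: str, path: str, **params) -> str:
    """Build an API v2 URL; refuse plain HTTP because the key travels in a header."""
    parsed = urllib.parse.urlsplit(base_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"instance URL must be https://host[:port], got {base_url!r}")
    query = urllib.parse.urlencode(params)
    return f"https://{parsed.netloc}/api/v2/{path.strip('/')}/" + (f"?{query}" if query else "")

def api_get(base_url: str, api_key: str, path: str, **params) -> dict:
    """GET a JSON list endpoint; 401/403 means the key was rejected or rotated."""
    req = urllib.request.Request(api_url(base_url, path, **params),
                                 headers={"Authorization": f"Token {api_key}",
                                          "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            raise PermissionError("DefectDojo rejected the API v2 key") from exc
        raise

def summarize_findings(findings: list) -> dict:
    """Count active vs mitigated findings and tally severities from findings results."""
    summary = {"active": 0, "mitigated": 0, "by_severity": {}}
    for f in findings:
        state = "mitigated" if f.get("is_mitigated") else "active"
        summary[state] += 1
        sev = f.get("severity", "Info")
        summary["by_severity"][sev] = summary["by_severity"].get(sev, 0) + 1
    return summary

def verify_export(base_url: str, api_key: str, product_name: str) -> dict:
    """Look up the product a repository is mapped to, then summarize its findings."""
    products = api_get(base_url, api_key, "products", name=product_name)["results"]
    if not products:
        raise LookupError(f"no product named {product_name!r}; check the repository mapping")
    product_id = products[0]["id"]
    page = api_get(base_url, api_key, "findings", test__engagement__product=product_id, limit=500)
    return summarize_findings(page["results"])
```

Run `verify_export("https://defectdojo.example.com", "<API v2 key>", "<product name>")` after a scan; a `PermissionError` points at a rotated key, a `LookupError` at a missing mapping, and a `mitigated` count of zero after fixing findings suggests Include resolved findings is off.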