
DefectDojo

Open-source vulnerability management aggregator

Open Source

DefectDojo is an open-source vulnerability management platform with 4.7K+ GitHub stars that aggregates findings from 200+ security tools into a single view for ranking, triaging, and tracking remediation. It acts as a central hub for security teams by normalizing data from SAST, DAST, container scanners, and dependency checkers into a unified workflow with deduplication and metrics.


DefectDojo solves the fragmentation problem in application security by providing a centralized platform where findings from any security scanner can be imported, normalized, and managed. The platform ships with over 200 security tool parsers out of the box, covering tools like Semgrep, Trivy, Bandit, ZAP, and Burp Suite, and accepts custom parsers for anything else. Each finding is deduplicated, tagged, and assigned a severity level, allowing security teams to focus on unique vulnerabilities rather than drowning in duplicate reports.
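The usual way to feed a scanner into that pipeline is to upload its report to the REST API endpoint `/api/v2/import-scan/` from a CI job. The script below is an added example written for this page, not code from the DefectDojo project; it assumes a DefectDojo instance at the hypothetical `DOJO_URL`, an API token in `DOJO_TOKEN`, and an existing engagement whose numeric ID is in `DOJO_ENGAGEMENT_ID`. It builds the multipart request by hand with the standard library so it runs without a third-party client, and sets `close_old_findings` so findings missing from a fresh report are closed instead of lingering as stale duplicates.

```python
"""Import a scanner report into DefectDojo via its REST API v2 (added example)."""
import json
import os
import sys
import uuid
import urllib.error
import urllib.request

# Assumed deployment values (not from the page): read from the CI environment.
DOJO_URL = os.environ.get("DOJO_URL", "https://defectdojo.example.internal")
DOJO_TOKEN = os.environ.get("DOJO_TOKEN", "")
ENGAGEMENT_ID = int(os.environ.get("DOJO_ENGAGEMENT_ID", "1"))


def build_import_fields(engagement_id, scan_type, *, minimum_severity="Low",
                        close_old_findings=True, tags=()):
    """Form fields for POST /api/v2/import-scan/ (reimport-scan uses the same names).

    close_old_findings tells DefectDojo to close findings that were present in an
    earlier import into this engagement but are absent from this report.
    """
    fields = {
        "engagement": str(engagement_id),
        "scan_type": scan_type,            # e.g. "Trivy Scan", "Semgrep JSON Report"
        "minimum_severity": minimum_severity,
        "active": "true",
        "verified": "false",               # let triage, not the scanner, mark findings verified
        "close_old_findings": "true" if close_old_findings else "false",
    }
    if tags:
        fields["tags"] = ",".join(tags)
    return fields


def encode_multipart(fields, file_field, filename, content, boundary=None):
    """Encode text fields plus one file as multipart/form-data; returns (body, content_type)."""
    boundary = boundary or uuid.uuid4().hex
    lines = []
    for name, value in fields.items():
        lines += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(),
                  b"", value.encode()]
    lines += [f"--{boundary}".encode(),
              f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"'.encode(),
              b"Content-Type: application/octet-stream", b"", content]
    lines += [f"--{boundary}--".encode(), b""]
    return b"\r\n".join(lines), f"multipart/form-data; boundary={boundary}"


def import_scan(report_path, scan_type, engagement_id=ENGAGEMENT_ID):
    """Upload one scanner report; returns DefectDojo's JSON response (includes the test id)."""
    with open(report_path, "rb") as fh:
        content = fh.read()
    fields = build_import_fields(engagement_id, scan_type, tags=("ci",))
    body, content_type = encode_multipart(fields, "file", os.path.basename(report_path), content)
    req = urllib.request.Request(
        f"{DOJO_URL}/api/v2/import-scan/",
        data=body,
        method="POST",
        headers={"Authorization": f"Token {DOJO_TOKEN}",   # DefectDojo API-key scheme
                 "Content-Type": content_type,
                 "Content-Length": str(len(body))},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Pipeline step, e.g.: python import_to_dojo.py trivy-report.json "Trivy Scan"
    try:
        result = import_scan(sys.argv[1], sys.argv[2])
    except urllib.error.HTTPError as err:
        sys.exit(f"DefectDojo rejected the import: {err.code} {err.read().decode(errors='replace')}")
    print(f"imported into test {result.get('test')}")
```

For recurring scans of the same target, post to `/api/v2/reimport-scan/` with the `test` ID from the first response instead of creating a new test each run; that is what lets the deduplication and `close_old_findings` logic track one finding across builds rather than opening a new copy on every pipeline execution.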

The workflow engine enables teams to assign findings to developers, track remediation progress, set SLA timelines per severity, and generate compliance reports. AI-assisted triage helps prioritize findings by risk level, considering factors like asset criticality, exploit availability, and historical fix rates. A Product Type, Product, Engagement, Test, Finding hierarchy maps vulnerabilities to business units and release cycles for executive-level visibility.

As a Django-based OWASP flagship project, DefectDojo has a mature and active community. It deploys via Docker Compose or Helm charts for Kubernetes, with both self-hosted and cloud-hosted options available. The platform is used by security teams at organizations of all sizes as their central vulnerability management hub, integrating with Jira, Slack, and CI/CD pipelines for automated workflows.

Pricing

Free open-source; cloud-hosted option available

Platforms

Docker, Kubernetes, Jira, Slack, 200+ security tool integrations

Related Tools

KubeAI

Kubernetes operator for serving AI inference workloads

KubeAI is an Apache-2.0 Kubernetes operator for deploying and scaling AI inference workloads, including LLMs, embeddings, reranking, and speech-to-text. It gives platform teams OpenAI-compatible endpoints, model proxy/controller primitives, model caching, scale-from-zero behavior, and cluster-native resource management for self-hosted inference on Kubernetes.

Open Source

Agent Governance Toolkit

Microsoft’s public-preview runtime governance toolkit for policy, identity, sandboxing, audit, and MCP security around AI agents.

Agent Governance Toolkit is Microsoft’s MIT-licensed public-preview toolkit for governing AI agent runtimes. It adds policy enforcement, zero-trust identity, execution sandboxing, audit, reliability, and MCP security-gateway patterns around tool calls and autonomous actions, helping platform teams move beyond prompt-only guardrails while preserving architecture review requirements.

Open Source, Telemetry

CLIProxyAPI

Self-hosted proxy API for routing AI CLI accounts into OpenAI-compatible endpoints

CLIProxyAPI is an open-source Go proxy server that wraps Gemini CLI, Claude Code, OpenAI Codex, Grok Build, and related CLI account flows behind OpenAI/Gemini/Claude-compatible API endpoints. Use it carefully: it can touch OAuth sessions, auth files, logs, and provider account policies, so production use needs credential and ToS review.

Open Source, Telemetry

Baz

Telemetry-aware AI code reviewer that checks how pull requests may affect real services.

Baz is an AI code-review platform focused on production-aware pull requests. Instead of only reading the diff, Baz connects code changes to application telemetry so reviewers can understand what endpoints, services, and runtime behavior may be affected. That makes it a useful complement to existing AI PR bots when the question is not just whether a change looks correct, but whether it could break a live system.

Freemium, Telemetry

Rampart

Microsoft’s pytest-native red teaming framework for turning AI agent safety findings into CI tests.

RAMPART is an open-source Microsoft framework for safety and security testing of agentic AI applications. It brings red-team findings into a pytest-native workflow so teams can turn prompt injection, unsafe tool use, and behavioral boundary failures into repeatable regression tests. The strongest aicoolies angle is developer workflow: RAMPART makes agent safety part of CI/CD instead of a one-off security review.

Open Source

Statewright

State-machine guardrails for controlling which tools AI coding agents can use at each phase.

Statewright is a guardrail layer for AI coding agents that uses explicit state machines to control what an agent can do at each stage of a workflow. Instead of relying only on prompt instructions, teams can model phases such as plan, implement, test, and review, then constrain tool access for clients like Claude Code, Codex, Cursor, opencode, and related MCP workflows.

Open Source
