GitHub Advanced Security (GHAS) - DefectDojo Integration

---

Hi developer 👋🏻! This repository is a Proof of Concept (PoC) to integrate GitHub Advanced Security (GHAS) with DefectDojo. I tried to make it as simple as possible, so you can easily adapt it to your needs.

📑 Table of Contents

• GitHub Advanced Security (GHAS) - DefectDojo Integration
  • 📑 Table of Contents
  • ✨ Features
  • 🆕 Recent Improvements
  • 🛠️ Technologies
  • 📋 Prerequisites
  • 🚀 Installation
    • Step 1: Clone this repository
    • Step 2: Set up DefectDojo
    • Step 3: Create Product and Engagement in DefectDojo
    • Step 4: Expose DefectDojo with a tunnel
    • Step 5: Configure GitHub Secrets
    • Step 6: Create a GitHub App (Optional)
  • 💻 Usage
    • Import Dependabot Alerts
    • Import Code Scanning Alerts
    • Import Secret Scanning Alerts
  • 📁 Project Structure
  • 🌐 Follow Me

✨ Features

• Full GHAS Integration: Import all three types of GitHub Advanced Security alerts into DefectDojo
• Automated Workflows: GitHub Actions workflows ready to use
• Dependabot Alerts: Import using GitHub Vulnerability Scan format
• Code Scanning Alerts: Import CodeQL results using SARIF format
• Secret Scanning Alerts: Create findings directly via DefectDojo API
• Sample Flask App: Includes a vulnerable Flask application for testing

🆕 Recent Improvements

• Manual Workflow Triggers: All workflows now support workflow_dispatch for manual execution
• Configurable Parameters:
  • engagement_id input for CodeQL and Dependabot workflows (default: 1)
  • test_id input for Secret Scanning workflow (default: 1)
• Updated GitHub Actions:
  • actions/checkout → v6
  • actions/upload-artifact → v7
  • github/codeql-action → v4

🛠️ Technologies

• Python 3.8+ - Main programming language
• Flask - Web framework for the sample vulnerable app
• GitHub Actions - CI/CD automation
• GitHub Advanced Security - Security scanning (Dependabot, CodeQL, Secret Scanning)
• DefectDojo - Vulnerability management platform
• Docker - Container support

📋 Prerequisites

• Git
• Docker & Docker Compose
• GitHub CLI (optional)
• A GitHub repository with GHAS enabled
• A GitHub App with read:security_events permission (for secrets and dependabot alerts)

🚀 Installation

Step 1: Clone this repository

git clone https://github.com/0GiS0/import-ghas-to-defectdojo.git
cd import-ghas-to-defectdojo

Step 2: Set up DefectDojo

Clone and run DefectDojo locally:

git clone https://github.com/DefectDojo/django-DefectDojo.git
cd django-DefectDojo
docker compose up -d
docker compose logs initializer | grep "Admin password:"

Then you can log in to DefectDojo at http://localhost:8080 with username admin and the password from the logs.

Step 3: Create Product and Engagement in DefectDojo

You need a Product and an Engagement created in DefectDojo. You can create them using the API. Check the file requests/create_defectDojo_artifacts.http for examples.

Step 4: Expose DefectDojo with a tunnel

Use a tunneling service like pinggy.io or ngrok:

# Using pinggy.io
ssh -p 443 -R0:localhost:8080 qr@a.pinggy.io

# Using ngrok
ngrok http 8080

Step 5: Configure GitHub Secrets

Add the following secrets to your GitHub repository:

Secret	Description
DEFECTDOJO_URL	The URL exposed by the tunnel
DEFECTDOJO_TOKEN	DefectDojo API token (create it in your user profile)

Step 6: Create a GitHub App (Optional)

To get secrets and dependabot alerts, create a GitHub App with the read:security_events permission. Follow the official documentation.

🎉 Congratulations! You are ready to go!

💻 Usage

Import Dependabot Alerts

Dependabot alerts are imported using the GitHub Vulnerability Scan format (available since DefectDojo 2.4.0).

The workflow .github/workflows/send_dependabot_security_alerts.yml retrieves alerts via GraphQL API and sends them to DefectDojo:

curl -X POST "$DEFECTDOJO_URL/import-scan/" \
  -H "Authorization: Token $DEFECTDOJO_TOKEN" \
  -F 'product_name=YOUR_PRODUCT_NAME' \
  -F 'engagement=ENGAGEMENT_ID' \
  -F 'scan_type=Github Vulnerability Scan' \
  -F 'file=@dependabot-security-alerts.json'

Import Code Scanning Alerts

Code Scanning alerts (CodeQL) are imported using the SARIF format.

The workflow .github/workflows/codeql_and_defectdojo.yml runs CodeQL analysis and uploads results:

curl -X POST "$DEFECTDOJO_URL/import-scan/" \
  -H "Authorization: Token $DEFECTDOJO_TOKEN" \
  -F 'product_name=YOUR_PRODUCT_NAME' \
  -F 'engagement=ENGAGEMENT_ID' \
  -F 'scan_type=SARIF' \
  -F 'file=@results/python.sarif'

Import Secret Scanning Alerts

Secret Scanning alerts are created directly as findings via the DefectDojo API.

The workflow .github/workflows/send_secrets_to_defectdojo.yml:

1. Fetches secrets from GitHub REST API
2. Transforms the data to DefectDojo format using jq
3. Creates findings via POST to /api/v2/findings/

# Get secrets from GitHub
curl -H "Authorization: Bearer $TOKEN" \
  https://api.github.com/repos/OWNER/REPO/secret-scanning/alerts > secrets.json

# Transform and send to DefectDojo
curl -X POST "$DEFECTDOJO_URL/findings/" \
  -H "Authorization: Token $DEFECTDOJO_TOKEN" \
  -H "Content-Type: application/json" \
  -d "$FINDING_DATA"

📁 Project Structure

import-ghas-to-defectdojo/
├── .github/
│   ├── dependabot.yml
│   └── workflows/
│       ├── codeql_and_defectdojo.yml      # CodeQL + SARIF upload
│       ├── get_alerts.yml                  # Get GHAS alerts
│       ├── send_dependabot_security_alerts.yml
│       └── send_secrets_to_defectdojo.yml
├── flask_webgoat/                          # Sample vulnerable Flask app
│   ├── actions.py
│   ├── auth.py
│   ├── status.py
│   ├── ui.py
│   ├── users.py
│   └── templates/
├── requests/                               # HTTP request examples
│   ├── create_defectDojo_artifacts.http
│   ├── defectDojo.http
│   ├── ghas_alerts_requests.http
│   └── send_*.http
├── app.py
├── Dockerfile
├── requirements.txt
└── README.md

🌐 Follow Me

If you found this project useful, don't forget to follow me on my social networks:

---

Happy hacking! 🐱‍👤