You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* delete redundant articles
* mv source-code article to new directory
* Add triageless info to import-scan article
* add SSO whitelist info to docs
* remove reference to deprecated async import
* Update import_scan_ui.md
* add OIDC to docs
---------
Co-authored-by: Paul Osinski <paul.m.osinski@gmail.com>
Copy file name to clipboardExpand all lines: docs/content/en/connecting_your_tools/import_scan_files/import_scan_ui.md
+22-4Lines changed: 22 additions & 4 deletions
Original file line number
Diff line number
Diff line change
@@ -65,9 +65,27 @@ This option is especially relevant when using the API to import data. If uploadi
65
65
***Source Code Management URI** can also be specified. This form option must be a valid URI.
66
66
***Group By:** if you want to create Finding Groups out of this File, you can specify the grouping method here.
67
67
68
-
### Next Steps
68
+
### Triage-less scanners: Do Not Reactivate field
69
69
70
-
Once your upload has completed, you should be redirected to the Test Page which contains the Findings found in the scan file. You can start working with those results right away, but feel free to consult the following articles:
70
+
Some scanners might not include triage information in their reports (e.g. tfsec). They simply scan code or dependencies, flag issues, and return everything, regardless of whether a vulnerability has already been triaged or not.
71
71
72
-
* Learn how to organize your Product Hierarchy to manage different contexts for your Findings and Tests: [Product Hierarchy Overview](/en/working_with_findings/organizing_engagements_tests/product_hierarchy/).
73
-
* Learn how to extend a Test with additional Findings and reports: [Reimport Guide](../using_reimport/)
72
+
To handle this case, DefectDojo also includes a "Do not reactivate" checkbox in uploading reports (also in the reimport API), so you can use DefectDojo as the source of truth for triage, instead of reactivating your triaged Findings on each import / reimport.
73
+
74
+
### Using the Scan Completion Date (API: `scan_date`) field
75
+
76
+
DefectDojo offers a plethora of supported scanner reports, but not all of them contain the
77
+
information most important to a user. The `scan_date` field is a flexible smart feature that
78
+
allows users to set the completion date of the a given scan report, and have it propagate
79
+
down to all the findings imported. This field is **not** mandatory, but the default value for
80
+
this field is the date of import (whenever the request is processed and a successful response is returned).
81
+
82
+
Here are the following use cases for using this field:
83
+
84
+
1. The report **does not** set the date, and `scan_date` is **not** set at import
85
+
- Finding date will be the default value of `scan_date`
86
+
2. The report **sets** the date, and the `scan_date` is **not** set at import
87
+
- Finding date will be whatever the report sets
88
+
3. The report **does not** set the date, and the `scan_date` is **set** at import
89
+
- Finding date will be whatever the user set for `scan_date`
90
+
4. The report **sets** the date, and the `scan_date` is **set** at import
91
+
- Finding date will be whatever the user set for `scan_date`
Copy file name to clipboardExpand all lines: docs/content/en/customize_dojo/user_management/configure_sso.md
+55Lines changed: 55 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -16,6 +16,8 @@ Users can connect to DefectDojo with a Username and Password, but if you prefer,
16
16
17
17
All of these methods can only be configured by a Superuser in DefectDojo. DefectDojo Pro users can quickly set up SSO through their system settings, while Open Source users will need to configure these settings on the back-end by setting an environment variable within Docker. This article covers both methods of configuration.
18
18
19
+
**NOTE: DefectDojo Pro users will all need to add the IP addresses of SAML or SSO services to their Firewall whitelist. See [Firewall Rules](/en/cloud_management/using-cloud-manager/#changing-your-firewall-settings) for more information.**
20
+
19
21
## Disable username / password use
20
22
You may wish to disable traditional username/password login on your instance.
21
23
@@ -513,6 +515,59 @@ GET parameter starts with `http://` instead of
513
515
514
516
2. Restart DefectDojo, and 'Login With Okta' should appear on the login screen.
515
517
518
+
## OIDC (OpenID Connect)
519
+
520
+
Adding OIDC gives you the option to authenticate users using a generic OIDC provider.
521
+
522
+
### Pro Configuration
523
+
524
+
In DefectDojo Pro, OIDC can be configured from the OIDC settings page:
525
+
526
+
527
+
528
+
Fill out the form as follows
529
+
530
+
1. Enter your OIDC endpoint in the Endpoint field. This is the base URL of your OIDC instance (you do not need to include `/.well-known/open-id-configuration/`)
531
+
532
+
2. Enter your OIDC Client ID in the Client ID field.
533
+
534
+
3. Enter the OIDC Client Secret in the Client Secret field.
535
+
536
+
4. Check the box for Enable OIDC.
537
+
538
+
Once the form has been submitted, Log In With OIDC should be added as an option to the DefectDojo login page.
539
+
540
+
541
+
### Open-Source
542
+
543
+
The minimum configuration requires you to set the following environment variables:
Once these variables have been set, restart DefectDojo. Log In With OIDC should now be added to the DefectDojo login page.
570
+
516
571
## SAML Configuration
517
572
518
573
<span style="background-color:rgba(242, 86, 29, 0.3)">DefectDojo Pro</span> users can follow this guide to set up a SAML configuration using the DefectDojo UI. Open-Source users can set up SAML via environment variables, using the following [guide](./#open-source-saml).
0 commit comments