DefectDojo
by jamiesonio
Connect with DefectDojo for powerful vulnerability management and seamless threat and vulnerability management integrati
Bridges to the DefectDojo vulnerability management system, enabling interaction with security findings, products, and engagements for streamlined security workflow integration.
best for
- Security teams managing vulnerability workflows
- DevSecOps automation and reporting
- Security assessment tracking
capabilities
- Query security findings and vulnerabilities
- Search and filter DefectDojo findings
- Create and update security findings
- Manage engagement lifecycles
- List products and engagements
- Add notes to security findings
what it does
Connects to DefectDojo vulnerability management systems to retrieve, create, and manage security findings, products, and engagements through the DefectDojo API.
about
DefectDojo is a community-built MCP server published by jamiesonio that provides AI assistants with tools and capabilities via the Model Context Protocol. It is categorized under auth security.
how to install
You can install DefectDojo in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.
license
MIT
DefectDojo is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.
readme
DefectDojo MCP Server
This project provides a Model Context Protocol (MCP) server implementation for DefectDojo, a popular open-source vulnerability management tool. It allows AI agents and other MCP clients to interact with the DefectDojo API programmatically.
Features
This MCP server exposes tools for managing key DefectDojo entities:
- Findings: Fetch, search, create, update status, and add notes.
- Products: List available products.
- Engagements: List, retrieve details, create, update, and close engagements.
Installation & Running
There are a couple of ways to run this server:
Using uvx (Recommended)
uvx executes Python applications in temporary virtual environments, installing dependencies automatically.
uvx defectdojo-mcp
Using pip
You can install the package into your Python environment using pip.
# Install directly from the cloned source code directory
pip install .
# Or, if the package is published on PyPI
pip install defectdojo-mcp
Once installed via pip, run the server using:
defectdojo-mcp
Configuration
The server requires the following environment variables to connect to your DefectDojo instance:
- DEFECTDOJO_API_TOKEN (required): Your DefectDojo API token for authentication.
- DEFECTDOJO_API_BASE (required): The base URL of your DefectDojo instance (e.g., https://your-defectdojo-instance.com).
The token authenticates as the DefectDojo user it was issued to, so every tool call, including the write tools (create_finding, update_finding_status, create_engagement, update_engagement, close_engagement), runs with that user's permissions. Issue the token from a dedicated account limited to the products the agent should see, and keep it out of shared or version-controlled config files.
You can configure these in your MCP client's settings file. Here's an example using the uvx command:
{
"mcpServers": {
"defectdojo": {
"command": "uvx",
"args": ["defectdojo-mcp"],
"env": {
"DEFECTDOJO_API_TOKEN": "YOUR_API_TOKEN_HERE",
"DEFECTDOJO_API_BASE": "https://your-defectdojo-instance.com"
}
}
}
}
If you installed the package using pip, the configuration would look like this:
{
"mcpServers": {
"defectdojo": {
"command": "defectdojo-mcp",
"args": [],
"env": {
"DEFECTDOJO_API_TOKEN": "YOUR_API_TOKEN_HERE",
"DEFECTDOJO_API_BASE": "https://your-defectdojo-instance.com"
}
}
}
}
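Before handing these two variables to an MCP client it is worth checking them once, since the token is sent on every request. The following is an added example, not code from the defectdojo-mcp project: it validates DEFECTDOJO_API_BASE and DEFECTDOJO_API_TOKEN the way a practitioner would (https only, no embedded credentials, placeholder token rejected) and builds the `Authorization: Token <key>` header that DefectDojo's v2 REST API expects. The `/api/v2` suffix and the `redacted()` helper are this example's own conventions, not the server's.

```python
"""Pre-flight check for the two variables the server requires (added example)."""
import os
from typing import List, Mapping, Optional
from urllib.parse import urlsplit


class ConfigError(ValueError):
    """Raised when the DefectDojo connection settings are unusable."""


PLACEHOLDER_TOKEN = "YOUR_API_TOKEN_HERE"  # value copied verbatim from the config snippets above


def validate(env: Mapping[str, str]) -> List[str]:
    """Return every problem found with the two required variables (empty list = OK).

    - the base URL must be https: the token travels in a request header on every
      call, so plain http would expose it, and every finding, in transit;
    - the URL must not carry embedded credentials, a query string or a fragment;
    - the token must be present and must not still be the documentation placeholder.
    """
    problems: List[str] = []
    base = (env.get("DEFECTDOJO_API_BASE") or "").strip()
    token = (env.get("DEFECTDOJO_API_TOKEN") or "").strip()

    if not base:
        problems.append("DEFECTDOJO_API_BASE is required")
    else:
        parts = urlsplit(base)
        if parts.scheme != "https":
            problems.append("DEFECTDOJO_API_BASE must use https (got %r)" % (parts.scheme or ""))
        if not parts.hostname:
            problems.append("DEFECTDOJO_API_BASE has no host")
        if parts.username or parts.password:
            problems.append("DEFECTDOJO_API_BASE must not embed credentials")
        if parts.query or parts.fragment:
            problems.append("DEFECTDOJO_API_BASE must be a bare origin, optionally with a path prefix")

    if not token:
        problems.append("DEFECTDOJO_API_TOKEN is required")
    elif token == PLACEHOLDER_TOKEN:
        problems.append("DEFECTDOJO_API_TOKEN still holds the placeholder value")
    elif any(c.isspace() for c in token):
        problems.append("DEFECTDOJO_API_TOKEN contains whitespace")
    return problems


def load_config(env: Optional[Mapping[str, str]] = None) -> dict:
    """Build the API base URL and request headers, or raise ConfigError.

    DefectDojo's v2 REST API authenticates with ``Authorization: Token <key>``.
    """
    env = os.environ if env is None else env
    problems = validate(env)
    if problems:
        raise ConfigError("; ".join(problems))
    base = env["DEFECTDOJO_API_BASE"].strip().rstrip("/")
    token = env["DEFECTDOJO_API_TOKEN"].strip()
    return {
        "base": base,
        "api": base + "/api/v2",  # assumed API prefix of a stock DefectDojo install
        "headers": {"Authorization": "Token " + token, "Accept": "application/json"},
    }


def redacted(cfg: dict) -> dict:
    """A copy of the config that is safe to log or paste into a ticket: the token is masked."""
    token = cfg["headers"]["Authorization"].split(" ", 1)[1]
    return {"base": cfg["base"], "api": cfg["api"], "token": token[:4] + "***"}


if __name__ == "__main__":
    try:
        print(redacted(load_config()))
    except ConfigError as err:
        raise SystemExit("config error: " + str(err))
```

Run it in the same shell (or with the same `env` block) that will launch the server; a non-empty `validate()` result is the reason the client's "connection error" would otherwise be a blind guess.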
Available Tools
The following tools are available via the MCP interface:
- get_findings: Retrieve findings with filtering (product_name, status, severity) and pagination (limit, offset).
- search_findings: Search findings using a text query, with filtering and pagination.
- update_finding_status: Change the status of a specific finding (e.g., Active, Verified, False Positive).
- add_finding_note: Add a textual note to a finding.
- create_finding: Create a new finding associated with a test.
- list_products: List products with filtering (name, prod_type) and pagination.
- list_engagements: List engagements with filtering (product_id, status, name) and pagination.
- get_engagement: Get details for a specific engagement by its ID.
- create_engagement: Create a new engagement for a product.
- update_engagement: Modify details of an existing engagement.
- close_engagement: Mark an engagement as completed.
(See the Usage Examples below for a call of each tool.)
Usage Examples
(Note: These examples assume an MCP client environment capable of calling use_mcp_tool)
Get Findings
# Get active, high-severity findings (limit 10)
result = await use_mcp_tool("defectdojo", "get_findings", {
"status": "Active",
"severity": "High",
"limit": 10
})
Search Findings
# Search for findings containing 'SQL Injection'
result = await use_mcp_tool("defectdojo", "search_findings", {
"query": "SQL Injection"
})
Update Finding Status
# Mark finding 123 as Verified
result = await use_mcp_tool("defectdojo", "update_finding_status", {
"finding_id": 123,
"status": "Verified"
})
Add Note to Finding
result = await use_mcp_tool("defectdojo", "add_finding_note", {
"finding_id": 123,
"note": "Confirmed vulnerability on staging server."
})
Create Finding
result = await use_mcp_tool("defectdojo", "create_finding", {
"title": "Reflected XSS in Search Results",
"test_id": 55, # ID of the associated test
"severity": "Medium",
"description": "User input in search is not properly sanitized, leading to XSS.",
"cwe": 79
})
List Products
# List products containing 'Web App' in their name
result = await use_mcp_tool("defectdojo", "list_products", {
"name": "Web App",
"limit": 10
})
List Engagements
# List 'In Progress' engagements for product ID 42
result = await use_mcp_tool("defectdojo", "list_engagements", {
"product_id": 42,
"status": "In Progress"
})
Get Engagement
result = await use_mcp_tool("defectdojo", "get_engagement", {
"engagement_id": 101
})
Create Engagement
result = await use_mcp_tool("defectdojo", "create_engagement", {
"product_id": 42,
"name": "Q2 Security Scan",
"target_start": "2025-04-01",
"target_end": "2025-04-15",
"status": "Not Started"
})
Update Engagement
result = await use_mcp_tool("defectdojo", "update_engagement", {
"engagement_id": 101,
"status": "In Progress",
"description": "Scan initiated."
})
Close Engagement
result = await use_mcp_tool("defectdojo", "close_engagement", {
"engagement_id": 101
})
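The calls above go through whatever MCP client you use, so it helps to know what they turn into on the wire and where an agent-driven write deserves a guardrail. The block below is an added example, not code from the defectdojo-mcp project: it builds the DefectDojo v2 REST requests that `get_findings`, `update_finding_status` and `add_finding_note` plausibly correspond to, and parses a constructed findings page. The mapping of tool status names to DefectDojo's boolean finding fields (`active`, `verified`, `false_p`, `out_of_scope`, `is_mitigated`), the `product_name` filter and the `/findings/{id}/notes/` endpoint are assumptions drawn from DefectDojo's API, not a description of the server's internals; the note-required rule for closing states is this example's own policy.

```python
"""Tool calls as DefectDojo v2 REST requests, built offline (added example)."""
from urllib.parse import urlencode

# Assumed to come from DEFECTDOJO_API_BASE; the v2 API lives under /api/v2.
API = "https://your-defectdojo-instance.com/api/v2"

# Status names the tools accept vs. the boolean fields DefectDojo stores on a
# finding.  Assumption: the server maps them like this; a closing state also
# clears ``active`` so the finding drops out of the default open-findings views.
STATUS_FIELDS = {
    "Active": {"active": True},
    "Verified": {"verified": True},
    "False Positive": {"false_p": True, "active": False},
    "Out of Scope": {"out_of_scope": True, "active": False},
    "Mitigated": {"is_mitigated": True, "active": False},
}
SEVERITIES = ("Info", "Low", "Medium", "High", "Critical")


def get_findings_request(product_name=None, status=None, severity=None, limit=20, offset=0):
    """Build the GET /findings/ request behind a get_findings tool call."""
    if severity is not None and severity not in SEVERITIES:
        raise ValueError("severity must be one of %s" % (SEVERITIES,))
    if status is not None and status not in STATUS_FIELDS:
        raise ValueError("unknown status %r" % status)
    params = {"limit": int(limit), "offset": int(offset)}
    if product_name:
        params["product_name"] = product_name
    if severity:
        params["severity"] = severity
    if status:  # booleans go into the query string as lowercase strings
        params.update({k: str(v).lower() for k, v in STATUS_FIELDS[status].items()})
    return {"method": "GET", "url": API + "/findings/?" + urlencode(params)}


def status_change_allowed(status, note=None):
    """Guardrail: a state that closes the finding needs a note explaining why.

    Without it an agent could make a vulnerability vanish from the queue with no
    audit trail beyond the raw API log.  Unknown statuses are refused outright.
    """
    fields = STATUS_FIELDS.get(status)
    if fields is None:
        return False
    return bool(note) or fields.get("active", True) is not False


def update_finding_status_request(finding_id, status, note=None):
    """PATCH /findings/{id}/ (plus POST /findings/{id}/notes/ when a note is given)."""
    if not status_change_allowed(status, note):
        raise ValueError("status %r is unknown or requires a note" % (status,))
    fid = int(finding_id)
    reqs = [{"method": "PATCH", "url": "%s/findings/%d/" % (API, fid),
             "json": dict(STATUS_FIELDS[status])}]
    if note:
        reqs.append({"method": "POST", "url": "%s/findings/%d/notes/" % (API, fid),
                     "json": {"entry": note}})
    return reqs


def finding_status(f):
    """Derive one status label from the booleans on a finding record."""
    if f.get("false_p"):
        return "False Positive"
    if f.get("out_of_scope"):
        return "Out of Scope"
    if f.get("is_mitigated"):
        return "Mitigated"
    if f.get("verified"):
        return "Verified"
    return "Active" if f.get("active") else "Inactive"


def parse_findings_page(page):
    """Reduce a list response (count/next/previous/results) to what an agent
    needs, and flag whether another page must be fetched with a larger offset."""
    return {
        "total": page["count"],
        "has_more": page.get("next") is not None,
        "findings": [
            {"id": f["id"], "title": f["title"], "severity": f["severity"],
             "cwe": f.get("cwe"), "status": finding_status(f)}
            for f in page["results"]
        ],
    }


# Constructed sample shaped like a /api/v2/findings/ response; not real data.
SAMPLE_PAGE = {
    "count": 3,
    "next": API + "/findings/?limit=2&offset=2",
    "previous": None,
    "results": [
        {"id": 123, "title": "SQL Injection in /search", "severity": "High",
         "active": True, "verified": False, "false_p": False, "cwe": 89},
        {"id": 124, "title": "Reflected XSS in Search Results", "severity": "Medium",
         "active": True, "verified": True, "false_p": False, "cwe": 79},
    ],
}

if __name__ == "__main__":
    print(get_findings_request(status="Active", severity="High", limit=10)["url"])
    print(update_finding_status_request(123, "Verified"))
    print(parse_findings_page(SAMPLE_PAGE))
```

Because every function returns plain dicts rather than sending anything, the same code can sit in front of an agent as a dry-run: log the request it would make, apply the note rule, and only then let the real tool call through.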
Development
Setup
- Clone the repository.
- It's recommended to use a virtual environment:
python -m venv .venv
source .venv/bin/activate  # On Windows use `.venv\Scripts\activate`
- Install dependencies, including development dependencies:
pip install -e ".[dev]"
License
This project is licensed under the MIT License - see the LICENSE file for details.
Contributing
Contributions are welcome! Please feel free to open an issue for bugs, feature requests, or questions. If you'd like to contribute code, please open an issue first to discuss the proposed changes.
FAQ
- What is the DefectDojo MCP server?
- DefectDojo is a Model Context Protocol (MCP) server profile on explainx.ai. MCP lets AI hosts (e.g. Claude Desktop, Cursor) call tools and resources through a standard interface; this page summarizes categories, install hints, and community ratings.
- How do MCP servers relate to agent skills?
- Skills are reusable instruction packages (often SKILL.md); MCP servers expose live capabilities. Teams frequently combine both—skills for workflows, MCP for APIs and data. See explainx.ai/skills and explainx.ai/mcp-servers for parallel directories.
- How are reviews shown for DefectDojo?
- This profile displays 31 aggregated ratings (sample rows for discoverability plus signed-in user reviews). Average score is about 4.6 out of 5—verify behavior in your own environment before production use.
Use Cases
Extended AI Capabilities
Add new capabilities to Claude beyond text generation
Example
Access external data sources, execute code, interact with tools and services
Transform Claude from chatbot to action-taking agent
Context Enhancement
Provide Claude with access to relevant context and data
Example
Load project documentation, access knowledge bases, query databases
Get more accurate, context-aware responses
Workflow Automation
Automate multi-step workflows combining AI and external tools
Example
Research → Summarize → Create document → Send notification
Complete complex tasks end-to-end without manual steps
Implementation Guide
Prerequisites
- Claude Desktop 0.7.0+ or Cursor IDE with MCP support
- Basic understanding of MCP architecture and capabilities
- Access credentials for integrated services (if required)
- Willingness to experiment and iterate on configuration
Time Estimate
15-60 minutes depending on server complexity
Installation Steps
1. Install the MCP server. For this server that means the Python package from the README above (`uvx defectdojo-mcp`, or `pip install defectdojo-mcp`); the generic `npm install -g [package-name]` applies only to Node-based servers.
2. Add the server entry to your MCP client's configuration file (for Claude Desktop, claude_desktop_config.json; see the install panel for other clients).
3. Provide the required credentials and configuration (here: DEFECTDOJO_API_TOKEN and DEFECTDOJO_API_BASE, passed as environment variables rather than hard-coded in shared files).
4. Restart the client (e.g. Claude Desktop) to load the new server.
5. Test basic functionality with simple prompts, starting with read-only tools such as list_products and get_findings before enabling writes.
6. Explore capabilities and experiment with use cases.
7. Document successful patterns for reuse.
Troubleshooting
- MCP server not loading: Check config syntax, verify installation
- Connection errors: Check network, firewall, credentials
- Feature not working: Read server docs, check required parameters
- Performance issues: Monitor resource usage, check for network latency
- Conflicts with other servers: Check port assignments, namespace collisions
Best Practices
✓ Do
- Read server documentation thoroughly before setup
- Start with simple use cases to validate functionality
- Test in non-production environment first
- Monitor resource usage and performance
- Keep servers updated for bug fixes and new features
- Document configuration for team members
- Use environment variables for sensitive configuration
✗ Don't
- Don't grant overly permissive access to MCP servers
- Don't skip reading security considerations in docs
- Don't expose sensitive data without proper controls
- Don't run untrusted MCP servers without code review
- Don't ignore error messages; investigate the root cause
💡 Pro Tips
- Combine multiple MCP servers for powerful workflows
- Create custom MCP servers for your specific needs
- Share successful configurations with team
- Use MCP inspector for debugging
- Join MCP community for tips and troubleshooting
Technical Details
Architecture
Model Context Protocol standardizes how AI hosts (Claude, Cursor) communicate with external tools and data sources through server implementations.
Protocols
- Model Context Protocol (MCP)
- JSON-RPC 2.0
- stdio or HTTP transport
Compatibility
- Claude Desktop
- Cursor IDE
- Custom MCP clients
When to Use This
✓ Use When
Use when you need Claude to access external data, execute actions, or integrate with tools. Best for extending AI capabilities beyond conversation.
✗ Avoid When
Avoid when native integrations exist (use official APIs directly), for real-time critical systems, or when security/compliance requires zero external dependencies.
Integration
- Tool composition: Chain multiple MCP tools in workflows
- Context augmentation: Provide AI with relevant external data
- Action delegation: Let AI execute tasks on external systems
- Bidirectional sync: Keep AI context and external systems in sync
Ratings
4.6 ★★★★★ (31 reviews)
- ★★★★★ Emma Rahman · Dec 28, 2024
DefectDojo is a well-scoped MCP server in the explainx.ai directory — install snippets and categories matched our Claude Code setup.
- ★★★★★ Jin Liu · Dec 20, 2024
I recommend DefectDojo for teams standardizing on MCP; the explainx.ai page compares cleanly with sibling servers.
- ★★★★★ Alexander Farah · Dec 8, 2024
Strong directory entry: DefectDojo surfaces stars and publisher context so we could sanity-check maintenance before adopting.
- ★★★★★ William Jain · Nov 19, 2024
Useful MCP listing: DefectDojo is the kind of server we cite when onboarding engineers to host + tool permissions.
- ★★★★★ Min Singh · Oct 10, 2024
DefectDojo reduced integration guesswork — categories and install configs on the listing matched the upstream repo.
- ★★★★★ Sakshi Patil · Sep 25, 2024
We wired DefectDojo into a staging workspace; the listing’s GitHub and npm pointers saved time versus hunting across READMEs.
- ★★★★★ Hana Perez · Sep 25, 2024
DefectDojo is a well-scoped MCP server in the explainx.ai directory — install snippets and categories matched our Claude Code setup.
- ★★★★★ Rahul Santra · Sep 5, 2024
I recommend DefectDojo for teams standardizing on MCP; the explainx.ai page compares cleanly with sibling servers.
- ★★★★★ Min Mensah · Sep 1, 2024
DefectDojo is among the better-indexed MCP projects we tried; the explainx.ai summary tracks the official description.
- ★★★★★ Pratham Ware · Aug 24, 2024
Strong directory entry: DefectDojo surfaces stars and publisher context so we could sanity-check maintenance before adopting.