
defectdojo

Metadata

Field Value
Service defectdojo
Purpose Vulnerability management platform and findings intake portal
Criticality Tier 2
Owner Platform / Security owner
Clusters homelab
Namespace defectdojo
Exposure internet
Stateful yes
Backup class snapshot
RPO / RTO Daily backup target, 4 to 8 hours to restore
Last reviewed 2026-05-23

1. Service Overview

DefectDojo provides the web UI, API, and background workers used to centralize vulnerability findings and security workflows.

Summary

If it fails, operators lose access to the findings portal, scan ingestion, and background processing for imports and notifications.

Dependencies

Dependency Type Why it matters
PostgreSQL database Stores users, findings, products, and application state
Valkey broker / cache Required by celery workers and async processing
Traefik ingress Exposes the HTTPS route
Kustomize-generated Secret defectdojo runtime secret Provides bootstrap admin password and Django runtime secrets

2. Architecture Diagram

[Browser / API client]
  -> [Traefik]             TLS terminates here
  -> [DefectDojo nginx]    reverse proxy in front of uwsgi
  -> [DefectDojo uwsgi]    Django application
       -> [PostgreSQL]     users, findings, products, application state
       -> [Valkey]         task broker and cache

[Celery worker / beat]
  -> [Valkey]              consume queued tasks (imports, notifications)
  -> [PostgreSQL]          read and write findings produced by those tasks

3. Deployment Specifications

Item Value
Source path defectdojo/base and defectdojo/overlays/homelab
Deployment model Fleet Helm release plus Kustomize overlay resources
Namespace defectdojo
Workload kind Deployment, StatefulSets, and bootstrap Job
Chart or image version Helm chart defectdojo 1.9.28
Config files base/kustomization.yaml, overlays/homelab/kustomization.yaml, overlays/homelab/values.yaml, fleet.yaml

Cluster mapping

Cluster Overlay path Notes
homelab defectdojo/overlays/homelab Primary homelab deployment

4. Configuration Guide

Environment variables

Variable Source Purpose Secret?
DD_ADMIN_PASSWORD overlays/homelab/.defectdojo-secrets.env -> Secret defectdojo Initial superuser password at first bootstrap yes
DD_SECRET_KEY overlays/homelab/.defectdojo-secrets.env -> Secret defectdojo Django signing and session security yes
DD_CREDENTIAL_AES_256_KEY overlays/homelab/.defectdojo-secrets.env -> Secret defectdojo Encryption key for stored credentials yes
DD_CSRF_TRUSTED_ORIGINS overlays/homelab/values.yaml Trust the external HTTPS origin no
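Added example for the CSRF trusted origin setting and the "ingress / CSRF misconfiguration" failure mode listed under Operations; this is not the repository's values.yaml. The external origin has to be given with its scheme: Django 4.x rejects scheme-less CSRF_TRUSTED_ORIGINS entries in its system check (run by manage.py commands such as migrate), and because Traefik terminates TLS the browser sends Origin: https://defectdojo.home.mutana.fr, which must match exactly or every login POST ends in "CSRF verification failed". The chart keys createSecret, host, siteUrl and extraConfigs are assumed from the upstream chart's values.yaml; verify them against the pinned 1.9.28 chart before copying.

```yaml
# overlays/homelab/values.yaml (added example; chart value keys assumed)
createSecret: false                    # Secret "defectdojo" is generated by Kustomize, not the chart
host: defectdojo.home.mutana.fr
siteUrl: https://defectdojo.home.mutana.fr
extraConfigs:
  # Wrong: no scheme. Django's 4.0 compatibility check rejects this value
  # ("must start with a scheme"), so the initializer's migrate step fails.
  # DD_CSRF_TRUSTED_ORIGINS: "defectdojo.home.mutana.fr"
  #
  # Wrong: http scheme behind a TLS-terminating Traefik. The check passes,
  # but the browser's Origin header is https://..., so form POSTs are rejected.
  # DD_CSRF_TRUSTED_ORIGINS: "http://defectdojo.home.mutana.fr"
  #
  # Right: scheme plus host exactly as the browser sends it. Several origins
  # are comma-separated, so add an alternative hostname here if one is routed.
  DD_CSRF_TRUSTED_ORIGINS: "https://defectdojo.home.mutana.fr"
```

A quick check after a rollout is to open the login page in a browser, submit wrong credentials, and confirm the response is "invalid credentials" rather than a 403 CSRF page; the latter means the origin or scheme above does not match what Traefik forwards.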

ConfigMaps

Resource Path Purpose
Helm-generated DefectDojo config defectdojo/overlays/homelab/values.yaml Runtime settings, URL, replicas, probes, and resources

Secrets management

  • Secret names: defectdojo, defectdojo-postgresql-specific, and defectdojo-valkey-specific.
  • Source of truth: local .env inputs under defectdojo/overlays/homelab plus generated Kustomize Secret objects.
  • Bootstrap guard: the initializer Job now has a required secretKeyRef for DD_ADMIN_PASSWORD so first boot fails fast if the Secret is missing, instead of generating a random password.
  • Recovery note: if the first bootstrap already ran without the expected password, use the runbook to reset dojo-admin or create a replacement superuser.
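How the .env inputs become the Secret and how the bootstrap guard is wired, as an added example rather than the repository's own manifests: a Kustomize secretGenerator turns overlays/homelab/.defectdojo-secrets.env into the Secret named defectdojo with a stable name (the chart references it by that exact name, so the usual content-hash suffix must be disabled), and a patch gives the initializer Job a non-optional secretKeyRef for DD_ADMIN_PASSWORD. The Job name defectdojo-initializer, the container name initializer, and the assumption that Fleet runs Kustomize over the rendered Helm output are not stated on this page; confirm them against the pinned chart and fleet.yaml before copying.

```yaml
# overlays/homelab/kustomization.yaml (added example; Job and container names assumed)
#
# Expected content of the gitignored .defectdojo-secrets.env (constructed values):
#   DD_ADMIN_PASSWORD=replace-with-a-long-random-value
#   DD_SECRET_KEY=replace-with-a-long-random-value
#   DD_CREDENTIAL_AES_256_KEY=replace-with-a-long-random-value
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: defectdojo
resources:
  - ../../base
generatorOptions:
  # The chart references the Secret by the fixed name "defectdojo", so the
  # hash suffix Kustomize normally appends to generated Secrets must be off.
  disableNameSuffixHash: true
secretGenerator:
  - name: defectdojo
    envs:
      - .defectdojo-secrets.env   # one KEY=value per line, never committed
patches:
  - target:
      kind: Job
      name: defectdojo-initializer   # assumed name of the chart's bootstrap Job
    patch: |-
      apiVersion: batch/v1
      kind: Job
      metadata:
        name: defectdojo-initializer
      spec:
        template:
          spec:
            containers:
              - name: initializer      # assumed container name
                env:
                  - name: DD_ADMIN_PASSWORD
                    valueFrom:
                      secretKeyRef:
                        name: defectdojo
                        key: DD_ADMIN_PASSWORD
                        # false is the default; spelled out to document the guard.
                        # If the Secret or the key is missing, kubelet refuses to
                        # start the pod (CreateContainerConfigError), so the
                        # initializer never runs with an empty password and never
                        # falls back to generating a random one.
                        optional: false
```

Verify the guard before the first boot with `kustomize build overlays/homelab` and check that the Job's DD_ADMIN_PASSWORD env entry carries a secretKeyRef and that a Secret named defectdojo (no hash suffix) is emitted in the same output. If the initializer pod sits in CreateContainerConfigError after a deploy, the Secret is missing or the key name in the .env file does not match; fix the input and re-run rather than deleting the guard.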

5. Access Protocols

Path URL or endpoint Audience Auth TLS terminates at
Internal Services inside the defectdojo namespace Cluster workloads namespace RBAC nginx / service
External https://defectdojo.home.mutana.fr Operators and security users DefectDojo auth Traefik

6. Operations and Observability

  • Primary health indicators: defectdojo-django ready, initializer Job completed, login page reachable, and PostgreSQL plus Valkey healthy.
  • Dashboards or alerts: shared cluster monitoring and ingress health.
  • Log locations: uwsgi, nginx, initializer Job, celery worker, celery beat, PostgreSQL, and Valkey logs.
  • Known failure modes: missing bootstrap secret, OOM on uwsgi, PVC attachment problems, or ingress / CSRF misconfiguration.

7. Backup and Recovery Notes

  • Backup method: PostgreSQL backup plus media PVC snapshot.
  • Restore prerequisites: database state, runtime secrets, and media PVC if user-uploaded files matter.
  • Related runbook: ../runbooks/defectdojo.md

8. Release and Change Notes

  • Current deployed app version: see the upstream chart appVersion for defectdojo 1.9.28.
  • Current chart version: 1.9.28.
  • Last significant change: bootstrap hardened so the initializer waits for DD_ADMIN_PASSWORD instead of falling back to a random password.
  • Rollback reference: previous Git revision of defectdojo/overlays/homelab and defectdojo/fleet.yaml.