diff --git a/docs/assets/images/integrators_1.png b/docs/assets/images/integrators_1.png new file mode 100644 index 00000000000..26779018867 Binary files /dev/null and b/docs/assets/images/integrators_1.png differ diff --git a/docs/assets/images/integrators_2.png b/docs/assets/images/integrators_2.png new file mode 100644 index 00000000000..52fdb1e5d1e Binary files /dev/null and b/docs/assets/images/integrators_2.png differ diff --git a/docs/assets/images/integrators_3.png b/docs/assets/images/integrators_3.png new file mode 100644 index 00000000000..9b81ad527e8 Binary files /dev/null and b/docs/assets/images/integrators_3.png differ diff --git a/docs/assets/images/integrators_4.png b/docs/assets/images/integrators_4.png new file mode 100644 index 00000000000..9dcecb244d7 Binary files /dev/null and b/docs/assets/images/integrators_4.png differ diff --git a/docs/content/en/share_your_findings/integrations.md b/docs/content/en/share_your_findings/integrations.md new file mode 100644 index 00000000000..ea18f545b02 --- /dev/null +++ b/docs/content/en/share_your_findings/integrations.md @@ -0,0 +1,82 @@ +--- +title: "Integrations Guide (Pro)" +weight: 1 +--- + +DefectDojo Pro's Integrations let you push your Findings and Finding Groups to ticket tracking systems to easily integrate security remediation with your teams existing development workflow. + +Supported Integrations: +- [Azure Devops](/en/share_your_findings/integrations_toolreference/#azure-devops-boards) +- [GitHub](/en/share_your_findings/integrations_toolreference/#github) +- [GitLab Boards](/en/share_your_findings/integrations_toolreference/#gitlab) +- ServiceNow (Coming Soon) + +## Opening the Integrations page + +The Integrations page can be found under **Settings > Integrations** in the sidebar. + +![image](images/integrators_3.png) + +## Setting up an Integration + +An Integrator is configured with three key components: + +- **Integration Instance**: This is the primary connection method that DefectDojo will use with a third-party system. The Instance will include details such as a label, location and credentials to connect with, along with any other information that may be required by the vendor. +- **Issue Tracker Mapping**: This is where mapping information is stored - defining the details required to connect to a given "project" within the vendor. These details include the name or ID of the "project", and mappings from DefectDojo Finding severity and status to the corresponding field in the vendor "ticket". You may have multiple mappings configured if you are trying to push Findings to multiple "project" locations. +- **Issue Tracker Assignment**: This is where DefectDojo Products and Engagements are assigned to a given Issue Tracker Mapping, with per-Product/Engagement options to to define how a Finding will be pushed to a given vendor system. + +These components are hierarchical: Each **Instance** has one or more **Mappings**, which then have one or more **Tracker Assignments**. + +![image](images/integrators_2.png) + +## Pushing Findings and Finding Groups + +Once these components are configured, Findings and Finding Groups can be sent to a given Issue Tracker in two ways; manually, or automatically. + +- **Manually**: Findings and Finding Groups contained in a Product/Engagement with an assigned **Issue Tracker Mapping** will have an option to "Push to Integrators". This will then create an Issue in the Issue Tracker with the corresponding Finding/Finding Group information. Push To Integrators can also be used to update an existing Issue. + +### Automatically Push Findings + +Findings can also be pushed automatically, with the **Issue Tracker Assignment** dictating how those objects will be pushed. These are the four options: + +- **Explicitly Publish Changes**: This option disables any automatic behavior in the assigned Product or Engagement. The only way to push a Finding or Finding Group will be explicitly, as mentioned above. +- **Automatically Link New Findings**: When new Findings or Finding Groups are **created** in the assigned Product or Engagement, DefectDojo will automatically push the object to the Issue Tracker. Once created, these Findings or Findings Groups will not be updated without a manual Push To Integrators action. +- **Automatically Update Existing Link**: When Findings or Finding Groups are **updated** in the assigned Product or Engagement, automatically push the object to the Issue Tracker if an existing link has already been created manually. +- **Automatically Link New and Update Existing Link**: When Findings or Finding Groups are created **or** updated in the assigned Product or Engagement, automatically push the object to the Issue Tracker. + +## Issue Tracker Ticket Representation + +Issue Tracker Tickets are represented by a series of icons under the "Integrator Tickets" column when viewing and listing +Findings and Finding Groups + +Icons from left to right: + +- **Integration Type**: The type of Issue Tracker the Ticket is associated with +- **Ticket ID**: The ID of the Ticket, as defined by the Issue Tracker +- **Ticket Link**: The direct link to the Ticket, as define by the Issue Tracker +- **Changelog**: Specifies when the Issue Tracker Ticket was associated with a Finding or Finding Group, as well as the last time DefectDojo made a change to the ticket + +![image](images/integrators_1.png) + +## Supported Project Integrations + +Project Integrations will have varying requirements for how DefectDojo will need to interact with them. This could be in the form of an authentication mechanism, additional fields on a per "project" basis, or severity/status mappings. + +For the complete list of requirements, please open the vendor specific pages below: + +- [Azure Devops](/en/share_your_findings/integrations_toolreference/#azure-devops-boards) +- [GitHub](/en/share_your_findings/integrations_toolreference/#github) +- [GitLab Boards](/en/share_your_findings/integrations_toolreference/#gitlab) +- ServiceNow (Coming Soon) + +## Error Handling and Debugging + +Integrations can produce errors for a variety of reasons such as connectivity, authentication, permissions, etc.. To assist +in debugging these errors, each Issue Tracker Mapping has a table of errors that list when the error occurred, the reason it +occurred, and the Finding or Finding Group that failed to be pushed. + +These errors can be found by looking at the Issue Tracker Mappings & Assignments page, under the ⚠️ Total Errors column. + +![image](images/integrators_4.png) + +Clicking on the Total Errors entry will bring you to a page with more detailed descriptions of errors associated with this Integration. diff --git a/docs/content/en/share_your_findings/integrations_toolreference.md b/docs/content/en/share_your_findings/integrations_toolreference.md new file mode 100644 index 00000000000..68799f6bdca --- /dev/null +++ b/docs/content/en/share_your_findings/integrations_toolreference.md @@ -0,0 +1,124 @@ +--- +title: "Integrators Tool Reference" +description: "Beta Feature" +weight: 1 +--- + +Here are specific instructions detailing how to set up a DefectDojo Integration with a third party Issue Tracker. + +## Azure DevOps Boards + +### Instance Setup + +- **Label** should be the label that you want to use to identify this integration. +- **Location** should be set to your Azure URL - for example `https://dev.azure.com/{your organization}` +- **Token** should be set to a personal access token from Azure. + +Authentication with Azure DevOps requires a [personal access token](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=Windows) +with permissions set to "Read, Write and Manage" for "Work Items" for the Azure Project that you wish to work with. + +### Issue Tracker Mapping + +These details dictate how DefectDojo will map Finding or Finding Group attributes to a given Project in Azure DevOps: + +#### Issue Tracker Mapping Details + +The `Project ID` field corresponds to the name or the ID of the Project in Azure. + +#### Severity Mapping Details + +The attributes in the form are supplied as defaults, and are as follows: + +- **Severity Field Name**: `/fields/Microsoft.VSTS.Common.Priority` +- **Info Mapping**: `4` +- **Low Mapping**: `4` +- **Medium Mapping**: `3` +- **High Mapping**: `2` +- **Critical Mapping**: `1` + +#### Status Mapping Details + +The attributes in the form are supplied as defaults and are as follows: + +- **Status Field Name**: `/fields/System.State` +- **Active Mapping**: `To Do` +- **Closed Mapping**: `Done` +- **False Positive Mapping**: `Done` +- **Risk Accepted Mapping**: `Done` + +## GitHub + +The GitHub integration allows you to add issues to a [GitHub Project](https://docs.github.com/en/issues/planning-and-tracking-with-projects/learning-about-projects/about-projects), which also open Issues in an associated Repo. These Repos/Projects can be associated with either a GitHub Organization or a personal GitHub account. + +### Instance Setup + +- **Label** should be the label that you want to use to identify this integration. +- **Location** should be set to your GitHub User or Organization URL, depending on where you wish to create issues. for example `https://github.com/{your-organization}` +- **Token** should be set to a personal access token from GitHub. + +Personal access tokens for GitHub can be created at https://github.com/settings/tokens. The token must have Repo and Project scopes. + +### Issue Tracker Mapping + +- **Issue Tracker Mapping Label** should be set to identify the Project or Repo that you wish to create Issues in. +- **Project Number** should be the ID of a GitHub project that you want to send items to. You can get this from the URL while looking at a Project, for example `https://github.com/orgs/{your-org}/projects/{project number}`. +- **Repository Name** should be the name of a repo associated with your organization (or user) that you want to push Issues to. + + +### Severity Mapping Details + +**In order to set up the integration, the Project MUST have a custom field created to represent Issue Priority, otherwise Severity will not be mapped correctly and Issues will not push to GitHub.** + +Follow this guide to create a [custom field](https://docs.github.com/en/issues/planning-and-tracking-with-projects/learning-about-projects/quickstart-for-projects#creating-a-field-to-track-priority). +Each Severity will need to have a corresponding single-select option available. For example, out of the box DefectDojo suggests P0, P1, P2, P3, P4 as possible Priority values, and each of those will need to be added to the Priority custom field. + +- **Severity Field Name**: `Priority` +- **Info Mapping**: `P0` +- **Low Mapping**: `P1` +- **Medium Mapping**: `P2` +- **High Mapping**: `P3` +- **Critical Mapping**: `P4` + +### Status Mapping Details + +By default, new GitHub Projects will have Statuses for Issues of "In Progress" and "Done". Additional statuses can be added to the Project to track False Positive or Risk Accepted status if you wish. One of the ways this can be done is by adding a new Status Column to the Project Board. + +- **Status Field Name**: `Status` +- **Active Mapping**: `In Progress` +- **Closed Mapping**: `Done` +- **False Positive Mapping**: `Done` +- **Risk Accepted Mapping**: `Done` + +## GitLab + +The GitLab integration allows you to add issues to a [GitLab Project](https://docs.gitlab.com/ee/user/project/). + +### Instance Setup + +- **Label** should be the label that you want to use to identify this integration. +- **Location** should be set to the link to your GitLab server, for example `https://gitlab.com/`. +- **Token** should be set to a personal access token from GitLab. The token must have API scopes. See [GitLab’s guide to creating a personal access token](https://docs.gitlab.com/user/profile/personal_access_tokens/#create-a-personal-access-token). + +### Issue Tracker Mapping + +- **Project Name**: The name of the project in GitLab that you want to send issues to + +### Severity Mapping Details + +This maps to the GitLab Priority field. +- **Severity Field Name**: `Priority` +- **Info Mapping**: `1` +- **Low Mapping**: `2` +- **Medium Mapping**: `3` +- **High Mapping**: `4` +- **Critical Mapping**: `5` + +### Status Mapping Details + +By default, GitLab has statuses of 'opened' and 'closed'. Additional status labels can be added if you want to track False Positive or Risk Accepted status. See [GitLab Docs](https://docs.gitlab.com/user/work_items/status/) for details. + +- **Status Field Name**: `Status` +- **Active Mapping**: `opened` +- **Closed Mapping**: `closed` +- **False Positive Mapping**: `closed` +- **Risk Accepted Mapping**: `closed`