DefectDojo · manuel-sommer · Nov 3, 2025 · Nov 3, 2025 · Nov 3, 2025 · Nov 3, 2025
@@ -15,13 +15,13 @@ jobs:
       - name: Setup Hugo
         uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
         with:
-          hugo-version: '0.152.1' # renovate: datasource=github-releases depName=gohugoio/hugo
+          hugo-version: '0.152.2' # renovate: datasource=github-releases depName=gohugoio/hugo
           extended: true
 
       - name: Setup Node
         uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
-          node-version: '24.11.0' # TODO: Renovate helper might not be needed here - needs to be fully tested
+          node-version: '24.11.1' # TODO: Renovate helper might not be needed here - needs to be fully tested
 
       - name: Cache dependencies
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0

@@ -16,7 +16,7 @@ jobs:
           # databases, broker and k8s are independent, so we don't need to test each combination
           # lastest k8s version (https://kubernetes.io/releases/) and the oldest officially supported version
           # are tested (https://kubernetes.io/releases/)
-          - k8s: 'v1.34.0' # renovate: datasource=github-releases depName=kubernetes/kubernetes versioning=loose
+          - k8s: 'v1.34.2' # renovate: datasource=github-releases depName=kubernetes/kubernetes versioning=loose
             os: debian
           - k8s: 'v1.31.13' # renovate: datasource=custom.endoflife-oldest-maintained depName=kubernetes
             os: debian

@@ -77,7 +77,7 @@ jobs:
           echo "chart_version=$(ls build | cut -d '-' -f 2,3 | sed 's|\.tgz||')" >> $GITHUB_ENV
 
       - name: Create release ${{ inputs.release_number }}
-        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
+        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
         with:
           name: '${{ inputs.release_number }} 🌈'
           tag_name: ${{ inputs.release_number }}

@@ -21,4 +21,4 @@ jobs:
         uses: suzuki-shunsuke/github-action-renovate-config-validator@c22827f47f4f4a5364bdba19e1fe36907ef1318e # v1.1.1
         with:
           strict: "true"
-          validator_version: 41.168.0 # renovate: datasource=github-releases depName=renovatebot/renovate
+          validator_version: 42.5.4 # renovate: datasource=github-releases depName=renovatebot/renovate
@@ -32,7 +32,7 @@ jobs:
              helm dependency update ./helm/defectdojo
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0
         with:
           yamale_version: 6.0.0 # renovate: datasource=pypi depName=yamale versioning=semver
           yamllint_version: 1.37.1 # renovate: datasource=pypi depName=yamllint versioning=semver

@@ -12,13 +12,13 @@ jobs:
       - name: Setup Hugo
         uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
         with:
-          hugo-version: '0.152.1' # renovate: datasource=github-releases depName=gohugoio/hugo
+          hugo-version: '0.152.2' # renovate: datasource=github-releases depName=gohugoio/hugo
           extended: true
 
       - name: Setup Node
         uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
-          node-version: '24.11.0' # TODO: Renovate helper might not be needed here - needs to be fully tested
+          node-version: '24.11.1' # TODO: Renovate helper might not be needed here - needs to be fully tested
 
       - name: Cache dependencies
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0

@@ -1,7 +1,7 @@
 
 # code: language=Dockerfile
 
-FROM openapitools/openapi-generator-cli:v7.16.0@sha256:e56372add5e038753fb91aa1bbb470724ef58382fdfc35082bf1b3e079ce353c AS openapitools
+FROM openapitools/openapi-generator-cli:v7.17.0@sha256:868b97eb4e5080d2cdfd5b3eeaa4d52e4bbb7c56f14e234b08b0b0bc4f38a78f AS openapitools
 # currently only supports x64, no arm yet due to chrome and selenium dependencies
 FROM python:3.13.7-slim-trixie@sha256:5f55cdf0c5d9dc1a415637a5ccc4a9e18663ad203673173b8cda8f8dcacef689 AS build
 WORKDIR /app

@@ -63,7 +63,7 @@ COPY dojo/ ./dojo/
 # always collect static for debug toolbar as we can't make it dependant on env variables or build arguments without breaking docker layer caching
 RUN env DD_SECRET_KEY='.' DD_DJANGO_DEBUG_TOOLBAR_ENABLED=True python3 manage.py collectstatic --noinput --verbosity=2 && true
 
-FROM nginx:1.29.2-alpine3.22@sha256:61e01287e546aac28a3f56839c136b31f590273f3b41187a36f46f6a03bbfe22
+FROM nginx:1.29.3-alpine3.22@sha256:b3c656d55d7ad751196f21b7fd2e8d4da9cb430e32f646adcf92441b72f82b14
 ARG uid=1001
 ARG appuser=defectdojo
 COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/

@@ -60,4 +60,4 @@ services:
         protocol: tcp
         mode: host
   "webhook.endpoint":
-    image: mccutchen/go-httpbin:2.18.3@sha256:3992f3763e9ce5a4307eae0a869a78b4df3931dc8feba74ab823dd2444af6a6b
+    image: mccutchen/go-httpbin:2.19.0@sha256:be41c6c3772393c097e15f9f8ac381de4ce9e9841c545556af98fbe2e707c619
@@ -120,7 +120,7 @@ services:
           source: ./docker/extra_settings
           target: /app/docker/extra_settings
   postgres:
-    image: postgres:18.0-alpine@sha256:48c8ad3a7284b82be4482a52076d47d879fd6fb084a1cbfccbd551f9331b0e40
+    image: postgres:18.1-alpine@sha256:154ea39af68ff30dec041cd1f1b5600009993724c811dbadde54126eb10bedd1
     environment:
       POSTGRES_DB: ${DD_DATABASE_NAME:-defectdojo}
       POSTGRES_USER: ${DD_DATABASE_USER:-defectdojo}

@@ -32,6 +32,10 @@ Any vulnerabilities which were not contained in the previous import will be adde
 
 If any incoming Findings match Findings that already exist, the incoming Findings will be discarded rather than recorded as Duplicates. These Findings have been recorded already \- no need to add a new Finding object. The Test page will show these Findings as **Left Untouched**.
 
+### Fields fix_available and fix_version
+
+If any incoming Findings match Findings that already exist, the incoming Finding is checked if the fields `fix_available` and `fix_version` differ and are updated if yes. These Findings have been recorded already \- no need to add a new Finding object. The Test page will show these Findings as **Left Untouched**.
+
 ### Close Findings
 
 If there are any Findings that already exist in the Test but which are not present in the incoming report, you can choose to automatically set those Findings to Inactive and Mitigated (on the assumption that those vulnerabilities have been resolved since the previous import). The Test page will show these Findings as **Closed**.

@@ -511,7 +511,7 @@ If during the login process you get the following error: *The
 in the client app settings.* and the `redirect_uri` HTTP
 GET parameter starts with `http://` instead of
 `https://` you need to add
-`SOCIAL_AUTH_REDIRECT_IS_HTTPS = True` to Docker environment variables, or to your `local_settings.py` file.
+`DD_SOCIAL_AUTH_REDIRECT_IS_HTTPS = True` to Docker Compose environment variables, or `SOCIAL_AUTH_REDIRECT_IS_HTTPS` to your `local_settings.py` file.
 
 2. Restart DefectDojo, and 'Login With Okta' should appear on the login screen.
 

@@ -0,0 +1,51 @@
+---
+title: 'Upgrading to DefectDojo Version 2.53.x'
+toc_hide: true
+weight: -20251103
+description: Helm chart changes for initializer annotations.
+---
+
+## Helm Chart Changes
+
+This release introduces an important change to the Helm chart configuration for the initializer job.
+
+### Breaking changes
+
+#### Initializer Annotation Handling
+
+- **Renamed initializer annotations**: The `initializer.annotations` field has been renamed to `initializer.podAnnotations` for clarity and consistency with other DefectDojo resources.
+- **Merged annotation support**: Global `extraAnnotations` are now automatically merged with the initializer's `podAnnotations` to ensure consistent annotation handling across all resources.
+
+> The previous implementation did not merge global `extraAnnotations` with the initializer job's pod annotations, causing inconsistencies in annotation management.
+
+#### Moved values
+
+The following Helm chart values have been modified in this release:
+
+- `initializer.annotations` → `initializer.podAnnotations` (applies to Pod template metadata within the Job)
+
+Note: `initializer.jobAnnotations` affects the Job spec metadata, while `initializer.podAnnotations` affects the Pod template metadata within the Job.
+
+#### Migration
+
+If you were using:
+
+```yaml
+initializer:
+  annotations:
+    foo: bar
+```
+
+Update to:
+
+```yaml
+initializer:
+  podAnnotations:
+    foo: bar
+```
+
+Both `extraAnnotations` and `initializer.podAnnotations` will now be properly applied to the initializer pod.
+
+## Reimport updates fields fix_available and fix_version
+
+Reimport will update existing findings `fix_available` and `fix_version` fields based on the incoming scan report.
@@ -11,14 +11,21 @@ All parsers that use API pull have common basic configuration steps, but with di
 
 Follow these steps to set up API importing:
 
+## Tool Configuration
+
 1.  Configure the API authentication details by navigating to
     `Configuration -> Tool Configuration -> Add Tool Configuration`. Enter a `Name`,
     selecting the related `Tool Type` and `Authentication Type` "API Key". Paste your credentials
-    to the proper fields based on definitions below.
+    into the proper fields based on the selected parser.
+
+## Product-Level Configuration
+
+1.  Navigate to `Products -> All Products` and select a product from the list.
+
+2.  Click on `Settings` and select `Add API Scan Configuration`
 
-2.  In the `Product` settings select `Add API Scan Configuration` and select the
-    previously added `Tool Configuration`. Provide values based on definitions below.
+3.  Select the previously added `Tool Configuration` and provide additional values based on the selected parser.
 
-3.  After this is done, you can import the findings on the `Product` page through
-    `Findings -> Import Scan Results`. As the `Scan type`, select the related type,
-    the API scan configuration from the last step, and click `Import`.
+4.  After this is done, you can import the findings on the `Product` page through
+    `Findings -> Import Scan Results`. As the `Scan type`, select the related type
+    (the `API Scan Configuration` created above) and click `Import`.
@@ -2,20 +2,24 @@
 title: "SonarQube API Import"
 toc_hide: true
 ---
-All parsers which using API have common basic configuration step but with different values. Please, [read these steps](../) at first.
+All parsers that use API pull have common basic configuration steps, but with different values. Please, [read these steps](../) first.
 
-In `Tool Configuration`, select `Tool Type` to "SonarQube" and `Authentication Type` "API Key".
-Note the url must be in the format of `https://<sonarqube_host>/api`
+## Tool Configuration
+
+In `Tool Configuration`, select `Tool Type` "SonarQube" and `Authentication Type` "API Key".
+The URL must be in the format of `https://<sonarqube_host>/api`
 Paste your SonarQube API token in the "API Key" field.
-By default the tool will import vulnerabilities issues
-and security hotspots only, but additional filters can be setup using the 
-Extras field separated by commas (e.g. `BUG,VULNERABILITY,CODE_SMELL`). When using
-SonarCloud, you must also specify the Organization ID in the Extras field as follows
-`OrgID=sonarcloud-organzation-ID`. If also specifying issue type filters, please 
-seperate the items in the Extras field by a vertical bar as follows
-`BUG,VULNERABILITY,CODE_SMELL|OrgID=sonarcloud-organzation-ID`
-
-In "Add API Scan Configuration"
+By default, the tool will import vulnerability issues
+and security hotspots only, but additional filters can be applied using the 
+"Extras" field separated by commas (e.g. `BUG,VULNERABILITY,CODE_SMELL`). When using
+SonarCloud, you must also specify the Organization ID in the "Extras" field (e.g. 
+`OrgID=sonarcloud-organzation-ID`). When also specifying issue type filters, please 
+separate the items in the "Extras" field by a vertical bar (e.g. 
+`BUG,VULNERABILITY,CODE_SMELL|OrgID=sonarcloud-organzation-ID`)
+
+## Product-Level Configuration
+
+In `Add API Scan Configuration`
 -   `Service key 1` must
     be the SonarQube project key, which can be found by navigating to a specific project and
     selecting the value from the url
@@ -24,23 +28,29 @@ In "Add API Scan Configuration"
     use the name of the Product as the project key in SonarQube. If you would like to
     import findings from multiple projects, you can specify multiple keys as
     separated `API Scan Configuration` in the `Product` settings.
--   If using SonarCloud, the orginization ID can be used from step 1, but it
-    can be overiden by supplying a different orginization ID in the `Service key 2` input field.
+-   If using SonarCloud, the organization ID can be used from step 1, but it
+    can be overridden by supplying a different organization ID in the `Service key 2` input field.
 
 ## Multiple SonarQube API Configurations
 
-In the import or re-import dialog you can select which `API Scan
+In the import or re-import dialog, you can select which `API Scan
 Configuration` shall be used. If you do not choose
 any, DefectDojo will use the `API Scan Configuration` of the Product if there is
 only one defined or the SonarQube `Tool Configuration` if there is only one.
 
-## Multi Branch Scanning
+## Multi-Branch Scanning
 
-If using a version of SonarQube with multi branch scanning, the branch tha be scanned can
-be supplied in the `branch_tag` fieild at import/re-import time. If the branch does not exist,
-a notification will be generated in the alerts table indicating that branch to be imported
+If using a version of SonarQube with multi-branch scanning, the branch to be scanned can
+be supplied in the `branch_tag` field at import/re-import time. If the branch does not exist,
+a notification will be generated in the alerts table, indicating that branch to be imported
 does not exist. If a branch name is not supplied during import/re-import, the default branch
 of the SonarQube project will be used.
 
-**Note:**: If `https` is used for the SonarQube, the certificate must be
-trusted by the DefectDojo instance.
+## Custom Trust
+
+If you are connecting to SonarQube via HTTPS, the issuer of the certificate that is presented by
+SonarQube must be trusted.
+
+One way of achieving this is by defining the `REQUESTS_CA_BUNDLE` environment variable to point
+to a PEM-encoded certificate file in the container (e.g. `REQUESTS_CA_BUNDLE=/app/media/cacerts.pem`).
+To ensure the certificate is persisted, the file should be in a mounted volume.
@@ -0,0 +1,18 @@
+---
+title: "n0s1 Scanner"
+toc_hide: true
+---
+
+### File Types
+Parser n0s1 expects a JSON file of scanner n0s1.
+
+### Sample Scan Data
+Sample n0s1 scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/n0s1).
+
+### Link To Tool
+See n0s1 on GitHub: https://github.com/spark1security/n0s1
+
+### Default Deduplication Hashcode Fields
+By default, DefectDojo identifies duplicate Findings using these [hashcode fields](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/):
+
+- description