diff --git a/docs/assets/images/beta-ui-overview.png b/docs/assets/images/beta-ui-overview.png
deleted file mode 100644
index 14ef167956b..00000000000
Binary files a/docs/assets/images/beta-ui-overview.png and /dev/null differ
diff --git a/docs/assets/images/external-tools.png b/docs/assets/images/external-tools.png
index 053563989b5..ceb2ce670ee 100644
Binary files a/docs/assets/images/external-tools.png and b/docs/assets/images/external-tools.png differ
diff --git a/docs/assets/images/pro_import_methods.png b/docs/assets/images/pro_import_methods.png
new file mode 100644
index 00000000000..27c05e1e139
Binary files /dev/null and b/docs/assets/images/pro_import_methods.png differ
diff --git a/docs/assets/images/pro_ui_overview.png b/docs/assets/images/pro_ui_overview.png
new file mode 100644
index 00000000000..86dd40ac91a
Binary files /dev/null and b/docs/assets/images/pro_ui_overview.png differ
diff --git a/docs/assets/images/pro_ui_sams_filter.png b/docs/assets/images/pro_ui_sams_filter.png
new file mode 100644
index 00000000000..9c60d7ecbf8
Binary files /dev/null and b/docs/assets/images/pro_ui_sams_filter.png differ
diff --git a/docs/content/en/about_defectdojo/about_docs.md b/docs/content/en/about_defectdojo/about_docs.md
index 581cf3e66c3..ddc1baf94d2 100644
--- a/docs/content/en/about_defectdojo/about_docs.md
+++ b/docs/content/en/about_defectdojo/about_docs.md
@@ -13,25 +13,25 @@ weight: 1
## What is DefectDojo?
-DefectDojo is a DevSecOps platform. DefectDojo streamlines DevSecOps by serving as an aggregator and single pane of glass for your security tools.
+DefectDojo is a Developer Security Operations (DevSecOps) platform. DefectDojo streamlines DevSecOps by serving as an automatic aggregator for your suite of security tools, allowing you to easily organize your security work and report your organization’s security posture to other stakeholders.
-DefectDojo has smart features to enhance and tune the results from your security tools including the ability to merge findings, remember false positives, and distill duplicates.
-
-DefectDojo also integrates with JIRA, provides metrics / reports, and can also be used for traditional pen test management.
+While security process automation and integrated development pipelines are the end goals of DefectDojo, at its core this software is a bug tracker for security vulnerabilities, which is meant to ingest, organize and standardize reports from many security tools.
### What does DefectDojo do?
-Whether you're a one-person security team for a small organization, or a CISO overseeing a large amount of software projects, DefectDojo allows you to organize your security work, and easily report your organization's security posture to other stakeholders.
-
-While security process automation and integrated development pipelines are the ultimate end goals of DefectDojo, this software is a bug tracker at its core for security vulnerabilities, which is meant to ingest, organize and standardize reports from many security tools.
+DefectDojo has smart features to enhance and tune the results from your security tools, including the ability to:
-DefectDojo's Product:Engagement model enables allows you to take inventory of your development environment and immediately place new security Findings in context.
+- Track and report on security Findings in context
+- Enforce SLAs in context
+- Handle False Positives, Risk Acceptances and other triage decisions
+- Distill duplicates using DefectDojo's deduplication algorithm
+- Integrate with external Project Tracking software.
+- Provide metrics/reports across repositories and development branches using CI/CD integration.
+- Coordinate traditional Pen test management.
+- Set and enforce SLAs for vulnerability remediation procedures.
+- Create and track Risk Acceptances for security vulnerabilities.
-- Track and report on vulnerabilities and test results across repositories and development branches, using CI/CD integration
-- Ingest Pen tester reports and capture point-in-time snapshots of your security profile
-- Create and track Risk Acceptances for security vulnerabilities
-- Set and enforce SLAs to reflect your organization's policies for vulnerability remediation
-- Filter out redundant data using DefectDojo's deduplication algorithm
+Ultimately, DefectDojo's Product:Engagement model allows you to take inventory of your development environment and immediately place new security Findings in context.
---
Here are some examples of ways DefectDojo can be implemented, with DefectDojo co-founder and CTO Matt Tesauro:
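Review bot: The new feature list repeats itself. "Enforce SLAs in context" and "Set and enforce SLAs for vulnerability remediation procedures." describe the same capability, and "Handle False Positives, Risk Acceptances and other triage decisions" overlaps "Create and track Risk Acceptances for security vulnerabilities." Suggest merging each pair into one bullet and then making terminal punctuation uniform, since the first four bullets have no period and the last five do. The added opening paragraph also uses a typographic apostrophe in "organization’s" while the rest of the hunk uses straight ones ("DefectDojo's").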
@@ -39,58 +39,82 @@ Here are some examples of ways DefectDojo can be implemented, with DefectDojo co
---
+## DefectDojo Open-Source
-### How does DefectDojo work?
+DefectDojo's core functionality is available in DefectDojo Open-Source.
-Whether you're a Pro or an Open-Source user, we have many resources that can help you get started with DefectDojo.
+This edition of DefectDojo includes:
-- Our [New User Checklist](../new_user_checklist) covers the fundamentals of setting up your DefectDojo environment and setting up your import, triage and reporting workflows.
+- Import/Reimport for all 200+ Supported Tools
+- REST API
+- Deduplication features
+- Limited UI, metrics and reporting features
+- Jira integration capability
-- We support a large amount of [security tool integrations](/supported_tools/) to help fit DefectDojo in your DevSecOps program.
+For teams managing a smaller volume of Findings, DefectDojo Open-Source is a great starting point.
-- Our team maintains a [YouTube Channel](https://www.youtube.com/@defectdojo) which hosts tutorials, archived Office Hours events and other content. New subscribers are always welcome!
+### Installation Guides
-## Open-Source DefectDojo
+There are a few supported ways to install DefectDojo’s Open-Source edition ([available on Github](https://github.com/DefectDojo/django-DefectDojo)):
-The Open-Source edition of DefectDojo is [available on GitHub](https://github.com/DefectDojo/django-DefectDojo).
+[Docker Compose](https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/DOCKER.md) is the easiest method to install the core program and services required to run DefectDojo.
+Our [Architecture](https://docs.defectdojo.com/en/open_source/installation/architecture/) guide gives you an overview of each service and component used by DefectDojo.
+[Running In Production](https://docs.defectdojo.com/en/open_source/installation/running-in-production/) lists system requirements, performance tweaks and maintenance processes for running DefectDojo on a production server (with Docker Compose).
-### Installation Guides
+Kubernetes is not fully supported at the Open-Source level, but this guide can be referenced and used as a starting point to integrate DefectDojo into Kubernetes architecture.
-There are a few supported ways to install DefectDojo's Open Source edition:
+If you run into trouble with an Open-Source install, we highly recommend asking questions on the [OWASP Slack](https://owasp.org/slack/invite). Our community members are active on the #defectdojo channel and can help you with issues you’re facing.
-- [Docker Compose](https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/DOCKER.md) is the easiest method to install the core program and services required to run DefectDojo.
-- [Kubernetes](https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/KUBERNETES.md) is not fully supported at the Open-Source level, but this guide can be referenced and used as a **starting point** to integrate DefectDojo into Kubernetes architecture.
+## 🟧 DefectDojo Pro Edition
-Other guides for working with an Open-Source install:
-- [Architecture](/en/open_source/installation/architecture/) gives you an overview of each service and component used by DefectDojo.
-- [Running In Production](/en/open_source/installation/running-in-production/) provides system requirements, performance tweaks and maintenance processes for running DefectDojo on a production server. Note that this guide strictly covers Docker Compose installs, not Kubernetes.
+
-If you run into trouble with an Open Source install, we highly recommend asking questions on the [OWASP Slack](https://owasp.org/slack/invite). Our community members are active on the **# defectdojo** channel and can help you with issues you’re facing.
+DefectDojo Inc. hosts a Pro edition of this software for commercial purposes. Along with a sleek, modern UI, DefectDojo Pro includes:
-Looking for cool DefectDojo laptop stickers? As a thank you for being a part of the DefectDojo community, you can sign up to get some free DefectDojo stickers. For more information, check out [this link](https://defectdojo.com/defectdojo-sticker-request).
+* [Connectors](/en/connecting_your_tools/connectors/about_connectors/): out-of-the-box API integrations with enterprise-level scanners (such as Checkmarx One, BurpSuite, Semgrep and more)
+* **Configurable Import Methods**: [Universal Parser](/supported_tools/parsers/universal_parser/), [Smart Upload](/en/connecting_your_tools/import_scan_files/smart_upload/)
+* **[CLI Tools](/en/connecting_your_tools/external_tools/)** for rapid integration with your systems
+* **[Additional Project Tracking Integrations](/en/share_your_findings/integrations/)**: ServiceNow, Azure DevOps, GitHub and GitLab
+* **[Improved Metrics](/en/customize_dojo/dashboards/pro_dashboards/)** for executive reporting and high-level analysis
+* **[Priority And Risk](/en/working_with_findings/finding_priority/)** to identify the Findings of highest urgency, system-wide
+* **Premium Support** and implementation guidance for your organization
-### Online Demo
+The Pro edition is available as a cloud-hosted SaaS offering, and is also available for installation on-premises.
-A running example of DefectDojo (Open-Source Edition) is available on [our demo server](https://demo.defectdojo.org), using the credentials `admin` / `1Defectdojo@demo#appsec`. The demo server is refreshed regularly and provisioned with some sample data.
+For more information on DefectDojo Pro, check out our [Pricing page](https://defectdojo.com/pricing).
-## 🟧 DefectDojo Pro Edition
+## Online Demos
-
+Online demos for both Open-Source and Pro versions of DefectDojo are available. Both can be accessed using the following credentials:
----
+- Username: `admin`
+- Password: `1Defectdojo@demo#appsec`
+
+These demos come loaded with sample data, and are reset on a daily basis.
+
+### Open-Source Demo
+
+A running example of DefectDojo (Open-Source Edition) is available at [https://demo.defectdojo.org/](https://demo.defectdojo.org/).
+
+### Pro Demo
+
+A running example of DefectDojo Pro is available at
+[https://pro.demo.defectdojo.com/](https://pro.demo.defectdojo.com/).
+
+## Learning DefectDojo
+
+Whether you’re a Pro or an Open-Source user, we have many resources to help you get started with DefectDojo.
-DefectDojo Inc. hosts a commercial edition of this software, which includes:
+* Our [New User Checklist](/en/about_defectdojo/new_user_checklist/) covers the fundamentals of setting up your DefectDojo environment and establishing your import, triage and reporting workflows.
+* Review our supported [security tool integrations](/en/connecting_your_tools/parsers/) to help fit DefectDojo in your DevSecOps program.
+* Our team maintains a [YouTube Channel](https://www.youtube.com/@defectdojo) which hosts tutorials, archived Office Hours events, and other content.
-- [additional features](../pro_features), smart features and UI improvements
-- cloud hosting, with regular backups, updates and maintenance
-- premium support and implementation guidance
+## Connect With Us
-For more information, check out our Pricing page at [defectdojo.com](https://defectdojo.com/pricing). After filling out a quick survey to assess your organization's needs we'll provide you with a custom quote for DefectDojo.
+To get in touch with the DefectDojo Inc team, you can always reach out to [hello@defectdojo.com](mailto:hello@defectdojo.com).
-DefectDojo Pro edition is available as a cloud-hosted SaaS offering but is also available for installation on-premises.
+We regularly on [LinkedIn](https://www.linkedin.com/company/33245534) and also host online presentations for AppSec professionals that can be accessed live or on demand. You can learn about upcoming events on our [Events page](https://defectdojo.com/events) or watch past presentations on our [YouTube Channel](https://www.youtube.com/@defectdojo).
-### Connect With Us
+### Stickers
-* To get in touch with our team, you can always reach out to **info@defectdojo.com**.
-* Follow DefectDojo Inc. on [LinkedIn](https://www.linkedin.com/company/33245534) for company updates.
-* DefectDojo hosts online presentations for AppSec professionals that can be accessed live or on demand - check us out on our [Events page](https://defectdojo.com/events). Many of these are also available on our [YouTube Channel](https://www.youtube.com/@defectdojo).
+Looking for cool DefectDojo laptop stickers? As a thank you for being a part of the DefectDojo community, you can sign up to get some free DefectDojo stickers. For more information, check out [this link](https://defectdojo.com/defectdojo-sticker-request).
\ No newline at end of file
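Review bot: Two added sentences are broken. Under "Connect With Us", "We regularly on [LinkedIn]..." has no verb (probably "post"). Under "Installation Guides", the Kubernetes paragraph says "this guide can be referenced" although the link to KUBERNETES.md was dropped, so "this guide" points at nothing; restore the link or reword. Smaller points: "Github" should be "GitHub" as in the line it replaces; the Architecture and Running In Production links became absolute docs.defectdojo.com URLs while the other internal links in the hunk are site-relative; the Connectors bullet is the only Pro feature not in bold; the contact address changes from info@ to hello@defectdojo.com, which is worth confirming is intended; and the file still ends without a trailing newline.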
diff --git a/docs/content/en/about_defectdojo/contact_defectdojo_support.md b/docs/content/en/about_defectdojo/contact_defectdojo_support.md
index c80732f3be4..521c2c47c4a 100644
--- a/docs/content/en/about_defectdojo/contact_defectdojo_support.md
+++ b/docs/content/en/about_defectdojo/contact_defectdojo_support.md
@@ -20,18 +20,18 @@ See our [Community Site](https://defectdojo.com/open-source) for more informatio
## DefectDojo Pro Support
-DefectDojo Pro subscriptions come with full support from the DefectDojo Inc team during the initial trial period and beyond.
+DefectDojo Pro subscriptions come with full support from the DefectDojo Inc. team during the initial trial period and beyond.
### Email
-Customers / Pro Users can always email our team directly at [support@defectdojo.com](mailto:support@defectdojo.com) for assistance.
+Customers/Pro Users can always email our team directly at [support@defectdojo.com](mailto:support@defectdojo.com) for assistance.
### Within DefectDojo
-You can contact us through the DefectDojo App:
+You can contact the Support team through the DefectDojo App in two ways:
-* by opening **Cloud Manager \> Contact Support** from the left sidebar
-* or through **{your\-instance}.defectdojo.com/cloud\_portal/support**.
+1. by opening **Cloud Manager > Contact Support** from the left sidebar
+2. through **{your-instance}.defectdojo.com/cloud_portal/support**.

@@ -39,7 +39,7 @@ You can contact us through the DefectDojo App:
You can also contact our support team through your Cloud Portal:
-* by clicking on **Contact Us** (on the left sidebar)
-* or via ****.
+1. by clicking on **Contact Us** (on the left sidebar)
+2. or via ****.

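Review bot: The second list item, "or via ****.", is still an empty bold span, so readers get no destination; the change only renumbers it. Fill in the Cloud Portal address or drop the item. It also keeps the leading "or" that the parallel list in the previous hunk removed ("2. through ...").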
diff --git a/docs/content/en/about_defectdojo/examples_of_use.md b/docs/content/en/about_defectdojo/examples_of_use.md
index 9555cec2e49..450d28304b7 100644
--- a/docs/content/en/about_defectdojo/examples_of_use.md
+++ b/docs/content/en/about_defectdojo/examples_of_use.md
@@ -1,23 +1,24 @@
---
-title: "💡 Common Use-Cases"
+title: "💡 Common Use Cases"
description: "Use Cases and examples"
draft: "false"
weight: 2
chapter: true
---
-This article is based on DefectDojo Inc's February 2025 Office Hours: "Tackling Common-Use Cases".
+This article is based on DefectDojo Inc's February 2025 Office Hours: "Tackling Common Use Cases".
-## Examples of Use-Cases
+## Examples of Use Cases
-DefectDojo is designed handle any security implementation: no matter your security team size, IT complexity level, or reporting volume. These stories are intended as jumping-off points for your own needs, but they're based on real examples from our community and DefectDojo Pro team.
+DefectDojo is designed to handle any security implementation, no matter your security team size, IT complexity level, or reporting volume. The following stories are intended as jumping-off points for your own needs, but they’re based on real examples from our community and the DefectDojo Pro team.
### Large Enterprise: RBAC and Engagements
-'BigCorp' is a large multinational enterprise, with a CISO and a centralized IC security group that includes AppSec.
-Security at BICORP is highly centralized. Certain things are delegated out to BISOs (Business Information Security Officers).
+‘BigCorp’ is a large multinational enterprise, with a Chief Information Security Officer (CISO) and a centralized IT security group that includes AppSec.
+
+Security at BigCorp is highly centralized. Certain things are delegated out to Business Information Security Officers (BISO).
The key concerns for BigCorp are:
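Review bot: The abbreviation in "Business Information Security Officers (BISO)" should be plural, "(BISOs)", to match the noun it follows and the "BISOs" of the removed line. The rewritten paragraphs also switch to typographic quotes (‘BigCorp’, they’re) while the unchanged line above keeps a straight apostrophe in "DefectDojo Inc's"; pick one style for the file.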
@@ -32,26 +33,24 @@ BigCorp handles security data from many sources:
- Third-party Pen testing for certain Products
- PCI compliance auditing for certain Products
-Each of these report categories can be handled by a separate Engagement, with a separate Test for each kind of test in DefectDojo.
+Each of these report categories can be handled by a separate Engagement, with a separate Test for each kind of scan in DefectDojo.

-- If a Product has a CI/CD pipeline, all of the results from that pipeline can be continuously imported into a single open-ended Engagement. Each tool used will create a separate Test within the 'CI/CD' Engagement, which can be continuously updated with new data.
+- If a Product has a CI/CD pipeline, all of the results from that pipeline can be continually imported into a single open-ended Engagement. Each tool used will create a separate Test within the CI/CD Engagement, which can be continuously updated with new data.
(See our guide to [Reimport](/en/connecting_your_tools/import_scan_files/using_reimport/))
-- Each Pen Test effort can have a separate Engagement created to contain all of the results: e.g. 'Q1 Pen Test 2024', 'Q2 Pen Test 2024', etc.
-- BigCorp will likely want to run their own mock PCI Audit so that they're prepared for the real thing when it happens. The results of those audits can also be stored as a separate Engagement.
-
-
+- Each Pen Test effort can have a separate Engagement created to contain all of the results: e.g. "Q1 Pen Test 2024," "Q2 Pen Test 2024," etc.
+- BigCorp will likely want to run their own mock PCI audit so that they're prepared for the real thing. The results of those audits can also be stored as a separate Engagement.
#### RBAC Model
- Each BISO has Reader access assigned for each business unit (Product Type) that they're in charge of.
-- Each Product Owner has Writer access for the Product that they're in charge of. Within their Product, these Product Owners can interact with DefectDojo - they can keep notes, set up [CI/CD pipelines](/en/connecting_your_tools/import_scan_files/api_pipeline_modelling/), create Risk Acceptances or use other features.
-- Developers at BigCorp have no access to DefectDojo at all, and they don't need it - the Product Owner can push Jira tickets directly from DefectDojo which contain all of the relevant vulnerability information. The developers are already using Jira, so they don't have to track remediation any differently than a different development task.
+- Each Product Owner has Writer access for the Product that they're in charge of. Within their Product, Product Owners can interact with DefectDojo by keeping notes, setting up [CI/CD pipelines](/en/connecting_your_tools/import_scan_files/api_pipeline_modelling/), creating Risk Acceptances and using other features.
+- Developers at BigCorp have no access to DefectDojo at all, and they don't need it. The Product Owner can push Jira tickets directly from DefectDojo which contain all of the relevant vulnerability information. The developers are already using Jira, so they don't have to track remediation any differently than a different development task.
### Embedded Systems: Version-Controlled Reporting
-Cyber Robotics is a company that sells manufacturing hardware that comes with embedded software systems. They have a Chief Product Officer that oversees both their product and cybersecurity as a whole.
+Cyber Robotics is a company that sells manufacturing hardware that comes with embedded software systems. They have a Chief Product Officer (CPO) that oversees both their product and cybersecurity as a whole.
Though they have less diverse security information to manage than BigCorp, it's still essential for them to properly contextualize their security information so that they can proactively respond to any significant Findings.
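Review bot: The CI/CD bullet now says results are "continually imported" and, one sentence later, "continuously updated"; use one word for both unless a distinction is meant. In the pen test bullet the commas sit inside the quotation marks ("Q1 Pen Test 2024,"), which makes them look like part of the Engagement name; the previous form with the commas outside the quotes avoided that. The Developers bullet is rewritten but still ends "any differently than a different development task", which could read "than any other development task".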
@@ -64,48 +63,48 @@ Key concerns for Cyber Robotics:
Cyber Robotics has a standardized testing process for all of their embedded systems:
-- CI/CD, SAST, and SCA tests are run.
+- CI/CD, SAST, and SCA tests are run
- Security Control Reviews
- Network Scans
- Third Party Code Review
-However, because each version of their software is isolated, they'll inevitably have a lot of data to organize, much of which is only useful in a single context (the particular version of the software they're running).
+However, because each version of their software is isolated, they’ll inevitably have a lot of data to organize, much of which is only useful in a single context (i.e., the particular version of the software they’re running).
-Cyber Robotics can solve this problem by using Product Types here to represent a single product line, and individual Products for each separate version. This will allow them to drill down to determine which Products are associated with a single vulnerability.
+Cyber Robotics can solve this problem by using Product Types to represent a single product line, and individual Products for each separate version. This will allow them to drill down to determine which Products are associated with a single vulnerability.

-Assigning software versions to Products, rather than Engagements allows Cyber Robotics to limit access to a particular software version, if necessary. Field technicians and Support staff can be granted access to a single version of the software without having to give them access to the entire product line.
+Assigning software versions to Products, rather than Engagements, allows Cyber Robotics to limit access to a particular software version, if necessary. Field technicians and Support staff can be granted access to a single version of the software without having to give them access to the entire product line.
#### RBAC Model
The AppSec team here has Global Roles assigned that govern their level of interaction.
-- The Chief Product Officer has Global Reader access to DefectDojo, as with the CISO in BigCorp.
+- The CPO has Global Reader access to DefectDojo, as with the CISO in BigCorp.
- Individual Product Owners have Global Reader access to any Product in DefectDojo, as well as Writer access to the Product that they own.
On the Support side:
-- Support Personnel are temporarily granted Reader access to specific Products that they're assigned to maintain, but they do not have access to all DefectDojo data.
+- Support personnel are temporarily granted Reader access to specific Products that they're assigned to maintain, but they do not have access to all DefectDojo data.
### Dynamic IT environments and microservices: Cloud Services company
Kate's Cloud Service operates a rapidly changing environment that uses Kubernetes, microservices, and automation. Kate's Cloud Service has a VP of Cloud that oversees Cloud Security issues. They also have a CISO who manages the software development on offer, but for this example we will focus specifically on their Cloud security concerns.
-Kate's Cloud Service has fully automated all of their reporting, and ingests data into DefectDojo as soon as reports are produced.
+Kate's Cloud Service has fully automated all of their reporting and ingests data into DefectDojo as soon as reports are produced.
Key Concerns for Kate's Cloud Service:
-- managing multi-tenant cloud security, preventing cross-customer interaction while enabling shared service delivery
-- handling rapid changes in their cloud environment
+- Managing multi-tenant cloud security, preventing cross-customer interaction while enabling shared service delivery.
+- Handling rapid changes in their cloud environment.
#### Tagging Shared Services
-Because Kate's model contains many shared services that can impact other Products, the team [Tags](/en/working_with_findings/organizing_engagements_tests/tagging_objects/) the results to indicate which cloud offerings rely on those services. This allows any issues with shared services to be traced back to the relevant teams, and reports in DefectDojo. Each of these Shared Services are in a single Product Type that separates them from the main Cloud offerings.
+Because Kate's model contains many shared services that can impact other Products, the team [Tags](/en/working_with_findings/organizing_engagements_tests/tagging_objects/) their Products to indicate which cloud offerings rely on those services. This allows any issues with shared services to be filtered across Products and reported to the relevant teams. Each of these shared services are in a single Product Type that separates them from the main cloud offerings.

-Because the company is rapidly growing, with frequently changing tech leads, Kate can use Tags to track which tech lead is currently responsible for each cloud product, avoiding the need for constant manual updates to their DefectDojo system. These Tech Lead associations are tracked by a service that's external to DefectDojo and can govern the import pipelines or call the DefectDojo API.
+Because the company is rapidly growing and tech leads are changing frequently, Kate can use Tags to track which tech lead is currently responsible for each cloud product, avoiding the need for constant manual updates to their DefectDojo system. These tech lead associations are tracked by a service that’s external to DefectDojo and can govern the import pipelines or call the DefectDojo API.
For more information on Tagging, see our guide to [Tags](/en/working_with_findings/organizing_engagements_tests/tagging_objects/).
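Review bot: In the Tagging paragraph, "Each of these shared services are in a single Product Type" needs "is". The same paragraph changes what gets tagged, from "the results" to "their Products", and what that enables ("filtered across Products and reported to the relevant teams"); that is a change of meaning rather than wording, so confirm it matches the linked Tags guide. List punctuation also moves in opposite directions within this hunk: the period is removed from "CI/CD, SAST, and SCA tests are run" but added to the fragment bullets under Key Concerns.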
@@ -118,30 +117,30 @@ On the Security/Compliance side:
On the development side:
-- Tech Leads for each specific cloud product (e.g., compute, storage, shared services) have **Maintainer access** to their assigned Product, to triage the security results related to their specific cloud product offering. They can review Findings and take action within their Product, and can also reorganize their Finding data significantly.
+- Tech Leads for each specific cloud product (e.g., compute, storage, shared services) have **Maintainer access** to their assigned Product in order to triage the security results related to their specific cloud product offering. They can review Findings and take action within their Product and can also reorganize their Finding data significantly.
- Developers working on specific Products are given **Writer Access** to the Product they're working on, enabling them to comment on Findings, request Peer Reviews, and create Risk Acceptances.
### Onboarding New Acquisitions: SaaSy Software
-SaaSy software is a rapidly growing firm which frequently acquires other software companies. Every time a new company is acquired, the Director Of Quality engineering and the AppSec team is suddenly in charge of many new code repos, developers and processes. Their DefectDojo model ensures that they can get up to speed as soon as possible.
+SaaSy software is a rapidly growing firm which frequently acquires other software companies. Every time a new company is acquired, the Director Of Quality engineering and the AppSec team is suddenly in charge of many new code repos, developers, and processes. Their DefectDojo model ensures that they can get up to speed as soon as possible.
Key Concerns for SaaSy Software:
-- avoiding public security issues while maintaining compliance programs (such as SOC2)
-- ability to confidently onboard tools and processes from new products
-- ability to report and categorize vulnerabilities on both in-production and in-development branches
+- Avoiding public security issues while maintaining compliance programs (such as SOC2).
+- Ability to confidently onboard tools and processes from new products.
+- Ability to report and categorize vulnerabilities on both in-production and in-development branches.
#### Testing Model
-Testing at SaaSy is focused on broad strokes rather than standardized tool use, since each acquisition comes with their own tools and processes for AppSec. SaaSy needs to perform both internal assessments (CI/CD, DAST, Container scans, Threat Modeling) and external assessments (3rd party Pen Tests, Compliance audits.)
+Testing at SaaSy is focused on broad strokes rather than standardized tool use, since each acquisition comes with their own tools and processes for AppSec. SaaSy needs to perform both internal assessments (CI/CD, DAST, container scans, and threat modeling) and external assessments (Third party pen tests, compliance audits).
-To assist with onboarding new applications, SaaSy software has a standard approach to their data model. Each time SaaSy onboards a new application, they create a new Product Type for that app, and create sub-products for the repositories that make it up; (Front-End, Backend API, etc.)
+To assist with onboarding new applications, SaaSy software has a standard approach to their data model: each time SaaSy onboards a new application, they create a new Product Type for that app, and create sub-products for the repositories that make it up (Front-End, Backend API, etc).

Each of these Products is further subdivided into Engagements, one for the main branch and one for each branch of development. Tests within these Engagements are used to categorize the testing efforts. Development branches have separate Tests which store the results of CI/CD and SCA scans. The Main branch has those as well, but also adds Tests which store Manual Code Review and Threat Model reports.
-All of these Tests are open-ended and can be updated on a regular basis using Reimport. Deduplication is only handled at the Engagement level, which prevents Findings in one Code branch from closing Findings in another.
+All of these Tests are open-ended and can be updated on a regular basis using Reimport. [Deduplication](/en/working_with_findings/finding_deduplication/about_deduplication/) is only handled at the Engagement level, which prevents Findings in one Code branch from closing Findings in another.
By applying this model consistently, SaaSy has a model that they can apply to any new software acquisition, and the AppSec team can quickly begin monitoring the data to ensure compliance.
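Review bot: The rewritten Testing Model lines carry new slips: "(Third party pen tests, compliance audits)" capitalises mid-sentence and lacks the hyphen in "third-party", and "(Front-End, Backend API, etc)" needs "etc.". The rewritten SaaSy intro still reads "SaaSy software ... the Director Of Quality engineering and the AppSec team is suddenly in charge", with inconsistent capitals and a singular verb for a plural subject, and can be fixed in the same pass. On the Deduplication sentence, the new link helps, but "is only handled at the Engagement level" reads as fixed behaviour; if it is a setting SaaSy enables, say so, since the guarantee that one branch cannot close another branch's Findings depends on it.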
diff --git a/docs/content/en/about_defectdojo/faq.md b/docs/content/en/about_defectdojo/faq.md
index e97bc10f82a..f94ebceab3d 100644
--- a/docs/content/en/about_defectdojo/faq.md
+++ b/docs/content/en/about_defectdojo/faq.md
@@ -16,14 +16,34 @@ While DefectDojo can support any security or testing environment, everyone’s s
### What are the recommended workflows for security testing in DefectDojo?
-DefectDojo is meant to be the central source of truth for your organization's security posture, and it can fill different needs depending on your organization's requirements:
+DefectDojo is meant to be the central source of truth for your organization's security posture, and it can fill different needs depending on your organization's requirements, such as:
-- DefectDojo can enforce SLAs on vulnerabilities, ensuring that your organization handles each within an appropriate timeframe.
-- DefectDojo can [push tickets to Jira](/en/share_your_findings/jira_guide/), allowing your development team to integrate issue remediation into their standard release process without requiring them to learn another project management tool.
-- DefectDojo can be integrated into automated [CI/CD pipelines](/en/connecting_your_tools/import_scan_files/api_pipeline_modelling/) to automatically ingest report data from repositories - even down to the branch level.
-- DefectDojo can [create a report](/en/share_your_findings/pro_reports/using_the_report_builder/) on any set of vulnerabilities or software context, to quickly share many scan results or status updates with stakeholders.
+- Allowing users to identify duplicate findings across scans and tools, minimizing alert fatigue.
+- Enforcing SLAs on vulnerabilities, ensuring that your organization handles each Finding within an appropriate timeframe.
+- Sending tickets to [Jira](/en/share_your_findings/jira_guide/), ServiceNow or other Project Tracking software, allowing your development team to integrate issue remediation into their standard release process without requiring them to learn another project management tool.
+- Integrating into automated [CI/CD pipelines](/en/connecting_your_tools/import_scan_files/api_pipeline_modelling/) to automatically ingest report data from repositories, even down to the branch level.
+- Creating [reports](/en/share_your_findings/pro_reports/using_the_report_builder/) on any set of vulnerabilities or software context, to quickly share scan results or status updates with stakeholders.
+- Establishing acceptance and mitigation workflows, supporting formal risk-management tracking.
-DefectDojo is designed to support and standardize your current security workflow. All of these methods can be used to enhance your team's processes, depending on how you currently operate.
+
+DefectDojo is designed to support and standardize your current security workflow. All of these methods can be used to enhance your team’s processes and adapt to how you currently operate.
+
+### What features are available in DefectDojo Pro?
+
+DefectDojo Pro expands on the above workflows further, adding:
+
+- An [improved UI](/en/about_defectdojo/ui_pro_vs_os/) designed for speed and efficiency when navigating through enterprise-level data volumes. It also includes a dark mode.
+- The ability to [pre-triage your Findings](/en/working_with_findings/finding_priority/) by Priority and Risk, allowing your team to identify and fix your most critical issues first.
+- A [Rules Engine](/en/customize_dojo/rules_engine/) to script automated bulk actions and build custom workflows to handle Findings and other objects, no programming experience required.
+- [Enhanced report and metrics generation capabilities](/en/about_defectdojo/ui_pro_vs_os/#new-dashboards) to easily share the security posture of your apps and repos.
+- [Advanced deduplication settings](/en/working_with_findings/finding_deduplication/tune_deduplication/) to fine-tune how DefectDojo identifies and manages duplicate findings.
+- Streamlined import capabilities, such as:
+ - An optimized upload method which processes Findings in the background.
+ - The ability to quickly build a [command-line pipeline](/en/connecting_your_tools/external_tools/) using our Universal Importer and DefectDojo CLI apps, allowing you to easily import, reimport, and export data to your DefectDojo Pro instance.
+ - A [Universal Parser](/en/connecting_your_tools/parsers/universal_parser/) to turn any .json or .csv report into an actional set of Findings and have DefectDojo Pro will parse the data however you like.
+ - [Connectors](/en/connecting_your_tools/connectors/about_connectors/), which provide an instant connection to supported tools to import new Finding data so you can get an automated Import pipeline established without the need to set up any API calls or cron jobs.
+
+Further information regarding DefectDojo Pro’s capabilities can be found [here](/en/about_defectdojo/pro_features/).
### How does DefectDojo handle access control?
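Review bot: In the Universal Parser bullet of the new Pro section, "an actional set of Findings and have DefectDojo Pro will parse the data however you like" has a typo and a broken clause; suggest "an actionable set of Findings, and have DefectDojo Pro parse the data however you like". The same bullet lists only .json and .csv, while the troubleshooting answer changed later in this file says the Universal Parser handles "any JSON, CSV or XML file", so one of the two needs correcting. The rewritten closing paragraph also switches to a curly apostrophe in "team’s" while the intro line above it keeps a straight one in "organization's".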
@@ -31,63 +51,74 @@ DefectDojo can be used by large teams, and setting up [RBAC (Rule Based Access C
Role and permission assignment generally happens at the Product Type / Product level. Each team member can be assigned to one or more Products or Product Types, and can be given a role which governs how they can interact with the vulnerability data within (read only, read-write, or full control). For more information, see our [RBAC guide](/en/customize_dojo/user_management/about_perms_and_roles/).
+### How does DefectDojo handle access control for a team of users?
+
+Whether you’re a one-person security team for a small organization or a CISO overseeing a swath of software projects,you can easily organize [Role-Based Access Control (RBAC)](/en/customize_dojo/user_management/about_perms_and_roles/) in order to properly establish context for each team member and control access to certain parts of Infrastructure.
+
+Generally, role and permission assignment happens at the [Product Type/Product level](/en/working_with_findings/organizing_engagements_tests/product_hierarchy/). Each team member can be given a role pertaining to one or more Products or Product Types that governs how they can interact with the vulnerability data within (e.g., read only, read-write, or full control).
+
## Import Workflows
### What tools are supported by DefectDojo?
-DefectDojo supports reports from over 200 security tools, both commercial and Open Source. See our [Parser List](/supported_tools/) for more information on these tools.
+DefectDojo supports reports from [over 200](/en/connecting_your_tools/parsers/) commercial and open-source security security tools.
-If you're looking to add a new tool to your suite, we have a list of recommended Open Source tools which you can check out [here](https://defectdojo.com/blog/announcing-the-defectdojo-open-source-security-awards).
+If you're looking to add a new tool to your suite, we have a list of recommended Open-Source tools which you can check out [here](https://defectdojo.com/blog/announcing-the-defectdojo-open-source-security-awards).
### What is the different between Import and Reimport?
-There are two different methods to import a report from a security tool into DefectDojo:
+There are two different methods to import a single report from a security tool:
+
+- **[Import](/en/connecting_your_tools/import_scan_files/import_scan_ui/)** handles the report as a single point-in-time record. Importing a report creates a Test containing the resulting Findings.
+- **[Reimport](/en/connecting_your_tools/import_scan_files/using_reimport/)** is used to update an existing Test with a new set of results. If you have a more open-ended approach to your testing process, you can continuously Reimport the latest version of your report to an existing Test. DefectDojo will compare the results of the incoming report to your existing data, record any changes, and then adjust the Findings in the Test to match the latest report.
-- **Import** handles the report as a single point-in-time record. Importing a report creates a Test within DefectDojo that holds the Findings rendered from that report.
-- **Reimport** is used to extend an existing Test. If you have a more open-ended approach to your testing process, you continuously Reimport the latest version of your report to an existing Test. DefectDojo will compare the results of the incoming report to your existing data, record any changes, and then adjust the Findings in the Test so that they match the latest report.
+To understand the difference, it’s helpful to think of Import as recording a single instance of a scan event, and Reimport as updating a continual record of scanning.
-Both methods also use **Deduplication** differently: while two discrete Imported Tests in the same Product will identify and label duplicate Findings, Reimport will skip duplicates in uploaded reports as theses Findings already exist in Defect Dojo.
+Here is an analogy; if you were an accountant, you could use Import to track a single receipt, while you would use Reimport to track a continuous ledger of expenses
-Generally speaking - if a point-in-time report is what you need, Import is the best method to use. If you are continuously running and ingesting reports from a tool, Reimport is the better method for keeping things organized.
+Both methods also use Deduplication differently: while two discrete Imported Tests in the same Product will identify and label duplicate Findings separately, Reimport will not create any Findings it identifies as [duplicates](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/avoiding_duplicates_via_reimport/) within the Test.
-For more information on Reimport, see our [article](/en/connecting_your_tools/import_scan_files/using_reimport/).
+Generally speaking, if a point-in-time report is what you need, Import is the best method to use. If you are continuously running and ingesting reports from a tool, Reimport is the better method for keeping things organized.
### How can I troubleshoot Import errors?
-DefectDojo supports a wide variety of tools. If you're seeing inconsistent behavior when importing a report, we recommend checking to see if the file structure matches what the tool is expecting. See our [Parser List](/supported_tools/) to see if your tool is supported, and check to make sure that the file format matches what the tool expects. You can also compare the structure to our Unit Tests.
+DefectDojo supports a wide variety of tools. If you’re seeing inconsistent behavior when importing a report, we recommend checking if the file structure matches what the tool is expecting. See our [Parser List](/en/connecting_your_tools/parsers/) to confirm that your tool is supported, and check to make sure that the file format matches what the tool expects. You can also compare the structure to our Unit Tests.
-**DefectDojo Pro** has a Universal Parser import method which allows you to handle any JSON, CSV or XML file. **DefectDojo OS** users can write custom parsers for the same purpose.
+DefectDojo Pro has a Universal Parser import method which allows you to handle any JSON, CSV or XML file. DefectDojo OS users can write custom parsers for the same purpose.
-Finally, third-party report formats have been known to change without warning, and our Open Source community greatly appreciates [PRs and contributions](/en/open_source/contributing/how-to-write-a-parser/) to keep our parsers up to date.
+Finally, third-party report formats have been known to change without warning: Our OS community greatly appreciates [PRs and contributions](/en/open_source/contributing/how-to-write-a-parser/) to keep our parsers up to date.
### How should I handle large scan files?
-Importing a large report into DefectDojo can be a lengthy process. Reports of 2MB contain substantial amounts of data which can take a long time to translate into Findings. This depends on the security tool's report format itself.
+Importing a large report into DefectDojo can be a lengthy process. Reports of 2MB contain substantial amounts of data, which can take a long time to translate into Findings depending on the security tool’s report format.
-Our recommended approach is to break a large report up before import - rather than ingesting a report of **all** a tool's vulnerabilities at once, split them up by software project, application or by another context. This makes it much easier for DefectDojo to handle and categorize the data, and has the added benefit of proactively organizing your Findings, which makes for more relevant and faster report generation.
+Our recommended approach is to break down large reports before import to reflect different subsections of available data. If your security tool can filter results by software project, application, or other context, exporting smaller reports makes it easier for DefectDojo to handle and categorize the data. This also has the added benefit of proactively organizing your Findings based on how the data was broken down, which makes for more relevant and faster report generation.
-**DefectDojo Pro** can process reports in the background, which makes this process easier. However, files still need to be uploaded and validated by DefectDojo before the background Finding creation process can begin.
+DefectDojo Pro can process reports in the background. However, files still need to be uploaded and validated by DefectDojo before the background Finding creation process can begin.
### How do I connect a CI/CD pipeline to DefectDojo?
-Many of DefectDojo's core features can be completely automated. CI/CD (or any kind of automated import) can be handled by calling the [DefectDojo REST API](/en/connecting_your_tools/import_scan_files/api_pipeline_modelling/). **DefectDojo Pro** users also have access to the **Universal Importer / DefectDojo CLI** [command-line tools](/en/connecting_your_tools/external_tools/), which can be installed to run in many automated environments.
+Many of DefectDojo's core features can be completely automated. CI/CD (or any kind of automated import) can be handled by calling the [DefectDojo REST API](/en/connecting_your_tools/import_scan_files/api_pipeline_modelling/).
+
+**DefectDojo Pro** users also have access to the **Universal Importer / DefectDojo CLI** [command-line tools](/en/connecting_your_tools/external_tools/), which can be installed to run in many automated environments.
## Finding Management
### What does the status of a Finding mean?
-Findings can have many statuses which indicate their status. A status of Active or Inactive is always set on a Finding, while other statuses such as Verified, False Positive, or Out Of Scope can be applied at your discretion.
+Findings can have many statuses. A status of Active or Inactive is always set on a Finding, while other statuses such as Verified, False Positive, or Out Of Scope can be applied at your discretion.
These statuses are described in more detail in our [Finding Status Definitions](/en/working_with_findings/findings_workflows/finding_status_definitions/) guide, along with information about how they can be used.
### How can I delete Findings from DefectDojo?
-It's important to maintain historical records in AppSec work, so generally speaking, we recommend retaining Closed Findings as 'Inactive' rather than deleting them outright. Deleting a Finding will remove all notes and metric-tracking from that Finding outright, which can lead to inaccurate reports or an incomplete archive.
+Generally speaking, we recommend retaining Closed Findings as ‘Inactive’ rather than deleting them outright, as it’s important to maintain historical records in AppSec work. Deleting a Finding will remove all notes and metric-tracking from that Finding outright, which can lead to inaccurate reports or an incomplete archive.
Findings from DefectDojo can be deleted in a few ways:
-- by running a [Bulk Delete](/en/working_with_findings/findings_workflows/editing_findings/#bulk-delete-findings) action on the Findings that you want to delete
-- by calling `DELETE /findings/{id}` through the API
-- by deleting a parent object, such as a Test, Engagement, Product Type or Product.
+- By running a [Bulk Delete](/en/working_with_findings/findings_workflows/editing_findings/#bulk-delete-findings) action on the Findings that you want to delete
+- By calling `DELETE /findings/{id}` through the API
+- By deleting a parent object, such as a Test, Engagement, Product Type or Product.
+ - Note that subclasses are not preserved independently of their parent object: Deleting a parent object such as a Product Type will delete any Products, Engagements, Tests, Findings, and Endpoints within the Product Type. Conversely, deleting an Engagement will preserve the Products, and Product Types that precede it.
## Reporting and Jira
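Review bot: The added "How does DefectDojo handle access control for a team of users?" section lands directly under the existing "How does DefectDojo handle access control?" answer, which this hunk leaves in place, so the FAQ now answers the same RBAC question twice with near-identical text about roles at the Product Type / Product level; replace the old section instead of appending a second one. The hunk header also shows the retained section expanding RBAC as "Rule Based" while the new one uses "Role-Based". Smaller fixes in the added lines: "projects,you" needs a space, "security security tools" repeats a word, the accountant analogy sentence has no closing period, "warning: Our" should be lowercase after the colon, and "preserve the Products, and Product Types" has a stray comma. The duplicates link is the only one written as an absolute https://docs.defectdojo.com/ URL; use the relative /en/... form like the other links.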
@@ -97,6 +128,8 @@ You can quickly create a customized report in DefectDojo using the [Report Build
DefectDojo Pro users also have access to [executive-level Metrics dashboards](/en/about_defectdojo/ui_pro_vs_os/#new-dashboards) that can report on Product Types, Products or other data in real-time.
-### How can I integrate Jira with DefectDojo?
+### How can I integrate a project management tool with DefectDojo?
+
+In both Pro and Open-Source editions of DefectDojo, Findings in DefectDojo can be pushed to Jira as Issues, which allows you to integrate issue remediation with your development team. We have a [complete guide to Jira](/en/share_your_findings/jira_guide/) written which describes the process in detail.
-Findings in DefectDojo can be pushed to Jira as Issues, which allows you to integrate issue remediation with your development team. We have a [complete guide to Jira](/en/share_your_findings/jira_guide/) written which describes the process in detail.
\ No newline at end of file
+DefectDojo Pro adds support for [Additional Project Tracking Integrations](/en/share_your_findings/integrations/)**: ServiceNow, Azure DevOps, GitHub and GitLab.
\ No newline at end of file
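Review bot: The added Pro line has a stray "**" after the link, "[Additional Project Tracking Integrations](/en/share_your_findings/integrations/)**:", with no opening marker, so it will render as literal asterisks; drop it or wrap the link text in a matched pair. The file still ends without a trailing newline, which could be fixed while the last line is being touched.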
diff --git a/docs/content/en/about_defectdojo/new_user_checklist.md b/docs/content/en/about_defectdojo/new_user_checklist.md
index ca61207e326..d2e93499da9 100644
--- a/docs/content/en/about_defectdojo/new_user_checklist.md
+++ b/docs/content/en/about_defectdojo/new_user_checklist.md
@@ -6,22 +6,38 @@ weight: 3
chapter: true
---
-Here's a quick reference you can use to ensure successful implementation - from a blank canvas to a fully functional app.
+Here's a quick reference you can use to ensure successful implementation, from a blank canvas to a fully functional app.
-### The Basics
+The essence of DefectDojo is to import security data, organize it, and present it to the folks who need to know. Here are ways to achieve those things in DefectDojo Pro and Open-Source:
-1. Start by [importing a file](/en/connecting_your_tools/import_scan_files/import_scan_ui) using the UI. This is generally the quickest way to see how your data fits into the DefectDojo model. (note: OS users will need to set up a Product Type and Product before they can import data)
+### DefectDojo Pro
-2. Now that you have data in DefectDojo, learn more about how to organize it with the [Product Hierarchy Overview](/en/working_with_findings/organizing_engagements_tests/product_hierarchy). The Product Hierarchy creates a working inventory of your apps, which helps you divide your data up into logical categories. These categories can be used to apply access control rules, or to segement your reports to the correct team.
+1. Start by [importing a file](/en/connecting_your_tools/import_scan_files/import_scan_ui) using the UI. This is generally the quickest way to see how your data fits into the DefectDojo model.
-3. Try [creating a Report](/en/share_your_findings/pro_reports/using_the_report_builder/) to summarize the data you've imported. Reports can be used to quickly share Findings with stakeholders such as Product Owners.
+2. Now that you have data in DefectDojo, learn more about how to organize it with the [Product Hierarchy Overview](/en/working_with_findings/organizing_engagements_tests/product_hierarchy). The Product Hierarchy creates a working inventory of your apps, which helps you divide your data into logical categories, apply access control rules, sort Findings by [Priority and Risk](/en/working_with_findings/finding_priority/) or to segment your reports to the correct team.
-This is the essence of DefectDojo - import security data, organize it, and present it to the folks who need to know.
+3. Check out your [Metrics pages](/en/customize_dojo/dashboards/pro_dashboards/) which can be used to quickly share Finding reports with key stakeholders.
-All of these features can be automated, and because DefectDojo can handle over 190 tools (at time of writing) you should be all set to create a functional security inventory of your entire organizational output.
+### DefectDojo Open-Source
-### Other guides
+1. Open-Source users can start by creating their first [Product Type and Product](/en/working_with_findings/organizing_engagements_tests/product_hierarchy). Once those are created, they can [import a file](/en/connecting_your_tools/import_scan_files/import_scan_ui) to one of those Products using the UI.
+2. Now that you have data in DefectDojo, consider expanding your Product layout [Product Hierarchy Overview](/en/working_with_findings/organizing_engagements_tests/product_hierarchy). The Product Hierarchy creates a working inventory of your apps, which helps you divide your data up into logical categories. These categories can be used to apply access control rules, or to segment your reports to the correct team.
+
+3. Use the [Report Builder](/en/share_your_findings/pro_reports/using_the_report_builder/#opening-the-report-builder) to summarize the data you've imported. Reports can be used to quickly share Findings with stakeholders such as Product Owners.
+
+This is the essence of DefectDojo - import security data, organize it, and present it to the folks who need to know.
+
+All of these features can be automated, and because DefectDojo can handle over 200 tools (at time of writing) you should be all set to create a functional security inventory of your entire organizational output.
+
+## Other guides
+
+### Pro Features
+- If your organization uses ServiceNow, AzureDevops, GitHub or GitLab for issue tracking, check out our [documentation](/en/share_your_findings/integrations/) on those integrations.
+- Customize your [main Dashboard](/en/customize_dojo/dashboards/introduction_dashboard/) with filtered tiles to view your environment at a glance.
+- Learn how to rapidly import data and mirror your team's existing security environment with [Connectors](/en/connecting_your_tools/connectors/about_connectors/).
+
+### Open-Source Features
- Does your organization use Jira? Learn how to use our [Jira integration](/en/share_your_findings/jira_guide/) to create Jira tickets from the data you ingest.
- Are you expecting to share DefectDojo with many users in your organization? Check out our guides to [user management](/en/customize_dojo/user_management/about_perms_and_roles/) and set up role-based access control (RBAC).
-- Ready to dive into automation? Learn how to use the [DefectDojo API](/en/connecting_your_tools/import_scan_files/api_pipeline_modelling) to automatically import new data, and build a robust CI / CD pipeline.
\ No newline at end of file
+- Ready to dive into automation? Learn how to use the [DefectDojo API](/en/connecting_your_tools/import_scan_files/api_pipeline_modelling) to automatically import new data, and build a robust CI/CD pipeline.
\ No newline at end of file
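Review bot: The "essence of DefectDojo" sentence now appears twice, once in the new introduction and again after the Open-Source steps ("This is the essence of DefectDojo - import security data, organize it, ..."); keep one of them. In Open-Source step 2, "consider expanding your Product layout [Product Hierarchy Overview]" is missing a connective such as "using the", and steps 1 and 2 have no blank line between them as steps 2 and 3 do. In Pro step 2, the list "divide your data into logical categories, apply access control rules, sort Findings by ... or to segment your reports" is not parallel; drop the "to". "AzureDevops" should match the "Azure DevOps" spelling used in faq.md in this same change.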
diff --git a/docs/content/en/about_defectdojo/pro_features.md b/docs/content/en/about_defectdojo/pro_features.md
index ef2c09c1f48..8fd83333f07 100644
--- a/docs/content/en/about_defectdojo/pro_features.md
+++ b/docs/content/en/about_defectdojo/pro_features.md
@@ -7,47 +7,69 @@ chapter: true
exclude_search: true
---
-DefectDojo Pro comes with many additional features. Here is list of those features, along with links to documentation to see them in action:
+Here is a list of DefectDojo Pro’s many additional features, along with links to documentation to see them in action:
## Improved UX
### Pro UI
-DefectDojo's UI has been reworked in DefectDojo Pro to be faster, more functional, and to be better at navigating through enterprise-level data volume. It also includes a dark mode.
+
+DefectDojo's UI has been reworked in DefectDojo Pro to be faster, more functional, fully customizable, and better at navigating through enterprise-level data volume. It also includes a dark mode.
See our [Pro UI Guide](../ui_pro_vs_os) for more information.

### Finding Priority
+
DefectDojo Pro can pre-triage your Findings by Priority and Risk, allowing your team to identify and fix your most critical issues first.
See our [Finding Priority Guide](/en/working_with_findings/finding_priority/) for more details.
### Rules Engine
-DefectDojo Pro's Rules Engine allows you to set up a script of automated bulk actions - no programming experience required.
-Build custom workflows and bulk actions to handle Findings and other objects.
+
+DefectDojo Pro's Rules Engine allows you to script automated bulk actions and build custom workflows to handle Findings and other objects, no programming experience required.
+
See our [Rules Engine Guide](/en/customize_dojo/rules_engine) for more info.

### Pro Dashboards and Reporting
-Generate [instant reports and metrics](../ui_pro_vs_os/#new-dashboards) to share the security posture of your apps and repos. Evaluate your security tools and your team's performance in addressing security issues.
+
+Generate [instant reports and metrics](../ui_pro_vs_os/#new-dashboards) to share the security posture of your apps and repos, evaluate your security tools and analyze your team's performance in addressing security issues.
+
+The graphics on the landing page can be exported as SVG files, and the data used to create the graphics can also be exported as a table.
+
+Additionally, DefectDojo Pro includes several new [insights dashboards](/en/about_defectdojo/ui_pro_vs_os/#new-dashboards), offering enhanced metrics for various audiences of your security program.
### Deduplication Tuning
-Fine-tune how DefectDojo identifies and manages duplicate findings with advanced deduplication settings. Adjust same-tool, **cross-tool**, and reimport deduplication for precision matching between all your chosen security tools and vulnerability findings.
+
+Advanced Deduplication settings allow you to fine-tune how DefectDojo identifies and manages duplicate findings. Adjust same-tool, **cross-tool**, and reimport Deduplication for precision matching between all your chosen security tools and vulnerability findings.
+
See our [Deduplication Tuning Guide](/en/working_with_findings/finding_deduplication/tune_deduplication/) for more information.

## Streamlined import
+### More Import Options
+
+DefectDojo Pro includes four additional import methods: [Universal Importer](/en/connecting_your_tools/external_tools/), [API Connectors](/en/connecting_your_tools/connectors/about_connectors/), [Universal Parser](/supported_tools/parsers/universal_parser/), and [Smart Upload](/en/connecting_your_tools/import_scan_files/smart_upload/).
+
+
+
+
### Background Imports
+
For enterprise-level reports, DefectDojo Pro offers an optimized upload method which processes Findings in the background.
### CLI Tools
-Quickly build a command-line pipeline to import, reimport, and export data to your DefectDojo Pro instance using our Universal Importer and DefectDojo CLI apps. These tools are maintained by the DefectDojo Pro team and can be run in Windows, Macintosh, or Linux environments.
+
+Quickly build a command-line pipeline to import, reimport, and export data to your DefectDojo Pro instance using our Universal Importer and DefectDojo-CLI apps; no API scripting necessary (available for Windows, Macintosh, or Linux).
+
See our [External Tools Guide](/en/connecting_your_tools/external_tools/) for more information.
### Connectors
-DefectDojo can instantly connect to supported tools to import new Finding data - get an automated Import pipeline working out-of-the-box, without the need to set up any API calls or cron jobs.
+
+DefectDojo can instantly connect to enterprise-level scanning tools to import new Finding data, creating an automated Import pipeline that works out-of-the-box without the need to set up any API calls or cron jobs.
+
See our [Connectors Guide](/en/connecting_your_tools/connectors/about_connectors/) for more information.

@@ -66,10 +88,18 @@ Supported tools for Connectors include:
* Tenable
* Wiz
-### Universal Parser
-Are you using an unsupported or customized scanning tool? Or do you just wish DefectDojo handled a report slightly differently?
+### Universal Parser (Beta)
+
+If you’re using an unsupported/customized scanning tool, or just wish that DefectDojo handled a report slightly differently, use DefectDojo Pro's Universal Parser to turn any .json or .csv report into an actionable set of Findings. Your parser will parse and map the data however you like.
-Use DefectDojo Pro's Universal Parser to turn any .json or .csv report into an actionable set of Findings, and have DefectDojo parse the data however you like.
See our [Universal Parser Guide](/en/connecting_your_tools/universal_parser/) for more information.

+
+## Support
+
+DefectDojo Pro subscriptions include world-class support for both on-premise and Cloud installations. Our team is available to help your organization implement and maximize your use of DefectDojo Pro. Your subscription includes:
+
+- **Comprehensive Support**: Unlimited support tickets and seats are available to assist your entire team.
+- **Dedicated Engineering Focus**: User-reported issues, bugs, and feature requests receive priority attention from our engineering team.
+- **SaaS Management**: We provide monitoring, maintenance, and backups for all SaaS instances.
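Review bot: The Universal Parser heading gains "(Beta)" here, but the faq.md entries in this change describe the feature with no Beta label, and this paragraph says ".json or .csv" where faq.md says "any JSON, CSV or XML file"; state the status and the supported formats the same way in both files. The unchanged guide link just below, /en/connecting_your_tools/universal_parser/, differs from both of the other Universal Parser paths used in this change and is worth checking while the section is open.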
diff --git a/docs/content/en/about_defectdojo/request_a_trial.md b/docs/content/en/about_defectdojo/request_a_trial.md
index b0a23ea9073..18cc2094a93 100644
--- a/docs/content/en/about_defectdojo/request_a_trial.md
+++ b/docs/content/en/about_defectdojo/request_a_trial.md
@@ -6,11 +6,11 @@ weight: 6
pro-feature: true
---
-If your team requires an on\-premise DefectDojo installation, please connect with our Sales team by emailing \-\> [info@defectdojo.com](mailto:info@defectdojo.com) . This trial setup process only applies to DefectDojo Cloud users.
+If your team requires an on-premise DefectDojo installation, please connect with our Sales team by emailing → [hello@defectdojo.com](mailto:hello@defectdojo.com) . This trial setup process only applies to DefectDojo Cloud users.
-All DefectDojo plans include a free 2\-week trial, which you can use to evaluate our software. DefectDojo Trial instances are fully\-featured and can be immediately converted to our team into paid instances \- no need to set everything up again, or reupload any data when your trial period ends.
+All DefectDojo plans include a free 2-week trial, which you can use to evaluate our software. DefectDojo Trial instances are fully-featured and can be immediately converted into paid instances by our team; no need to set everything up again, or reupload any data when your trial period ends.
-At the end of this process, you'll be put in touch with our Sales team, who will follow up to receive your billing information, and authorize and set up your company's trial instance.
+At the end of this process, you'll be put in touch with our Sales team who will follow up to receive your billing information and authorize your company's trial instance.
# **Requesting your Trial**
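Review bot: The rewritten first line keeps the space before the period after the mailto link ("(mailto:hello@defectdojo.com) .") and replaces the escaped "\-\>" with a "→" that adds nothing; "by emailing [hello@defectdojo.com](mailto:hello@defectdojo.com)." reads cleanly. The contact address changes from info@ to hello@ here, so the commit message should mention it if that is intentional.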
@@ -29,7 +29,7 @@ Enter your company's **Name** and the **Server Label** you want to use with Defe

-Normally, DefectDojo will name your domain according to your Company Name., but if you select "Use Server Label in Domain", DefectDojo will instead label your domain according to the Server Label you chose. This approach may be preferred if you plan to use multiple DefectDojo instances (such as a Production instance and a Test instance, for example). Please contact our Sales team \-\> [info@defectdojo.com](mailto:info@defectdojo.com) if you require multiple instances.
+Normally, DefectDojo will name your domain according to your company name, but if you select "Use Server Label in Domain" DefectDojo will instead label your domain according to the Server Label you chose. This approach may be preferred if you plan to use multiple DefectDojo instances (such as a Production instance and a Test instance, for example). Please contact our Sales team → [hello@defectdojo.com](mailto:hello@defectdojo.com) if you require multiple instances.
## Step 3: Select a Server Location
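Review bot: The new Server Label sentence drops the comma that closed the conditional clause: 'if you select "Use Server Label in Domain" DefectDojo will instead label your domain' needs a comma after the quoted option name. The "→" before the email link has the same issue as in the first hunk of this file.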
@@ -43,11 +43,11 @@ Enter the IP address ranges, subnet mask and labels that you want to allow to ac

-If you want to use external services with DefectDojo (GitHub or JIRA), check the appropriate boxes listed under **Select External Services.**
+If you want to use external services with DefectDojo (e.g., GitHub or JIRA), check the appropriate boxes listed under **Select External Services.**
## Step 5: Confirm your Plan type and Billing Frequency
-Before you complete the process, please confirm the plan you want to use along with your billing frequency \- monthly or annually.
+Before you complete the process, please confirm the plan you want to use along with your billing frequency (monthly or annually).

@@ -60,8 +60,8 @@ We'll prompt you to look over your request one more time. Once submitted, only F
After reviewing and accepting DefectDojo's License and Support Agreement, you can click **Checkout With Stripe** or **Contact Sales**.
* Checkout With Stripe will take you to a Stripe page where you can enter your billing information.
-* If you do not wish to enter your billing info at this time, you can click Contact Sales - our Sales team will be in touch to set up your trial.
+* If you do not wish to enter your billing info at this time, you can click Contact Sales, and our Sales team will be in touch to help you finalize your trial subscription.
# Once your trial has been approved
-Our Support team will send you a Welcome email with links and an initial password to access your DefectDojo instance. You can always reach out to [support@defectdojo.com](mailto:support@defectdojo.com) for product assistance once your trial begins.
+Our Support team will send you a Welcome email with links and an initial password to access your DefectDojo instance. You can always reach out to [support@defectdojo.com](mailto:support@defectdojo.com) for DefectDojo Pro assistance once your trial begins.
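Review bot: The Welcome email sentence at the end of this hunk says an initial password is delivered by email, and nothing in the visible text tells the reader to replace it. Suggest adding a sentence asking users to change the initial password at first login, since a credential sitting in a mailbox stays valid for as long as it is unchanged. Separately, "DefectDojo Pro assistance" narrows the support sentence to Pro, while the trial wording earlier in this file speaks of "All DefectDojo plans"; pick one scope.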
diff --git a/docs/content/en/about_defectdojo/ui_pro_vs_os.md b/docs/content/en/about_defectdojo/ui_pro_vs_os.md
index 43ba8dcc7ab..99378ee987b 100644
--- a/docs/content/en/about_defectdojo/ui_pro_vs_os.md
+++ b/docs/content/en/about_defectdojo/ui_pro_vs_os.md
@@ -6,16 +6,14 @@ weight: 5
pro-feature: true
---
-Note: The Pro UI and associated features are only available in DefectDojo Pro.
-
-In late 2023, DefectDojo Inc. released a new UI for DefectDojo Pro, which has since been in Pro for Pro customers to test and experiment with.
+In late 2023, DefectDojo Inc. released a new UI for DefectDojo Pro, which is now the default UI for this edition.
The Pro UI brings the following enhancements to DefectDojo:
-- Modern and sleek design, built using Vue.js
-- Optimized data delivery and load times, especially for large datasets
-- Access to new Pro features, including [API Connectors](/en/connecting_your_tools/connectors/about_connectors/), [Universal Importer](/en/connecting_your_tools/external_tools/), and Pro Metrics views
-- Improved UI workflows: better filtering, dashboards, and navigation
+- Modern and sleek design using Vue.js.
+- Optimized data delivery and load times, especially for large datasets.
+- Access to new Pro features, including [API Connectors](/en/connecting_your_tools/connectors/about_connectors/), [Universal Importer](/en/connecting_your_tools/external_tools/), and [Pro Metrics](https://docs.defectdojo.com/en/customize_dojo/dashboards/pro_dashboards/) views.
+- Improved UI workflows: better filtering, dashboards, and navigation.
## Switching To The Pro UI
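Review bot: The Pro Metrics link in the third bullet is the only one written as an absolute URL (https://docs.defectdojo.com/en/customize_dojo/dashboards/pro_dashboards/); the API Connectors and Universal Importer links beside it are site-relative (/en/...). Use the site-relative form so the link follows the build's base URL like the others. The removed "only available in DefectDojo Pro" note was the one plain-text statement of edition scope on the page; if the `pro-feature: true` front matter does not render a visible marker, keep a short version of it.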
@@ -25,34 +23,38 @@ To access the Pro UI, open your User Options menu from the top-right hand corner
## Navigational Changes
-
+
+
+1. The **Sidebar** has been reorganized into four parent categories: Dashboards, Import, Manage, and Settings.
-1. The **Sidebar** has been reorganized: Pro Metrics and the Homepage can be found in the first section.
+2. The Homepage, [AI-powered native API connection capabilities](/en/ai/mcp_server_pro/), Pro Metrics, and the Calendar view are all accessible under Dashboards.
-2. Import methods can be found in the **Import** section: set up [API Connectors](/en/connecting_your_tools/connectors/about_connectors/), use the Import Scan form to [Add Findings](/en/connecting_your_tools/import_scan_files/import_scan_ui/), or use [Smart Upload](/en/connecting_your_tools/import_scan_files/smart_upload/) to handle infrastructure scanning tools.
+4. Import methods can be found in the Import section: set up [API Connectors](/en/connecting_your_tools/connectors/about_connectors/), use the [Import Scan](/en/connecting_your_tools/import_scan_files/import_scan_ui/) form to Add Findings, use [Smart Upload](/en/connecting_your_tools/import_scan_files/smart_upload/) to handle infrastructure scanning tools, or use our external tools—[Universal Importer and DefectDojo CLI](/en/connecting_your_tools/external_tools/)—to streamline both the import and reimport processes of Findings and associated objects.
-3. The **Manage** section allows you to view different objects in the [Product Hierarchy](/en/working_with_findings/organizing_engagements_tests/product_hierarchy/), with views for Product Types, Products, Engagements, Tests, Findings, Risk Acceptances, Endpoints and Components.
+5. The **Manage** section allows you to view different objects in the [Product Hierarchy](/en/working_with_findings/organizing_engagements_tests/product_hierarchy/), with views for Product Types, Products, Engagements, Tests, Findings, Risk Acceptances, Endpoints, and Components. There are additional sections for generating reports (Report Builder), using surveys (Surveys), as well as a [Rules Engine](/en/customize_dojo/rules_engine/).
-4. The **Settings** section allows you to configure your DefectDojo instance, including your License, Cloud Settings, Users, Feature Configuration and admin-level Enterprise Settings.
+5. The **Settings** section allows you to configure your DefectDojo instance, including your Integrations, License, Cloud Settings, Users, Feature Configuration and admin-level Enterprise Settings.
-The Enterprise settings section contains the System Settings, Jira Instances, Deduplication Settings, SAML, OAuth, Login and MFA forms.
+6. The **Pro Settings** section contains the System Settings, Banner Settings, Notification Settings, Jira Instances, Deduplication Settings, and Authentication Settings, including SAML, OIDC, OAuth, Login, and MFA forms.
-5. The Pro UI also has a **new table format** to help with navigation. This table is used with all [Product Hierarchy](/en/working_with_findings/organizing_engagements_tests/product_hierarchy/). Each column can be clicked on to apply a relevant filter, and columns can be reordered to present data however you like.
+7. The Pro UI also has a **new table format**, used in the [Product Hierarchy](/en/working_with_findings/organizing_engagements_tests/product_hierarchy/) to help with navigation. Each column can be clicked on to apply a relevant filter, and columns can be reordered to present data however you like.
-6. The table also has a **"Toggle Columns"** menu which can add or remove columns from the table.
+8. The table also has a **"Toggle Columns"** menu which can add or remove columns from the table.
## Filtering the Table
-In this screenshot we are filtering for all Findings that are in 'Product One'. Once we apply this filter (by clicking outside of the Filters menu), the contents of this Finding list will automatically update to reflect the filter applied.
-
+In this screenshot we are filtering for all Findings that are in “Sam’s Awesome Product.” Once we click Apply, the contents of this Finding list will update to reflect the chosen filter.
+
+
## New Dashboards
-New metrics visualizations are included in the Pro UI. All of these reports can be filtered and exported as PDF to share them with a wider audience.
+New Metrics visualizations are included in the Pro UI. All of these reports can be filtered and exported as PDFs to share them with a wider audience.

- The **Executive Insights** dashboard displays the current state of your Products and Product Types.
-- **Program Insights** dashboard displays the effectiveness of your security team and the cost savings associated with separating duplicates and false positives from actionable Findings.
-- **Remediation Insights** displays your effectiveness at remediating Findings.
+- **Priority Insights** show the most critical findings with the option to filter for various timelines, Product Types, Products, and Tags.
+- The **Program Insights** dashboard displays the effectiveness of your security team and the cost savings associated with separating duplicates and false positives from actionable Findings.
+- **Remediation Insights** displays your team's effectiveness at remediating Findings.
- **Tool Insights** displays the effectiveness of your tool suite (and Connectors pipelines) at detecting and reporting vulnerabilities.
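Review bot: The renumbered Navigational Changes list runs 1, 2, 4, 5, 5, 6, 7, 8: item 3 is missing and 5 is used for both Manage and Settings. If the numbers are meant to match callouts in the screenshot, readers cannot map them; renumber sequentially or align them with the image. Item 5 (Settings) still refers to "admin-level Enterprise Settings" while the next item renames that section to "Pro Settings", so use one name. In the dashboards list, "Priority Insights show" should be "shows" to agree with the other entries.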
diff --git a/docs/content/en/api/api-v2-docs.md b/docs/content/en/api/api-v2-docs.md
index 557b7cbc63a..819138bf43a 100644
--- a/docs/content/en/api/api-v2-docs.md
+++ b/docs/content/en/api/api-v2-docs.md
@@ -177,4 +177,107 @@ Example for importing a scan result:
| [.Net/C# library](https://www.nuget.org/packages/DefectDojo.Api/) | working (2021-06-08) | |
| [dd-import](https://github.com/MaibornWolff/dd-import) | working (2021-08-24) | dd-import is not directly an API wrapper. It offers some convenience functions to make it easier to import findings and language data from CI/CD pipelines. |
-Some of the api wrappers contain quite a bit of logic to ease scanning and importing in CI/CD environments. We are in the process of simplifying this by making the DefectDojo API smarter (so api wrappers / script can be dumber).
\ No newline at end of file
+Some of the api wrappers contain quite a bit of logic to ease scanning and importing in CI/CD environments. We are in the process of simplifying this by making the DefectDojo API smarter (so api wrappers / script can be dumber).
+
+## API Notes
+
+### Import / Reimport
+
+**Reimport** is actually the easiest way to get started as it will create any entities on the fly if needed and it will automatically detect if it is a first time upload or a re-upload.
+
+## Import
+Importing via the API is performed via the [import-scan](https://demo.defectdojo.org/api/v2/doc/) endpoint.
+
+As described in the [Product Hierarchy](/en/working_with_findings/organizing_engagements_tests/product_hierarchy), Test gets created inside an Engagement, inside a Product, inside a Product Type.
+
+An import can be performed by specifying the names of these entities in the API request:
+
+
+```JSON
+{
+ "minimum_severity": 'Info',
+ "active": True,
+ "verified": True,
+ "scan_type": 'ZAP Scan',
+ "test_title": 'Manual ZAP Scan by John',
+ "product_type_name": 'Good Products',
+ "product_name": 'My little product',
+ "engagement_name": 'Important import',
+ "auto_create_context": True,
+}
+```
+
+When `auto_create_context` is `True`, the product, engagement, and environment will be created if needed. Make sure your user has sufficient [permissions](/en/customize_dojo/user_management/about_perms_and_roles/) to do this.
+
+A classic way of importing a scan is by specifying the ID of the engagement instead:
+
+```JSON
+{
+ "minimum_severity": 'Info',
+ "active": True,
+ "verified": True,
+ "scan_type": 'ZAP Scan',
+ "test_title": 'Manual ZAP Scan by John',
+ "engagement": 123,
+}
+```
+
+## Reimport
+ReImporting via the API is performed via the [reimport-scan](https://demo.defectdojo.org/api/v2/doc/) endpoint.
+
+A reimport can be performed by specifying the names of these entities in the API request:
+
+
+```JSON
+{
+ "minimum_severity": 'Info',
+ "active": True,
+ "verified": True,
+ "scan_type": 'ZAP Scan',
+ "test_title": 'Manual ZAP Scan by John',
+ "product_type_name": 'Good Products',
+ "product_name": 'My little product',
+ "engagement_name": 'Important import',
+ "auto_create_context": True,
+ "do_not_reactivate": False,
+}
+```
+
+When `auto_create_context` is `True`, the Product Type, Product and Engagement will be created if they do not already exist. Make sure your user has sufficient [permissions](/en/customize_dojo/user_management/about_perms_and_roles/) to create a Product/Product Type.
+
+When `do_not_reactivate` is `True`, the importing/reimporting will ignore uploaded active findings and not reactivate previously closed findings, while still creating new findings if there are new ones. You will get a note on the finding to explain that it was not reactivated for that reason.
+
+A reimport will automatically select the latest test inside the provided engagement that satisifes the provided `scan_type` and (optionally) provided `test_title`.
+
+If no existing Test is found, the reimport endpoint will use the import function to import the provided report into a new Test. This means a (CI/CD) script using the API doesn't need to know if a Test already exists, or if it is a first time upload for this Product / Engagement.
+
+A classic way of reimporting a scan is by specifying the ID of the test instead:
+
+```JSON
+{
+ "minimum_severity": 'Info',
+ "active": True,
+ "verified": True,
+ "scan_type": 'ZAP Scan',
+ "test": 123,
+}
+```
+
+## Using the Scan Completion Date (API: `scan_date`) field
+
+DefectDojo offers a plethora of supported scanner reports, but not all of them contain the
+information most important to a user. The `scan_date` field is a flexible smart feature that
+allows users to set the completion date of the a given scan report, and have it propagate
+down to all the findings imported. This field is **not** mandatory, but the default value for
+this field is the date of import (whenever the request is processed and a successful response is returned).
+
+Here are the following use cases for using this field:
+
+1. The report **does not** set the date, and `scan_date` is **not** set at import
+ - Finding date will be the default value of `scan_date`
+2. The report **sets** the date, and the `scan_date` is **not** set at import
+ - Finding date will be whatever the report sets
+3. The report **does not** set the date, and the `scan_date` is **set** at import
+ - Finding date will be whatever the user set for `scan_date`
+4. The report **sets** the date, and the `scan_date` is **set** at import
+ - Finding date will be whatever the user set for `scan_date`
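Review bot: All four request examples are fenced as JSON but are not valid JSON: they use single-quoted strings, Python-style `True`/`False`, and a trailing comma before the closing brace, so a JSON parser will reject them as written. Either convert them (double quotes, `true`/`false`, no trailing comma) or relabel the fences as Python. The heading levels are also inverted: "### Import / Reimport" is followed by "## Import" and "## Reimport", which lifts the children above their parent under "## API Notes". The two `auto_create_context` paragraphs disagree on what gets created ("product, engagement, and environment" vs "Product Type, Product and Engagement"); that list determines which permissions a CI user needs, so it should be stated once and consistently. Typos carried over from the archived page: "satisifes", "the a given scan report".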
diff --git a/docs/content/en/connecting_your_tools/external_tools.md b/docs/content/en/connecting_your_tools/external_tools.md
index fcc27eca29f..18f39813091 100644
--- a/docs/content/en/connecting_your_tools/external_tools.md
+++ b/docs/content/en/connecting_your_tools/external_tools.md
@@ -9,20 +9,19 @@ weight: 2
## About External Tools
-`defectdojo-cli` and `universal-importer` are command-line tools designed to seamlessly upload scan results into DefectDojo. They streamline both the import and re-import processes of findings and associated objects. These tools are flexible and support importing and re-importing scan results, making it ideal for users who want to quickly set up these interactions with the DefectDojo API.
+`defectdojo-cli` and `universal-importer` are command-line tools designed to streamline both the import and re-import processes of Findings and associated objects, making it ideal for users who want to quickly set up these interactions with the DefectDojo API.
DefectDojo-CLI has the same functionality as Universal Importer, but also includes the ability to export Findings from DefectDojo to JSON or CSV.
## Installation
-1. Use the DefectDojo UI to download the appropriate binary for your operating system from the platform.
+1. Locate “External Tools” from your User Profile menu:
-2. Locate “External Tools” from your User Profile menu:
+2. Download the appropriate binary for your operating system from the platform.

-3. Extract the downloaded archive within a directory of your choice.
-Optional: Add the directory containing the extracted binary to your system's $PATH for repeat access.
+3. Extract the downloaded archive within a directory of your choice. Optionally, add the directory containing the extracted binary to your system's $PATH for repeat access.
**Note that Macintosh users may be blocked from running DefectDojo-CLI or Universal Importer as they are apps from an unidentified developer. See [Apple Support](https://support.apple.com/en-ca/guide/mac-help/mh40616/mac) for instructions on how to override the block from Apple.**
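Review bot: The reordered install steps go from download straight to extract and run, and the context note at the end of the hunk tells macOS users how to override the "unidentified developer" block, with no step for verifying the binary first. If checksums or signatures are published for these downloads, add a verification step between steps 2 and 3 and reference it from the macOS note. In the rewritten About paragraph, "making it ideal" should be "making them ideal", since the subject is both tools.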
@@ -50,10 +49,10 @@ in the user dropdown in the top-right corner:
**For Universal Importer:**
`export DD_IMPORTER_DOJO_API_TOKEN=YOUR_API_KEY`
-
Note: On Windows, use `set` instead of `export`.
### Windows: Using PowerShell
+
1. Open PowerShell (Windows Key, then search for "PowerShell").
2. Set the environment variables:
- **Temporary:**
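Review bot: Removing the blank line after the `export DD_IMPORTER_DOJO_API_TOKEN=YOUR_API_KEY` line joins "Note: On Windows, use `set` instead of `export`." to the same Markdown paragraph as the command; keep the blank line so the note renders on its own. The note also sits directly above "### Windows: Using PowerShell", where `set` does not set an environment variable, so say "in Command Prompt (cmd.exe)" to keep readers from carrying it into the PowerShell steps.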
@@ -156,16 +155,17 @@ defectdojo-cli [global options] import [optional flags]
* Create an Engagement inside the product
* Provide the id of the Engagement in the engagement parameter
-In this scenario a new Test will be created inside the Engagement.
+In this scenario, a new Test will be created inside the Engagement.
**By Name:**
+
* Create a Product (or use an existing product)
* Create an Engagement inside the product
* Provide product-name
* Provide engagement-name
* Optionally provide product-type-name
-In this scenario DefectDojo will look up the Engagement by the provided details.
+In this scenario, DefectDojo will look up the Engagement by the provided details.
When using names you can let the importer automatically create Engagements, Products and Product-types by using `auto-create-context=true`.
You can use `deduplication-on-engagement` to restrict deduplication for imported Findings to the newly created Engagement.
@@ -284,7 +284,7 @@ By Names:
- Provide engagement-name
- Optional: Provide test-name
-In this scenario DefectDojo will look up the Test by the provided details. If no test-name is provided, the latest test inside the engagement will be chosen based on scan-type.
+In this scenario, DefectDojo will look up the Test by the provided details. If no test-name is provided, the latest test inside the engagement will be chosen based on scan-type.
When using names you can let the importer automatically create Engagements, Products and Product-types by using `auto-create-context=true`.
You can use `deduplication-on-engagement` to restrict deduplication for imported Findings to the newly created Engagement.
@@ -601,7 +601,7 @@ defectdojo-cli interactive
`universal-importer` seamlessly integrates scan results into DefectDojo, streamlining both the import and reimport processes of findings and associated objects. Designed for ease of use, the tool supports various endpoints, catering to both initial imports and subsequent reimports — ideal for users requiring robust and flexible interaction with the DefectDojo API.
-Usage of Universal Importer is similar to DefectDojo-CLI, however Universal Importer does not have the Export functionality, and environment variables are encoded differently.
+While similar to DefectDojo-CLI, Universal Importer does not have the Export functionality, and environment variables are encoded differently.
### Commands
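Review bot: "environment variables are encoded differently" is ambiguous in the rewritten sentence: the only difference visible in this file is the variable name (the Universal Importer example uses `DD_IMPORTER_DOJO_API_TOKEN`). If the difference is the prefix, say "named differently" and give both names, so readers know which variable each tool reads its API token from.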
diff --git a/docs/content/en/open_source/archived_docs/importing.md b/docs/content/en/open_source/archived_docs/importing.md
deleted file mode 100644
index 601b025d507..00000000000
--- a/docs/content/en/open_source/archived_docs/importing.md
+++ /dev/null
@@ -1,147 +0,0 @@
----
-title: "Importing"
-description: "How DefectDojo imports and reimports security tool reports."
-draft: false
-weight: 1
-exclude_search: true
----
-
-## Import
-
-The importers analyze each report and create new Findings for each item
-reported. DefectDojo collapses duplicate Findings by capturing the
-individual hosts vulnerable.
-
-
-
-This approach will create a new Test for each upload. This can result in a lot of findings. If deduplication is enabled, new Findings that are identical to existing Findings get marked as a duplicate.
-
-## Reimport
-
-Additionally, DefectDojo allows for re-imports of previously uploaded
-reports. This greatly reduces the amount of findings as no duplicates are created for findings that already exist.
-
-
-
-DefectDojo will attempt to capture the deltas between the
-original and new import and automatically add or mitigate findings as
-appropriate.
-
-
-
-This behaviour can be controled via the `closed_old_findings` parameter on the reupload form.
-
-The history of a test will be shown with the delta's for each reimported scan report.
-
-
-Clicking on a reimport changset will show the affected findings, as well as a status history per finding.
-
-
-### Triage-less scanners
-Some scanners might not include triage information in their reports (e.g. tfsec). They simply scan code or dependencies, flag issues, and return everything. Removing some findings requires you to add comments in your code perhaps, but there is no simple way to filter out findings from the reports.
-
-That is why DefectDojo also includes a "Do not reactivate" checkbox in uploading reports (also in the reimport API), so you can persist the triages that have been done in Defectdojo without reactivating Findings on every upload.
-
-For context, see [#6892](https://github.com/DefectDojo/django-DefectDojo/issues/6892)
-
-# API
-This section focuses on Import and Reimport via the API. Please see the [full documentation details of all API Endpoints](/en/api/api-v2-docs/) for more details.
-Reimport is actually the easiest way to get started as it will create any entities on the fly if needed and it will automatically detect if it is a first time upload or a re-upload.
-
-## Import
-Importing via the API is performed via the [import-scan](https://demo.defectdojo.org/api/v2/doc/) endpoint.
-
-As described in the [Product Hierarchy](/en/working_with_findings/organizing_engagements_tests/product_hierarchy), a test gets created inside an Engagement, inside a Product, inside a Product Type.
-
-An import can be performed by specifying the names of these entities in the API request:
-
-
-```JSON
-{
- "minimum_severity": 'Info',
- "active": True,
- "verified": True,
- "scan_type": 'ZAP Scan',
- "test_title": 'Manual ZAP Scan by John',
- "product_type_name": 'Good Products',
- "product_name": 'My little product',
- "engagement_name": 'Important import',
- "auto_create_context": True,
-}
-```
-
-When `auto_create_context` is `True`, the product, engagement, and environment will be created if needed. Make sure your user has sufficient [permissions](../usage/permissions) to do this.
-
-A classic way of importing a scan is by specifying the ID of the engagement instead:
-
-```JSON
-{
- "minimum_severity": 'Info',
- "active": True,
- "verified": True,
- "scan_type": 'ZAP Scan',
- "test_title": 'Manual ZAP Scan by John',
- "engagement": 123,
-}
-```
-
-
-## Reimport
-ReImporting via the API is performed via the [reimport-scan](https://demo.defectdojo.org/api/v2/doc/) endpoint.
-
-A reimport can be performed by specifying the names of these entities in the API request:
-
-
-```JSON
-{
- "minimum_severity": 'Info',
- "active": True,
- "verified": True,
- "scan_type": 'ZAP Scan',
- "test_title": 'Manual ZAP Scan by John',
- "product_type_name": 'Good Products',
- "product_name": 'My little product',
- "engagement_name": 'Important import',
- "auto_create_context": True,
- "do_not_reactivate": False,
-}
-```
-
-When `auto_create_context` is `True`, the product and engagement will be created if needed. Make sure your user has sufficient [permissions](../usage/permissions) to do this.
-
-When `do_not_reactivate` is `True`, the importing/reimporting will ignore uploaded active findings and not reactivate previously closed findings, while still creating new findings if there are new ones. You will get a note on the finding to explain that it was not reactivated for that reason.
-
-A reimport will automatically select the latest test inside the provided engagement that satisifes the provided `scan_type` and (optionally) provided `test_title`.
-
-If no existing Test is found, the reimport endpoint will use the import function to import the provided report into a new Test. This means a (CI/CD) script using the API doesn't need to know if a Test already exists, or if it is a first time upload for this Product / Engagement.
-
-A classic way of reimporting a scan is by specifying the ID of the test instead:
-
-```JSON
-{
- "minimum_severity": 'Info',
- "active": True,
- "verified": True,
- "scan_type": 'ZAP Scan',
- "test": 123,
-}
-```
-
-## Using the Scan Completion Date (API: `scan_date`) field
-
-DefectDojo offers a plethora of supported scanner reports, but not all of them contain the
-information most important to a user. The `scan_date` field is a flexible smart feature that
-allows users to set the completion date of the a given scan report, and have it propagate
-down to all the findings imported. This field is **not** mandatory, but the default value for
-this field is the date of import (whenever the request is processed and a successful response is returned).
-
-Here are the following use cases for using this field:
-
-1. The report **does not** set the date, and `scan_date` is **not** set at import
- - Finding date will be the default value of `scan_date`
-2. The report **sets** the date, and the `scan_date` is **not** set at import
- - Finding date will be whatever the report sets
-3. The report **does not** set the date, and the `scan_date` is **set** at import
- - Finding date will be whatever the user set for `scan_date`
-4. The report **sets** the date, and the `scan_date` is **set** at import
- - Finding date will be whatever the user set for `scan_date`
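Review bot: Only the API half of this deleted page reappears in api-v2-docs.md. The Import and Reimport overview, the `closed_old_findings` sentence, and the "Triage-less scanners" section that explains why "Do not reactivate" exists (with the #6892 link) have no replacement in the visible patch. Confirm that content lives on another page, or move it along with the API notes, and check for inbound links to the archived path.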
diff --git a/docs/content/en/working_with_findings/finding_deduplication/deduplication_algorithms.md b/docs/content/en/working_with_findings/finding_deduplication/deduplication_algorithms.md
index 0d354d784ee..5b5d56ca85d 100644
--- a/docs/content/en/working_with_findings/finding_deduplication/deduplication_algorithms.md
+++ b/docs/content/en/working_with_findings/finding_deduplication/deduplication_algorithms.md
@@ -13,7 +13,7 @@ DefectDojo supports four deduplication algorithms that can be selected per parse
- **Unique ID From Tool or Hash Code**: Prefer the tool’s unique ID; fall back to hash when no matching unique ID is found.
- **Legacy**: Historical algorithm with multiple conditions; only available in the Open Source version.
-Algorithm selection per parser is controlled by `DEDUPLICATION_ALGORITHM_PER_PARSER` (see the [OS tuning page](deduplication_tuning_os) for configuration details).
+Algorithm selection per parser is controlled by `DEDUPLICATION_ALGORITHM_PER_PARSER` (see the [Open-Source tuning page](/en/working_with_findings/finding_deduplication/deduplication_tuning_os/) for configuration details).
## How endpoints are assessed per algorithm
@@ -60,6 +60,4 @@ The endpoints also have to match for the findings to be considered duplicates, s
- During import/reimport, the `Service` field entered in the UI can override the parser-provided service. Changing it can change the hash and therefore affect deduplication outcomes.
- If you want service to have no impact on deduplication, configure `HASH_CODE_FIELDS_ALWAYS` accordingly (see the OS tuning page). Removing `service` from the always-included list will stop it from affecting hashes.
-See also: the [Open Source tuning guide](deduplication_tuning_os) for configuration details and examples.
-
-
+See also: the [Open Source tuning guide](/en/working_with_findings/finding_deduplication/deduplication_tuning_os/) for configuration details and examples.
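Review bot: The bullet just above the changed line still says "(see the OS tuning page)" with no link, while the line being fixed calls the same page the "Open Source tuning guide" and the first hunk in this file calls it the "Open-Source tuning page". Link the unlinked mention as well and use one name for the page throughout.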
diff --git a/docs/content/en/working_with_findings/finding_deduplication/deduplication_tuning_os.md b/docs/content/en/working_with_findings/finding_deduplication/deduplication_tuning_os.md
index 162b683d4c0..2acf22e0e08 100644
--- a/docs/content/en/working_with_findings/finding_deduplication/deduplication_tuning_os.md
+++ b/docs/content/en/working_with_findings/finding_deduplication/deduplication_tuning_os.md
@@ -6,7 +6,7 @@ weight: 5
This page explains how to tune deduplication in the Open Source (OS) edition of DefectDojo. For a visual, feature-rich tuning UI, see the Pro documentation. The OS edition uses settings files and environment variables.
-See also: [Configuration](../../open_source/installation/configuration) for details on environment variables and `local_settings.py` overrides.
+See also: [Configuration](/en/open_source/installation/configuration) for details on environment variables and `local_settings.py` overrides.
## What you can configure
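Review bot: The new Configuration target `/en/open_source/installation/configuration` has no trailing slash, unlike the deduplication links rewritten in this patch (for example `/en/working_with_findings/finding_deduplication/deduplication_tuning_os/`). Add the slash so the site-absolute links follow one form.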
diff --git a/docs/content/en/working_with_findings/organizing_engagements_tests/tagging_objects.md b/docs/content/en/working_with_findings/organizing_engagements_tests/tagging_objects.md
index 7e79f82669c..d551f07de0b 100644
--- a/docs/content/en/working_with_findings/organizing_engagements_tests/tagging_objects.md
+++ b/docs/content/en/working_with_findings/organizing_engagements_tests/tagging_objects.md
@@ -9,7 +9,7 @@ exclude_search: false
Tags are ideal for grouping objects in a manner that can be filtered out into smaller, more digestible chunks. They can be used to denote status, or to create custom sets of Product Type, Products, Engagements or Findings across the data model.
In DefectDojo, tags are a first class citizen and are recognized as the facilitators
-of organization within each level of the [data model](../Product_hierarchy).
+of organization within each level of the [data model](../product_hierarchy).
Here is an example with a Product with two tags and four findings each with a single tag:
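Review bot: The fix lower-cases the path but leaves it relative (`../product_hierarchy`), while the same page is linked elsewhere in this patch as `/en/working_with_findings/organizing_engagements_tests/product_hierarchy/`. Use the site-absolute form here too, matching the other link rewrites in this change, so the target does not depend on how this page's URL is rendered.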