2.41.1: docs maintenance #11413

Merged
merged 8 commits into from
Dec 19, 2024
12 changes: 6 additions & 6 deletions docs/content/en/about_defectdojo/new_user_checklist.md
Expand Up @@ -10,18 +10,18 @@ Here's a quick reference you can use to ensure successful implementation - from

### The Basics

1. Start by [importing a file](../../connecting_your_tools/import_scan_files/import_scan_ui) using the UI. This is generally the quickest way to see how your data fits into the DefectDojo model. (note: OS users will need to set up a Product Type and Product before they can import data)
1. Start by [importing a file](/en/connecting_your_tools/import_scan_files/import_scan_ui) using the UI. This is generally the quickest way to see how your data fits into the DefectDojo model. (note: OS users will need to set up a Product Type and Product before they can import data)

2. Now that you have data in DefectDojo, learn more about how to organize it with the [Product Hierarchy Overview](../../working_with_findings/organizing_engagements_tests/product-hierarchy-overview). The Product Hierarchy creates a working inventory of your apps, which helps you divide your data up into logical categories. These categories can be used to apply access control rules, or to segement your reports to the correct team.
2. Now that you have data in DefectDojo, learn more about how to organize it with the [Product Hierarchy Overview](/en/working_with_findings/organizing_engagements_tests/product_hierarchy). The Product Hierarchy creates a working inventory of your apps, which helps you divide your data up into logical categories. These categories can be used to apply access control rules, or to segement your reports to the correct team.

3. Try [creating a Report](../../pro_reports/using-the-report-builder/) to summarize the data you've imported. Reports can be used to quickly share Findings with stakeholders such as Product Owners.
3. Try [creating a Report](/en/pro_reports/using_the_report_builder/) to summarize the data you've imported. Reports can be used to quickly share Findings with stakeholders such as Product Owners.

This is the essence of DefectDojo - import security data, organize it, and present it to the folks who need to know.

All of these features can be automated, and because DefectDojo can handle over 190 tools (at time of writing) you should be all set to create a functional security inventory of your entire organizational output.

### Other guides

- Does your organization use Jira? Learn how to use our [Jira integration](../jira_integration/Connect%20DefectDojo%20to%20Jira.md) to create Jira tickets from the data you ingest.
- Are you expecting to share DefectDojo with many users in your organization? Check out our guides to [user management](../user_management/about-permissions-roles) and set up role-based access control (RBAC).
- Ready to dive into automation? Learn how to use the [DefectDojo API](../connecting_your_tools/import_scan_files/api_pipeline_modelling) to automatically import new data, and build a robust CI / CD pipeline.
- Does your organization use Jira? Learn how to use our [Jira integration](/en/jira_integration/connect_to_jira) to create Jira tickets from the data you ingest.
- Are you expecting to share DefectDojo with many users in your organization? Check out our guides to [user management](/en/user_management/about_perms_and_roles/) and set up role-based access control (RBAC).
- Ready to dive into automation? Learn how to use the [DefectDojo API](/en/connecting_your_tools/import_scan_files/api_pipeline_modelling) to automatically import new data, and build a robust CI / CD pipeline.
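Review bot: the rewritten step 2 still carries the typo "segement" ("segement your reports to the correct team"); since the line is being replaced anyway, change it to "segment". Two smaller consistency points in the same hunk: the new report-builder link ends with a trailing slash (`/en/pro_reports/using_the_report_builder/`) while the other rewritten links do not, and "OS users" in step 1 would be clearer spelled out as open-source users so it is not misread as operating system.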
4 changes: 2 additions & 2 deletions docs/content/en/connecting_your_tools/connectors/_index.md
@@ -1,11 +1,11 @@
---
title: "Set Up API Connectors"
title: "API Connectors"
description: "Seamlessly connect DefectDojo to your security tools suite"
summary: ""
date: 2023-09-07T16:06:50+02:00
lastmod: 2023-09-07T16:06:50+02:00
draft: false
weight: 2
weight: 3
chapter: true
sidebar:
collapsed: true
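Review bot: `lastmod` is left at `2023-09-07T16:06:50+02:00` although this front matter is being edited; bump it so the page's last-modified date reflects the change. The `weight` change from 2 to 3 also reorders the sidebar, so it is worth confirming that no sibling section already uses weight 3, since the other `_index.md` files are not part of this diff.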
Expand Up @@ -17,6 +17,8 @@ seo:
pro-feature: true
---

<span style="background-color:rgba(242, 86, 29, 0.3)">Note: Connectors are a DefectDojo Pro-only feature.</span>

DefectDojo allows users to build sophisticated API integrations, and gives users full control over how their vulnerability data is organized.

But everyone needs a starting point, and that's where Connectors come in. Connectors are designed to get your security tools connected and importing data to DefectDojo as quickly as possible.
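Review bot: the Pro-only banner is raw HTML (`<span style="background-color:rgba(242, 86, 29, 0.3)">`) pasted into markdown, so it only renders if the site's markdown renderer permits inline HTML, and the identical line is duplicated in the other connector pages of this PR; a single site shortcode or include keyed off the `pro-feature: true` front-matter value already visible in this hunk's context would keep the styling in one place.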
Expand All @@ -39,9 +41,9 @@ These Connectors provide an API\-speed integration with DefectDojo, and can be u

If you're using DefectDojo's **Auto\-Map** settings, you can have your first Connector up and running in no time.

1. Set up a [Connector](https://docs.defectdojo.com/en/connecting_your_tools/connectors/add_edit_connectors/) from a supported tool.
2. [Discover](https://docs.defectdojo.com/en/connecting_your_tools/connectors/operations_discover/) your tool's data hierarchy.
3. [Sync](https://docs.defectdojo.com/en/connecting_your_tools/connectors/operations_sync/) the vulnerabilities found with your tool into DefectDojo.
1. Set up a [Connector](../add_edit_connectors/) from a supported tool.
2. [Discover](../manage_operations/#discover-operations) your tool's data hierarchy.
3. [Sync](../operations_sync/#sync-operations) the vulnerabilities found with your tool into DefectDojo.

That's all, really! And remember, even if you create your Connector the 'easy' way, you can easily change the way things are set up later, without losing any of your work.

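Review bot: the rewritten step 3 links to `../operations_sync/#sync-operations`, while step 2 now points at `../manage_operations/#discover-operations` and the Next Steps section of this same file links "Running Operations" to `../manage_operations/`; if the sync page was folded into `manage_operations` alongside discover, step 3 should become `../manage_operations/#sync-operations`, otherwise it is a dangling link after this rename. Please verify which page actually exists.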
Expand All @@ -59,10 +61,10 @@ When you're ready to add more tools to DefectDojo, you can easily rearrange your

## My Connector isn't supported

Fortunately, DefectDojo can still handle manual import for a wide range of security tools. Please see our [Supported Tool List](https://docs.defectdojo.com/en/connecting_your_tools/parsers/), as well as our guide to Importing data.
Fortunately, DefectDojo can still handle manual import for a wide range of security tools. Please see our [Supported Tool List](../../parsers/), as well as our guide to Importing data.

# **Next Steps**

* Check out the Connectors page by switching to DefectDojo's **Beta UI**.
* Follow our guide to [create your first Connector](https://docs.defectdojo.com/en/connecting_your_tools/connectors/add_edit_connectors/).
* Check out the process of [Discovering \& Mapping](https://docs.defectdojo.com/en/connecting_your_tools/connectors/operations_discover/) your security tools and see how they can be configured to import data.
* Follow our guide to [create your first Connector](../add_edit_connectors/).
* Check out the process of [Running Operations](../manage_operations/) with your Connected security tools and see how they can be configured to import data.
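Review bot: `# **Next Steps**` is a bold level-1 heading, whereas the other page touched by this PR uses a plain `## Next Steps`; since this hunk is already editing the section, align it with the level-2 form so the heading hierarchy stays consistent. Also, "our guide to Importing data" in the "My Connector isn't supported" paragraph is mentioned but not linked while the adjacent Supported Tool List is; consider linking it as well.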
Expand Up @@ -3,21 +3,24 @@ title: "Add or Edit a Connector"
description: "Connect to a supported security tool"
---

<span style="background-color:rgba(242, 86, 29, 0.3)">Note: Connectors are a DefectDojo Pro-only feature.</span>

The process for adding and configuring a connector is similar, regardless of the tool you’re trying to connect. However, certain tools may require you to create API keys or complete additional steps.

Before you begin this process, we recommend checking our [tool-specific reference](https://docs.defectdojo.com/en/connecting_your_tools/connectors/connectors_tool_reference/) to find the API resources for the tool you're trying to connect.
Before you begin this process, we recommend checking our [Tool-Specific Reference](../connectors_tool_reference/) to find the API resources for the tool you're trying to connect.

1. If you haven't already, start by **switching to the Beta UI** in DefectDojo.
2. From the left\-side menu, click on the **API Connectors** menu item. This is nested under the **Import** header.
![image](images/add_edit_connectors.png)

3. Choose a new Connector you want to add to DefectDojo in **Available Connections**, and click the **Add Configuration** underneath the tool.
You can also edit an existing Connection under the **Configured Connections** header. Click **Manage Configuration \> Edit Configuration** for the Configured Connection you want to Edit.
![image](images/add_edit_connectors_2.png)

4. You will need an accessible URL **Location** for the tool, along with an API **Secret** key. The location of the API key will depend on the tool you are trying to configure. See our [Tool\-Specific Reference](https://docs.defectdojo.com/en/connecting_your_tools/connectors/connectors_tool_reference/) for more details.
4. You will need an accessible URL **Location** for the tool, along with an API **Secret** key. The location of the API key will depend on the tool you are trying to configure. See our [Tool\-Specific Reference](../connectors_tool_reference/) for more details.
5. Set a **Label** for this connection to help you identify it in DefectDojo.
Expand All @@ -31,4 +34,4 @@ You can also edit an existing Connection under the **Configured Connections** he

## Next Steps

* Now that you've added a connector, you can confirm everything is set up correctly by running a [Discover](https://docs.defectdojo.com/en/connecting_your_tools/connectors/operations_discover/) operation.
* Now that you've added a connector, you can confirm everything is set up correctly by running a [Discover](../manage_operations/#discover-operations) operation.
@@ -1,58 +1,42 @@
---
title: "Tool-Specific API Reference (Connectors)"
title: "Tool-Specific Connector Setup"
description: "Our list of supported Connector tools, and how to set them up with DefectDojo"
---

When setting up a Connector for a supported tool, you'll need to give DefectDojo specific information related to the tool's API. At a base level, you'll need:
<span style="background-color:rgba(242, 86, 29, 0.3)">Note: Connectors are a DefectDojo Pro-only feature.</span>

When setting up a Connector for a supported tool, you'll need to give DefectDojo specific information related to the tool's API. At a base level, you'll need:

* **Location** \-a field whichgenerallyrefers to your tool's URL in your network,
* **Secret** \- generally an API key.

Some tools will require additional API\-related fields beyond **Location** and **Secret**. They may also require you to make changes on their side to accommodate an incoming Connector from DefectDojo.



![image](images/connectors_tool_reference.png)
Each tool has different API requirements, and this guide is intended to help you set up the tool's API so that DefectDojo can connect.


Each tool has a different API configuration, and this guide is intended to help you set up the tool's API so that DefectDojo can connect.

Whenever possible, we recommend creating a new 'DefectDojo Bot' account within your Security Tool which will only be used by the Connector. This will help you better differentiate between actions manually taken by your team, and automated actions taken by the Connector.




# **Supported Connectors**



## **AWS Security Hub**


The AWS Security Hub connector uses an AWS access key to interact with the Security Hub APIs.


#### Prerequisites


Rather than use the AWS access key from a team member, we recommend creating an IAM User in your AWS account specifically for DefectDojo, with that user's permissions limited to those necessary for interacting with Security Hub.



AWS's "**[AWSSecurityHubReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSecurityHubReadOnlyAccess.html)**policy" provides the required level of access for a connector. If you would like to write a custom policy for a Connector, you will need to include the following permissions:


* [DescribeHub](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeHub.html)
* [GetFindingAggregator](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindingAggregator.html)
* [GetFindings](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindings.html)
* [ListFindingAggregators](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListFindingAggregators.html)

A working policy definition might look like the following:




```
{
"Version": "2012-10-17",
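Review bot: the unchanged context line `* **Location** \-a field whichgenerallyrefers to your tool's URL in your network,` is missing the spaces between "which", "generally" and "refers", and `**[AWSSecurityHubReadOnlyAccess](...)**policy` lacks a space before "policy"; since this hunk rewrites the surrounding intro, fix both while here. Two smaller points: the policy example opens with a bare triple-backtick fence and would benefit from a `json` tag, and only one of the two near-duplicate sentences ("Each tool has different API requirements..." / "Each tool has a different API configuration...") should survive in the result.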
Expand All @@ -72,93 +56,63 @@ A working policy definition might look like the following:
}
```


**Please note:** we may need to use additional API actions in the future to provide the best possible experience, which will require updates to this policy.


Once you have created your IAM user and assigned it the necessary permissions using an appropriate policy/role, you will need to generate an access key, which you can then use to create a Connector.



#### Connector Mappings


1. Enter the appropriate [AWS API Endpoint for your region](https://docs.aws.amazon.com/general/latest/gr/sechub.html#sechub_region) in the **Location** field**:** for example, to retrieve results from the `us-east-1` region, you would supply


`https://securityhub.us-east-1.amazonaws.com`
2. Enter a valid **AWS Access Key** in the **Access Key** field.
3. Enter a matching **Secret Key** in the **Secret Key** field.

DefectDojo can pull Findings from more than one region using Security Hub's **cross\-region aggregation** feature. If [cross\-region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html) is enabled, you should supply the API endpoint for your "**Aggregation Region**". Additional linked regions will have ProductRecords created for them in DefectDojo based on your AWS account ID and the region name.




## **BurpSuite**


DefectDojo’s Burp connector calls Burp’s GraphQL API to fetch data.


#### Prerequisites



Before you can set up this connector, you will need an API key from a Burp Service Account. Burp user accounts don’t have API keys by default, so you may need to create a new user specifically for this purpose.



See [Burp Documentation](https://portswigger.net/burp/documentation/enterprise/user-guide/api-documentation/create-api-user) for a guide on setting up a Service Account user with an API key.


#### Connector Mappings


1. Enter Burp’s root URL in the **Location** field: this is the URL where you access the Burp tool.
2. Enter a valid API Key in the Secret field. This is the API key associated with your Burp Service account.

See the official [Burp documentation](https://portswigger.net/burp/extensibility/enterprise/graphql-api/index.html) for more information on the Burp API.




## **Checkmarx ONE**


DefectDojo's Checkmarx ONE connector calls the Checkmarx API to fetch data.


#### **Connector Mappings**


1. Enter your **Tenant Name** in the **Checkmarx Tenant** field. This name should be visible on the Checkmarx ONE login page in the top\-right hand corner:
" Tenant: \<**your tenant name**\> "


![image](images/connectors_tool_reference_2.png)

2. Enter a valid API key. You may need to generate a new one: see [Checkmarx API Documentation](https://docs.checkmarx.com/en/34965-68618-generating-an-api-key.html#UUID-f3b6481c-47f4-6cd8-9f0d-990896e36cd6_UUID-39ccc262-c7cb-5884-52ed-e1692a635e08) for details.
3. Enter your tenant location in the **Location** field. This URL is formatted as follows:
​`https://<your-region>.ast.checkmarx.net/` . Your Region can be found at the beginning of your Checkmarx URL when using the Checkmarx app. **<https://ast.checkmarx.net>** is the primary US server (which has no region prefix).


## Dependency\-Track


This connector fetches data from a on\-premise Dependency\-Track instance, via REST API.



​**Connector Mappings**


1. Enter your local Dependency\-Track server URL in the **Location** field.
2. Enter a valid API key in the **Secret** field.

To generate a Dependency\-Track API key:


1. **Access Management**: Navigate to Administration \> Access Management \> Teams in the Dependency\-Track interface.
2. **Teams Setup**: You can either create a new team or select an existing one. Teams allow you to manage API access based on group membership.
3. **Generate API Key**: In the selected team's details page, find the "API Keys" section. Click the \+ button to generate a new API key.
Expand All @@ -167,102 +121,67 @@ To generate a Dependency\-Track API key:

For more information, see **[Dependency\-Track Documentation](https://docs.dependencytrack.org/integrations/rest-api/)**.




## Probely


This connector uses the Probely REST API to fetch data.



​**Connector Mappings**


1. Enter the appropriate API server address in the **Location** field. (either <https://api.us.probely.com/> or <https://api.eu.probely.com/> )
2. Enter a valid API key in the **Secret** field.

You can find an API key under the User \> API Keys menu in Probely.
See [Probely documentation](https://help.probely.com/en/articles/8592281-how-to-generate-an-api-key) for more info.




## **SemGrep**


This connector uses the SemGrep REST API to fetch data.


#### Connector Mappings


Enter https://semgrep.dev/api/v1/in the **Location** field.


1. Enter a valid API key in the **Secret** field. You can find this on the Tokens page:
"Settings" in the left navbar \> Tokens \> Create new token ([https://semgrep.dev/orgs/\-/settings/tokens](https://semgrep.dev/orgs/-/settings/tokens))

See [SemGrep documentation](https://semgrep.dev/docs/semgrep-cloud-platform/semgrep-api/#tag__badge-list) for more info.




## SonarQube


The SonarQube Connector can fetch data from either a SonarCloud account or from a local SonarQube instance.



**For SonarCloud users:**


1. Enter https://sonarcloud.io/ in the Location field.
2. Enter a valid **API key** in the Secret field.

**For SonarQube (on\-premise) users:**


1. Enter the base url of your SonarQube instance in the Location field: for example `https://my.sonarqube.com/`
2. Enter a valid **API key** in the Secret field. This will need to be a **[User](https://docs.sonarsource.com/sonarqube/latest/user-guide/user-account/generating-and-using-tokens/)** [API Token Type](https://docs.sonarsource.com/sonarqube/latest/user-guide/user-account/generating-and-using-tokens/).

API tokens can be found and generated via **My Account \-\> Security \-\> Generate Token** in the SonarQube app. For more information, [see SonarQube documentation](https://docs.sonarsource.com/sonarqube/latest/user-guide/user-account/generating-and-using-tokens/).




## **Snyk**


The Snyk connector uses the Snyk REST API to fetch data.


#### Connector Mappings


1. Enter **[https://api.snyk.io/rest](https://api.snyk.io/v1)** or **[https://api.eu.snyk.io/rest](https://api.eu.snyk.io/v1)** (for a regional EU deployment) in the **Location** field.
2. Enter a valid API key in the **Secret** field. API Tokens are found on a user's **[Account Settings](https://docs.snyk.io/getting-started/how-to-obtain-and-authenticate-with-your-snyk-api-token)** [page](https://docs.snyk.io/getting-started/how-to-obtain-and-authenticate-with-your-snyk-api-token) in Snyk.

See the [Snyk API documentation](https://docs.snyk.io/snyk-api) for more info.




## Tenable


The Tenable connector uses the **Tenable.io** REST API to fetch data.


On\-premise Tenable Connectors are not available at this time.


#### **Connector Mappings**


1. Enter <https://cloud.tenable.com> in the Location field.
2. Enter a valid **API key** in the Secret field.

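Review bot: in the Snyk section the link text reads `https://api.snyk.io/rest` (and `https://api.eu.snyk.io/rest`) but the href still targets `https://api.snyk.io/v1` / `https://api.eu.snyk.io/v1`; text and target should agree, otherwise a reader copying the link gets the v1 base rather than the REST base the text names. Smaller points in the same hunk: "Enter https://semgrep.dev/api/v1/in the **Location** field" is missing a space before "in"; the Dependency-Track and Probely sections use a bold `**Connector Mappings**` line (preceded by an invisible zero-width character) where every other section uses a `#### Connector Mappings` heading; and the AWS endpoint example `https://securityhub.us-east-1.amazonaws.com` is separated from its numbered item by blank lines, which breaks the list numbering in most markdown renderers.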