DefectDojo · rossops · Nov 10, 2025 · Nov 3, 2025 · Nov 3, 2025 · Nov 5, 2025
@@ -22,6 +22,11 @@
     "commitMessageExtra": "from {{currentVersion}} to {{#if isMajor}}v{{{newMajor}}}{{else}}{{#if isSingleVersion}}v{{{newVersion}}}{{else}}{{{newValue}}}{{/if}}{{/if}}",
     "commitMessageSuffix": "({{packageFile}})",
     "labels": ["dependencies"]
+  },{
+    "description": "Update renovate weekly (sundays) - They are releasing new versions too often, so it is a bit noisy, and keeping renovating a bit older does not create vulnerabilities in DD",
+    "matchDatasources": "github-releases",
+    "matchPackageNames": "renovatebot/renovate",
+    "schedule": ["* * * * 0"]
   }],
   "customDatasources": {
     "endoflife-oldest-maintained": {

@@ -107,6 +107,9 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.ref }}
 
       - name: Update values in HELM chart
         if: startsWith(github.head_ref, 'renovate/') || startsWith(github.head_ref, 'dependabot/')

@@ -5,7 +5,7 @@
 
 [[main]]
   name = "Supported Tools"
-  url = "/en/connecting_your_tools/parsers/"
+  url = "/supported_tools/"
   weight = 11
 
 [[main]]

@@ -44,7 +44,7 @@ mainSections = ["docs"]
   bootstrapJavascript = false # false (default) or true
 
   # Nav
-  sectionNav = ["docs", "en"] # ["docs"] (default) or list of sections (e.g. ["docs", "guides"])
+  sectionNav = ["docs", "en", "supported_tools"] # ["docs"] (default) or list of sections (e.g. ["docs", "guides"])
   toTopButton = false # false (default) or true
   breadcrumbTrail = true # false (default) or true
   headlineHash = true # true (default) or false

@@ -46,7 +46,7 @@ Whether you're a Pro or an Open-Source user, we have many resources that can hel
 
 - Our [New User Checklist](../new_user_checklist) covers the fundamentals of setting up your DefectDojo environment and setting up your import, triage and reporting workflows.
 
-- We support a large amount of [security tool integrations](/en/connecting_your_tools/parsers/) to help fit DefectDojo in your DevSecOps program.
+- We support a large amount of [security tool integrations](/supported_tools/) to help fit DefectDojo in your DevSecOps program.
 
 - Our team maintains a [YouTube Channel](https://www.youtube.com/@defectdojo) which hosts tutorials, archived Office Hours events and other content. New subscribers are always welcome!
 

@@ -12,9 +12,7 @@ Here are some frequently asked questions about working with DefectDojo - both in
 
 ### How should I organize my security testing in DefectDojo?
 
-DefectDojo can support any security testing or reporting environment, but to optimize your use of DefectDojo you'll need to make sure things are in the right place.
-
-There's no one-size-fits-all solution for DefectDojo, because everyone's security team and operations look different.  We have a very detailed article on [common use cases](/en/about_defectdojo/examples_of_use/) that has examples of how different organizations apply RBAC and the DefectDojo data model to support their needs.
+While DefectDojo can support any security or testing environment, everyone’s security team and operations look different, so there’s no one-size-fits-all approach to using it. We have a very detailed article on [common use cases](/en/about_defectdojo/examples_of_use) that has examples of how different organizations apply RBAC and the DefectDojo data model to support their needs.
 
 ### What are the recommended workflows for security testing in DefectDojo?
 
@@ -37,7 +35,7 @@ Role and permission assignment generally happens at the Product Type / Product l
 
 ### What tools are supported by DefectDojo?
 
-DefectDojo supports reports from over 200 security tools, both commercial and Open Source.  See our [Parser List](/en/connecting_your_tools/parsers/) for more information on these tools.
+DefectDojo supports reports from over 200 security tools, both commercial and Open Source.  See our [Parser List](/supported_tools/) for more information on these tools.
 
 If you're looking to add a new tool to your suite, we have a list of recommended Open Source tools which you can check out [here](https://defectdojo.com/blog/announcing-the-defectdojo-open-source-security-awards).
 
@@ -56,15 +54,15 @@ For more information on Reimport, see our [article](/en/connecting_your_tools/im
 
 ### How can I troubleshoot Import errors?
 
-DefectDojo supports a wide variety of tools.  If you're seeing inconsistent behavior when importing a report, we recommend checking to see if the file structure matches what the tool is expecting.  See our [Parser List](/en/connecting_your_tools/parsers/) to see if your tool is supported, and check to make sure that the file format matches what the tool expects.  You can also compare the structure to our Unit Tests.
+DefectDojo supports a wide variety of tools.  If you're seeing inconsistent behavior when importing a report, we recommend checking to see if the file structure matches what the tool is expecting.  See our [Parser List](/supported_tools/) to see if your tool is supported, and check to make sure that the file format matches what the tool expects.  You can also compare the structure to our Unit Tests.
 
 **DefectDojo Pro** has a Universal Parser import method which allows you to handle any JSON, CSV or XML file.  **DefectDojo OS** users can write custom parsers for the same purpose.
 
 Finally, third-party report formats have been known to change without warning, and our Open Source community greatly appreciates [PRs and contributions](/en/open_source/contributing/how-to-write-a-parser/) to keep our parsers up to date.
 
 ### How should I handle large scan files?
 
-Importing a large report into DefectDojo can be a lengthy process.  Reports of 2MB contain substantial amounts of data which can take a long time to translate into Findings.  This depends on the security tool's report format itself
+Importing a large report into DefectDojo can be a lengthy process.  Reports of 2MB contain substantial amounts of data which can take a long time to translate into Findings.  This depends on the security tool's report format itself.
 
 Our recommended approach is to break a large report up before import - rather than ingesting a report of **all** a tool's vulnerabilities at once, split them up by software project, application or by another context.  This makes it much easier for DefectDojo to handle and categorize the data, and has the added benefit of proactively organizing your Findings, which makes for more relevant and faster report generation.
 

@@ -70,6 +70,6 @@ Supported tools for Connectors include:
 Are you using an unsupported or customized scanning tool?  Or do you just wish DefectDojo handled a report slightly differently?
 
 Use DefectDojo Pro's Universal Parser to turn any .json or .csv report into an actionable set of Findings, and have DefectDojo parse the data however you like.  
-See our [Universal Parser Guide](/en/connecting_your_tools/parsers/universal_parser/) for more information.
+See our [Universal Parser Guide](/en/connecting_your_tools/universal_parser/) for more information.
 
 ![image](images/universal_parser_3.png)
@@ -63,7 +63,7 @@ When you're ready to add more tools to DefectDojo, you can easily rearrange your
 
 ## My Connector isn't supported
 
-Fortunately, DefectDojo can still handle manual import for a wide range of security tools. Please see our [Supported Tool List](../../parsers/), as well as our guide to Importing data.
+Fortunately, DefectDojo can still handle manual import for a wide range of security tools. Please see our [Supported Tool List](/supported_tools), as well as our guide to Importing data.
 
 # **Next Steps**
 

@@ -921,4 +921,4 @@ If you encounter any issues with these tools, please check the following:
 - Ensure you're using the correct binary for your operating system and CPU architecture.
 - Verify that the API key is set correctly in your environment variables.
 - Check that the DefectDojo URL is correct and accessible.
-- When importing, confirm that the report file exists and is in the supported format for the specified scan type.  You can review the supported scanners for DefectDojo on our [supported tools list](../parsers). 
+- When importing, confirm that the report file exists and is in the supported format for the specified scan type.  You can review the supported scanners for DefectDojo on our [supported tools list](/supported_tools). 
@@ -29,7 +29,7 @@ There are two main ways that DefectDojo can upload Finding reports.
 
 |  | **UI Import** | **API** | **Connectors** <span style="background-color:rgba(242, 86, 29, 0.3)">(Pro)</span> | **Smart Upload**  <span style="background-color:rgba(242, 86, 29, 0.3)">(Pro)</span>|
 | --- | --- | --- | --- | --- |
-| **Supported Scan Types** | All: see [Supported Tools](/en/connecting_your_tools/parsers) | All: see [Supported Tools](/en/connecting_your_tools/parsers) | Snyk, Semgrep, Burp Suite, AWS Security Hub, Probely, Checkmarx, Tenable | Nexpose, NMap, OpenVas, Qualys, Tenable |
+| **Supported Scan Types** | All: see [Supported Tools](/supported_tools/) | All: see [Supported Tools](/supported_tools/) | Snyk, Semgrep, Burp Suite, AWS Security Hub, Probely, Checkmarx, Tenable | Nexpose, NMap, OpenVas, Qualys, Tenable |
 | **Automation?** | Available via API: `/reimport` `/import` endpoints | Triggered from [CLI Importer](../external_tools) or external code | Connectors is inherently automated | Available via API: `/smart_upload_import` endpoint |
 
 ### Product Hierarchy and organization

@@ -6,4 +6,4 @@ description: Tag invalid character cleanup
 ---
 
 ## Tag Formatting Update
-In [2.46.0](../2.46.md) tag validation was added to disallow commas, spaces and quotes in tags. Some parsers were still creating tags with invalid characters. This is fixed in this release and this release will run another data migration to replace any invalid character in tag with an underscore '`_`'.
+In [2.46.0](../2.46) tag validation was added to disallow commas, spaces and quotes in tags. Some parsers were still creating tags with invalid characters. This is fixed in this release and this release will run another data migration to replace any invalid character in tag with an underscore '`_`'.
@@ -0,0 +1,76 @@
+---
+title: "SLA Configuration"
+description: "Configure Service Level Agreements for different Products"
+weight: 2
+---
+
+Each Product in DefectDojo can have its own Service Level Agreement (SLA) configuration, which represents the days your organization has to remediate or otherwise manage a Finding.
+
+SLA can be set based on either **[Finding Severity](/en/working_with_findings/organizing_engagements_tests/product_hierarchy/#findings)** or **[Finding Risk](/en/working_with_findings/finding_priority/)** (in DefectDojo Pro).
+
+![image](images/sla_multiple.png)
+
+SLAs apply a countdown of days to a Finding based on the day that the Finding was created in DefectDojo.  If a Finding is not Closed within the countdown, the Finding will be labeled as in breach of SLA.
+
+## Working with SLAs
+
+You can use SLAs as a way to represent your organizations remediation policies.  You can also use them as a way to prioritize the longest-active, most critical Findings in your DefectDojo instance.  
+
+* You can sort or filter Finding tables by SLA days.
+* SLA violations can be configured to trigger [Notifications](/en/customize_dojo/notifications/about_notifications/) to DefectDojo users assigned to the related Product.
+* In **DefectDojo Pro**, SLA performance is also tracked on the [Executive Insights and Remediation](/en/customize_dojo/dashboards/pro_dashboards/) Metrics Dashboards.
+* SLA compliance can also be used to create custom [Dashboard Tiles](/en/customize_dojo/dashboards/about_custom_dashboard_tiles/#sla-violation-tile) in **DefectDojo Pro**.
+
+### Mitigated Within SLA status
+
+If a Finding is successfully Mitigated by the SLA deadline, the Finding will record a ✅ green check mark in the Mitigated Within SLA column.
+
+![image](images/sla_mitigated_within.png)
+
+If a Finding was Mitigated, but not before the SLA was violated, the Finding will record a ❌ red X in the Mitigated Within SLA column.
+
+### Breaching SLAs
+
+When an SLA for a given Finding is violated (the Finding is not Closed within the SLA timeline) the ✅ green check will switch to a ❌ red X.  The SLA will continue to be tracked with a negative number, to represent how many days the SLA has been breached by.
+
+![image](images/sla_breached.png)
+
+## Managing SLA Configurations (Pro)
+
+In DefectDojo Pro, one or more SLA Configurations are managed under the **Configuration > Service Level Agreements** part of the sidebar.  You can create a **New Service Level Agreement** or work with existing SLA configurations from the **All Service Level Agreements** page.
+
+![image](images/pro_sla_risk.png)
+
+SLA Configurations can only be edited by Superusers or by a user with the corresponding [Configuration Permission](/en/customize_dojo/user_management/user_permission_chart/#configuration-permission-chart).
+
+### Configuring SLA
+
+SLA configurations contain the days assigned to each **Severity** or **Risk** value of DefectDojo.
+
+![image](images/pro_new_sla.png)
+
+Each Service Level Agreement can have a unique name, along with an optional description.
+
+**Restart SLA on Finding Reactivation**: if enabled, this option will start an SLA over when a Finding is Reopened.  Otherwise, the SLA will be based on when the Finding was created.
+
+When editing an SLA, you can choose whether that SLA will use **Severity** or **Risk** as a benchmark for assigning Days To Remediate.  This is done by selecting the related option from the **Service Level configuration Type** section of the form.
+
+From here, you can set the number of days allowed for each **Severity** or **Risk** level.  You can also selectively enforce SLAs; by unchecking the **Enforce ___ Finding Days** you can ignore SLA calculation for those levels of Severity or Risk.
+
+## Apply an SLA Configuration to a Product (Pro)
+
+Newly created Products in DefectDojo will always apply the **Default SLA Configuration**, which can be set to different values if you wish.
+
+If you have SLA configurations, you can choose which of these is applied to your Product from the **Edit Product** form.  
+
+![image](images/pro_sla_product.png)
+
+### SLA Recalculation
+
+Once a new SLA has been selected for a Product, all of the associated Findings' SLAs will need to be recalculated by DefectDojo.  While this process is running, a Product's SLA cannot be changed.
+
+## Notes on SLAs
+
+* SLAs can be optionally restarted once a [Risk Accepted](/en/working_with_findings/findings_workflows/risk_acceptances/) Finding reactivates.  This is set when creating the Risk Acceptance by setting the **Restart SLA Expired** field.
+* Reimporting a Finding does not restart the SLA - SLAs are always calculated from when a Finding was first detected unless **Restart SLA on Finding Reactivation** is enabled.
+* Risk Acceptance expiry or reactivation of a Closed Finding are the only ways to reset or recalculate an SLA for a Finding once it is created (without changing the Product's SLA configuration).
@@ -0,0 +1,37 @@
+---
+title: "Index"
+date: 2021-02-02T20:46:29+01:00
+draft: false
+type: docs
+
+cascade:
+- type: "blog"
+  # set to false to include a blog section in the section nav along with docs
+  toc_root: true
+  _target:
+    path: "/blog/**"
+- type: "docs"
+  _target:
+    path: "/**"
+exclude_search: true
+---
+DefectDojo can parse data from 200+ security reports and counting.
+
+## DefectDojo Pro Methods
+<span style="background-color:rgba(242, 86, 29, 0.3)">DefectDojo Pro</span> users have enhanced methods of import available for certain tools.
+
+**Connectors** allow you to automatically import and sync vulnerabilities from certain tools.
+
+**Smart Upload** allows you to split infrastructure-wide scan files up by component or endpoint, and easily combine those results with other Findings from the same location.
+
+| [Connectors](/en/connecting_your_tools/connectors/about_connectors/): supported tools | [Smart Upload](/en/connecting_your_tools/import_scan_files/smart_upload/): supported tools |
+| --- | --- |
+| AWS Security Hub, BurpSuite, Checkmarx ONE, Dependency-Track, Probely, Semgrep, SonarQube, Snyk, Tenable | Nexpose, NMap, OpenVas, Qualys, Tenable, Wiz | 
+
+# All Supported Tools
+
+All of these listed reports can be ingested via [Import/Reimport](/en/connecting_your_tools/import_intro) methods. This means that they can be imported to both Open-Source and Pro instances using the UI or API.
+
+If your tool is not in this list, there's a good chance that DefectDojo can still import a report from the tool.  Consider the [Generic Findings Import](/supported_tools/parsers/generic_findings_import/) method.
+
+<span style="background-color:rgba(242, 86, 29, 0.3)">DefectDojo Pro</span> users can import any JSON or CSV report using the [Universal Parser](/en/connecting_your_tools/universal_parser).
@@ -1,8 +1,18 @@
 ---
-title: "Supported Report Types"
-description: "DefectDojo has the ability to import scan reports from a large number of security tools."
+title: "Supported Tools"
+date: 2021-02-02T20:46:29+01:00
 draft: false
-weight: 5
+type: docs
+
+cascade:
+- type: "blog"
+  # set to false to include a blog section in the section nav along with docs
+  toc_root: true
+  _target:
+    path: "/blog/**"
+- type: "docs"
+  _target:
+    path: "/**"
 exclude_search: true
 ---
 
@@ -15,14 +25,14 @@ DefectDojo can parse data from 180+ security reports and counting.
 
 **Smart Upload** allows you to split infrastructure-wide scan files up by component or endpoint, and easily combine those results with other Findings from the same location.
 
-| [Connectors](../connectors/about_connectors): supported tools | [Smart Upload](../import_scan_files/smart_upload/): supported tools |
+| [Connectors](/en/connecting_your_tools/connectors/about_connectors/): supported tools | [Smart Upload](/en/connecting_your_tools/import_scan_files/smart_upload/): supported tools |
 | --- | --- |
-| Anchore, AWS Security Hub, BurpSuite, Checkmarx ONE, Dependency-Track, Probely, Semgrep, SonarQube, Snyk, Tenable | Nexpose, NMap, OpenVas, Qualys, Tenable, Wiz | 
+| AWS Security Hub, BurpSuite, Checkmarx ONE, Dependency-Track, Probely, Semgrep, SonarQube, Snyk, Tenable | Nexpose, NMap, OpenVas, Qualys, Tenable, Wiz | 
 
 # All Supported Tools
 
-All of these listed reports can be ingested via [Import/Reimport](../import_intro) methods. This means that they can be imported to both Open-Source and Pro instances using the UI or API.
+All of these listed reports can be ingested via [Import/Reimport](/en/connecting_your_tools/import_intro) methods. This means that they can be imported to both Open-Source and Pro instances using the UI or API.
 
-If your tool is not in this list, there's a good chance that DefectDojo can still import a report from the tool.  Consider the [Generic Findings Import](./generic_findings_import/) method.
+If your tool is not in this list, there's a good chance that DefectDojo can still import a report from the tool.  Consider the [Generic Findings Import](/supported_tools/parsers/generic_findings_import/) method.
 
-<span style="background-color:rgba(242, 86, 29, 0.3)">DefectDojo Pro</span> users can import any JSON or CSV report using the [Universal Parser](./universal_parser).
+<span style="background-color:rgba(242, 86, 29, 0.3)">DefectDojo Pro</span> users can import any JSON or CSV report using the [Universal Parser](/en/connecting_your_tools/universal_parser).