DefectDojo · Maffooch · May 18, 2026 · May 11, 2026 · May 11, 2026 · May 11, 2026
@@ -68,7 +68,6 @@ jobs:
           "tests/tool_type_test.py",
           "tests/user_profile_test.py",
           "tests/user_test.py",
-          # "tests/import_scanner_test.py",
           # "tests/zap.py",
         ]
         os: [debian]

@@ -44,6 +44,36 @@ jobs:
       - name: Check internal links
         uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2
         with:
-          args: --offline --no-progress --root-dir docs/public './docs/public/**/*.html'
+          # --remap makes lychee resolve absolute docs.defectdojo.com URLs against
+          # the freshly built site, so absURL-rendered links (e.g. nav menu items)
+          # are verified as 404s instead of being skipped as remote URLs.
+          args: >-
+            --offline --no-progress
+            --root-dir ${{ github.workspace }}/docs/public
+            --remap "https://docs.defectdojo.com file://${{ github.workspace }}/docs/public"
+            './docs/public/**/*.html'
           fail: true
 
+      - name: Check in-app docs help links
+        # Find every file under dojo/ that hardcodes a docs.defectdojo.com URL
+        # (templates, settings, etc.) and check those links against the freshly
+        # built site. --remap turns the absolute docs URLs into local file lookups;
+        # --exclude '%7[BD]' drops URL-encoded Django template tags ({% ... %})
+        # so only real external docs URLs are checked. lychee is on $PATH from
+        # the previous lychee-action step.
+        run: |
+          set -euo pipefail
+          mapfile -t files < <(grep -rl 'docs\.defectdojo\.com' dojo/ \
+            --include='*.html' --include='*.py' --include='*.tpl')
+          if [ "${#files[@]}" -eq 0 ]; then
+            echo "No files reference docs.defectdojo.com — pattern is stale." >&2
+            exit 1
+          fi
+          printf 'Checking in-app docs links in:\n'
+          printf '  %s\n' "${files[@]}"
+          lychee --offline --no-progress \
+            --root-dir "${GITHUB_WORKSPACE}/docs/public" \
+            --remap "https://docs.defectdojo.com file://${GITHUB_WORKSPACE}/docs/public" \
+            --exclude '%7[BD]' \
+            "${files[@]}"
+
@@ -67,7 +67,8 @@ RUN \
 	--no-cache-dir \
 	--no-index \
   --find-links=/tmp/wheels \
-  -r ./requirements.txt
+  -r ./requirements.txt && \
+  apt-get -y purge --auto-remove git
 
 COPY \
   docker/entrypoint-celery-beat.sh \

@@ -274,13 +274,6 @@ else
     # The below tests are commented out because they are still an unstable work in progress
     ## Once Ready they can be uncommented.
 
-    # echo "Import Scanner integration test"
-    # if python3 tests/import_scanner_test.py ; then
-    #     echo "Success: Import Scanner integration tests passed"
-    # else
-    #     echo "Error: Import Scanner integration test failed"; exit 1
-    # fi
-
     # echo "Zap integration test"
     # if python3 tests/zap.py ; then
     #     echo "Success: zap integration tests passed"

@@ -15,7 +15,7 @@
 
 [[main]]
   name = "Model Your Assets"
-  url = "/asset_modelling/hierarchy/pro__assets_organizations/"
+  url = "/asset_modelling/pro_hierarchy/assets_organizations/"
   weight = 13
 
 [[main]]

@@ -41,6 +41,19 @@ DefectDojo can use the SAML assertion to automatically assign users to [User Gro
 
 The **Group Name Attribute** field specifies which attribute in the SAML assertion contains the user's group memberships. When a user logs in, DefectDojo reads this attribute and assigns the user to any matching groups. To limit which groups from the assertion are considered, use the **Group Limiter Regex Expression** field.
 
+The value must match the attribute name your Identity Provider emits in the assertion exactly, including any namespace prefix. A short, friendly name like `groups` will only work if your IdP is configured to emit that literal attribute name — many IdPs use a fully qualified claim URI instead.
+
+### Group Name Attribute by Identity Provider
+
+| Identity Provider | Default attribute name to use |
+|---|---|
+| **Entra ID / Azure AD** | `http://schemas.microsoft.com/ws/2008/06/identity/claims/groups` |
+| **Okta** | `groups` (the attribute name you configured on the SAML app's Group Attribute Statement) |
+| **Keycloak** | `groups` (or whatever you set as the "SAML Attribute Name" on the Group List mapper) |
+| **PingFederate / generic** | Whatever value you configured on the IdP side — check your IdP's assertion before assuming `groups` |
+
+If group mapping appears to do nothing — users log in successfully but no groups are created or assigned — the most common cause is a mismatch between this field and the attribute name your IdP is actually sending. Enable **Enable SAML Debugging** (see [Additional Options](#additional-options)) to see the raw attributes coming back from the IdP.
+
 If no group with a matching name exists, DefectDojo will automatically create one. Note that a newly created group will not have any permissions configured — those can be set later by a Superuser.
 
 To activate group mapping, check the **Enable Group Mapping** checkbox at the bottom of the form.

@@ -0,0 +1,41 @@
+---
+title: "Creating a new user"
+description: "How to onboard a new user onto your DefectDojo instance"
+audience: opensource
+weight: 1
+---
+
+This page describes the recommended onboarding workflow for adding new users to a DefectDojo instance.  DefectDojo users can be used as both standard, human-operated accounts and as service accounts.
+
+The admin who creates the account is responsible for delivering the initial credentials (username and password) to the new user.
+
+## Recommended workflow
+
+1. **Create the user account** in DefectDojo (Superuser only):
+   * Navigate to **👤 Users → Users** to open the All Users table.
+   * Click the 🛠️ (crossed wrench and screwdriver) icon.
+   * Enter the new user's name and email address.
+   * Set a temporary password.
+   * Submit the form.
+
+2. **Assign permissions** as appropriate — Product/Product Type membership, Configuration Permissions, Global Role, or Superuser status. See [Set a User's permissions](../set_user_permissions/) for details. A new user with no assignments will not be able to see any Products or Findings.
+
+3. **Send the credentials to the new user out-of-band** (over email, your team's chat tool, or however you normally share secrets). Include:
+   * The DefectDojo instance URL.
+   * The username (typically their email address).
+   * The temporary password you just set.
+   * A note that they should change the password and enable MFA (if your instance uses MFA) on first login.
+
+4. **The new user logs in and rotates the credential.** They can either:
+   * Log in with the temporary password and then change it from their profile menu, or
+   * Use the **I forgot my password** link on the login page to set a password directly without using the temporary one. The temporary password is still required for the initial account record to exist, but the user does not need to remember it if they use the password-reset flow.
+
+5. **The new user configures MFA** from their profile menu. We strongly recommend requiring MFA for all users on instances that aren't behind SSO.
+
+## SSO Users
+
+If your instance is configured with [SSO](../configure_sso/), the workflow is different — users are typically created on first login from the Identity Provider, and you only need to grant them group membership or roles afterwards.
+
+## Recovering from a lost MFA token
+
+If a user loses access to their MFA device, see the [MFA recovery section](/get_started/pro/cloud/connectivity-troubleshooting/#ive-lost-access-to-my-mfa-codes) of the connectivity troubleshooting guide. There is currently no way to remove MFA from an account without an MFA code — the workaround is to create a new account for the user and re-grant the same permissions.
@@ -0,0 +1,40 @@
+---
+title: "Creating a new user"
+description: "How to onboard a new user onto your DefectDojo instance"
+audience: pro
+weight: 1
+---
+
+This page describes the recommended onboarding workflow for adding new users to a DefectDojo instance.  DefectDojo users can be used as both standard, human-operated accounts and as service accounts.
+
+The admin who creates the account is responsible for delivering the initial credentials (username and password) to the new user.
+
+## Recommended workflow
+
+1. **Create the user account** in DefectDojo (Superuser only):
+   * Navigate to **👤 Users → ➕ New User**.
+   * Enter the new user's name and email address.
+   * Set a temporary password.
+   * Submit the form.
+
+2. **Assign permissions** as appropriate — Product/Product Type membership, Configuration Permissions, Global Role, or Superuser status. See [Set a User's permissions](../set_user_permissions/) for details. A new user with no assignments will not be able to see any Products or Findings.
+
+3. **Send the credentials to the new user out-of-band** (over email, your team's chat tool, or however you normally share secrets). Include:
+   * The DefectDojo instance URL.
+   * The username (typically their email address).
+   * The temporary password you just set.
+   * A note that they should change the password and enable MFA (if your instance uses MFA) on first login.
+
+4. **The new user logs in and rotates the credential.** They can either:
+   * Log in with the temporary password and then change it from their profile menu, or
+   * Use the **I forgot my password** link on the login page to set a password directly without using the temporary one. The temporary password is still required for the initial account record to exist, but the user does not need to remember it if they use the password-reset flow.
+
+5. **The new user configures MFA** from their profile menu. We strongly recommend requiring MFA for all users on instances that aren't behind SSO.
+
+## SSO Users
+
+If your instance is configured with [SSO](../configure_sso/), the workflow is different — users are typically created on first login from the Identity Provider, and you only need to grant them group membership or roles afterwards.
+
+## Recovering from a lost MFA token
+
+If a user loses access to their MFA device, see the [MFA recovery section](/get_started/pro/cloud/connectivity-troubleshooting/#ive-lost-access-to-my-mfa-codes) of the connectivity troubleshooting guide. There is currently no way to remove MFA from an account without an MFA code — the workaround is to create a new account for the user and re-grant the same permissions.
@@ -0,0 +1,68 @@
+---
+title: "Components"
+description: "Tracking third-party libraries and software components in DefectDojo Pro"
+audience: pro
+weight: 1
+---
+
+In DefectDojo, Components represent third-party libraries, software components, and modules that potentially have vulnerabilities.
+
+
+## Component Views
+
+DefectDojo Pro includes a dedicated table view for Components, which can be found in the sidebar.  This view shows Active Findings, Duplicate Findings, and Total Findings for each Component.  These figures include all Assets on the DefectDojo instance.
+
+An individual Asset's Components can be seen on the Asset view.
+
+## The Component Table
+
+The Component Table displays the following columns:
+
+* **Component** — the name of the component, populated from scan data.
+* **Version** — the component version, populated from scan data.
+* **Active Findings** — count of Active Findings associated with the component.
+* **Duplicate Findings** — count of Duplicate Findings associated with the component.
+* **Total Findings** — total count of all Findings associated with the component.
+
+Clicking on the Component Name or the values for Active Findings, Duplicate Findings, or Total Findings opens a filtered list of Findings for the respective field.
+
+A **None** Component is displayed on the table, which shows all Findings that are not associated with any Component.
+
+Imported Components remain on the table even if all of their associated Findings are Mitigated. When Findings are imported for a specific Component, the Component Table is updated to accurately reflect the new Finding totals.
+
+
+### Example
+
+A Component imported from a Dependency-Check scan against an application with a vulnerable `lodash` dependency might appear on the table as:
+
+| Component | Version | Active Findings | Duplicate Findings | Total Findings |
+| --- | --- | --- | --- | --- |
+| npm:lodash | 4.17.15 | 3 | 1 | 5 |
+
+Clicking `npm:lodash` opens the list of every Finding that references this Component. Clicking `3` opens the same list filtered to Active Findings only.
+
+## Adding Components
+
+Components can be parsed from a scan import or by manually editing a Finding. Once a Component Name is associated with a Finding, a corresponding entry will be added to the Component Table automatically. If the Component is already associated with other Findings in DefectDojo, the totals for Active Findings, Duplicate Findings, and Total Findings are updated accordingly.
+
+### How Components are Parsed from Scan Data
+
+When a scan is imported, parsers populate the **Component Name** and **Component Version** fields on each Finding from the scan output. The Component Table is then built from those values. The level of detail and the naming convention depend on the tool that produced the scan:
+
+* **Software Composition Analysis (SCA) tools** typically report a package name and exact version. For example, OWASP Dependency-Check derives the Component from the [Package URL](https://github.com/package-url/purl-spec) in its identifier — a `pkg:npm/lodash@4.17.15` purl becomes `Component Name: npm:lodash`, `Component Version: 4.17.15`.
+* **Container and OS package scanners** such as Trivy, Anchore Grype, and Anchore Engine report the affected OS or language package — for example, `Component Name: curl`, `Component Version: 7.68.0`.
+* **Language-specific dependency scanners** such as npm Audit, pip-audit, bundler-audit, Retire.js, Govulncheck, and OSV-Scanner populate the offending package and version from their respective ecosystem manifests.
+
+Scanners focused on configuration, infrastructure, or source-code logic (such as SAST and IaC tools) generally do not populate the Component fields, and their Findings appear under the **None** Component.
+
+To add or change a Component manually, edit the Finding and set the **Component Name** and **Component Version** fields directly. The Component Table updates as soon as the Finding is saved.
+
+## Updating Components
+
+To update a Component Name or Version, all Findings associated with the Component must have their Component Name or Component Version field updated.
+
+## Removing Components
+
+To remove a Component from the Component Table, all Findings associated with the Component must be updated to remove their Component Name and Component Version fields. Components are also removed if all of their associated Findings are deleted.
+
+If all of a Component's Findings are Mitigated, the Component remains on the table but its Active Findings value is set to 0.
@@ -0,0 +1,10 @@
+---
+title: "Components & Endpoints"
+date: 2021-02-02T20:46:29+01:00
+draft: false
+type: docs
+weight: 4
+sidebar:
+  collapsed: false
+exclude_search: true
+---
@@ -2,7 +2,7 @@
 title: "Calendar"
 description: "How to use the Calendar in DefectDojo Pro"
 audience: opensource
-weight: 2
+weight: 9
 ---
 
 DefectDojo’s Calendar provides a centralized timeline view of all Engagements and Tests with defined start and end dates, allowing Users to quickly understand testing activity across Products, identify scheduling overlaps, and navigate directly to related objects. 

@@ -2,7 +2,7 @@
 title: "Engagements"
 description: "Understanding Engagements in DefectDojo OS"
 audience: opensource
-weight: 2
+weight: 3
 ---
 Product Types → Products → **ENGAGEMENTS** → Tests → Findings