DefectDojo · paulOsinski · Mar 4, 2026 · Mar 4, 2026 · Mar 4, 2026 · Mar 4, 2026
@@ -40,3 +40,10 @@ jobs:
           HUGO_ENVIRONMENT: production
           HUGO_ENV: production
         run: cd docs && npm ci && hugo --minify --gc --config config/production/hugo.toml
+
+      - name: Check internal links
+        uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2
+        with:
+          args: --offline --no-progress --root-dir docs/public './docs/public/**/*.html'
+          fail: true
+
@@ -5,7 +5,7 @@ weight: 4
 audience: opensource
 ---
 
-Open-Source DefectDojo supports login via Auth0. DefectDojo Pro users should refer to the [Pro Auth0 guide](../PRO__auth0/).
+Open-Source DefectDojo supports login via Auth0. DefectDojo Pro users should refer to the [Pro Auth0 guide](/admin/sso/pro__auth0/).
 
 ## Prerequisites
 

@@ -5,7 +5,7 @@ weight: 6
 audience: opensource
 ---
 
-Open-Source DefectDojo supports login via Azure Active Directory (Azure AD), including automatic User Group synchronization. DefectDojo Pro users should refer to the [Pro Azure AD guide](../PRO__azure_ad/).
+Open-Source DefectDojo supports login via Azure Active Directory (Azure AD), including automatic User Group synchronization. DefectDojo Pro users should refer to the [Pro Azure AD guide](/admin/sso/pro__azure_ad/).
 
 ## Prerequisites
 

@@ -5,7 +5,7 @@ weight: 8
 audience: opensource
 ---
 
-Open-Source DefectDojo supports login via GitHub Enterprise. DefectDojo Pro users should refer to the [Pro GitHub Enterprise guide](../PRO__github_enterprise/).
+Open-Source DefectDojo supports login via GitHub Enterprise. DefectDojo Pro users should refer to the [Pro GitHub Enterprise guide](/admin/sso/pro__github_enterprise/).
 
 ## Prerequisites
 

@@ -5,7 +5,7 @@ weight: 10
 audience: opensource
 ---
 
-Open-Source DefectDojo supports login via GitLab. DefectDojo Pro users should refer to the [Pro GitLab guide](../PRO__gitlab/).
+Open-Source DefectDojo supports login via GitLab. DefectDojo Pro users should refer to the [Pro GitLab guide](/admin/sso/pro__gitlab/).
 
 ## Prerequisites
 

@@ -5,7 +5,7 @@ weight: 12
 audience: opensource
 ---
 
-Open-Source DefectDojo supports login via Google accounts. New users are created automatically on first login if they don't already exist. Existing DefectDojo users are matched to Google accounts by username (the portion before the `@` in their Google email). DefectDojo Pro users should refer to the [Pro Google guide](../PRO__google/).
+Open-Source DefectDojo supports login via Google accounts. New users are created automatically on first login if they don't already exist. Existing DefectDojo users are matched to Google accounts by username (the portion before the `@` in their Google email). DefectDojo Pro users should refer to the [Pro Google guide](/admin/sso/pro__google/).
 
 ## Prerequisites
 

@@ -5,7 +5,7 @@ weight: 14
 audience: opensource
 ---
 
-Open-Source DefectDojo supports login via KeyCloak. DefectDojo Pro users should refer to the [Pro KeyCloak guide](../PRO__keycloak/).
+Open-Source DefectDojo supports login via KeyCloak. DefectDojo Pro users should refer to the [Pro KeyCloak guide](/admin/sso/pro__keycloak/).
 
 This guide assumes you already have a KeyCloak Realm configured. If not, see the [KeyCloak documentation](https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/realms/create.html).
 

@@ -0,0 +1,135 @@
+---
+title: "LDAP Authentication"
+description: "Authenticate users via LDAP by building custom Docker images"
+weight: 20
+audience: opensource
+aliases:
+  - /en/open_source/ldap-authentication
+---
+
+**This feature is experimental, and is not implemented in DefectDojo Pro**.
+
+DefectDojo does not support LDAP authentication out of the box. However, since DefectDojo is built on Django, LDAP can be added by building your own Docker images and modifying a small number of configuration files.
+
+## Files to Modify
+
+- `Dockerfile.django-*`
+- `Dockerfile.nginx-*`
+- `requirements.txt`
+- `local_settings.py`
+- `docker-compose.yml` *(optional — for passing secrets via environment variables)*
+
+## Dockerfile Modifications
+
+In both `Dockerfile.django-alpine` and `Dockerfile.nginx-alpine`, add the following to the `apk add` layer:
+
+```bash
+openldap-dev \
+cyrus-sasl-dev \
+```
+
+In `Dockerfile.django-debian`, add the following to the `apt-get install` layer:
+
+```bash
+libldap2-dev \
+libsasl2-dev \
+ldap-utils \
+```
+
+## requirements.txt
+
+Check [pypi.org](https://pypi.org) for the latest versions at the time of implementation, then add:
+
+```
+python-ldap==3.4.5
+django-auth-ldap==5.2.0
+```
+
+- [python-ldap](https://pypi.org/project/python-ldap/)
+- [django-auth-ldap](https://pypi.org/project/django-auth-ldap/)
+
+## local_settings.py
+
+Find the settings file (see `/dojo/settings/settings.py` for instructions on using `local_settings.py`) and make the following additions.
+
+At the top of the file:
+
+```python
+import ldap
+from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
+import environ
+```
+
+Add LDAP variables to the `env` dict:
+
+```python
+# LDAP
+env = environ.FileAwareEnv(
+    DD_LDAP_SERVER_URI=(str, 'ldap://ldap.example.com'),
+    DD_LDAP_BIND_DN=(str, ''),
+    DD_LDAP_BIND_PASSWORD=(str, ''),
+)
+```
+
+Then add the LDAP settings beneath the `env` dict:
+
+```python
+AUTH_LDAP_SERVER_URI = env('DD_LDAP_SERVER_URI')
+AUTH_LDAP_BIND_DN = env('DD_LDAP_BIND_DN')
+AUTH_LDAP_BIND_PASSWORD = env('DD_LDAP_BIND_PASSWORD')
+
+AUTH_LDAP_USER_SEARCH = LDAPSearch(
+    "ou=Groups,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(uid=%(user)s)"
+)
+
+AUTH_LDAP_USER_ATTR_MAP = {
+    "first_name": "givenName",
+    "last_name": "sn",
+    "email": "mail",
+}
+```
+
+Customise all search variables to match your organisation's LDAP configuration.
+
+### Optional: Group Controls
+
+```python
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+    "dc=example,dc=com",
+    ldap.SCOPE_SUBTREE,
+    "(objectClass=groupOfNames)",
+)
+AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")
+
+AUTH_LDAP_REQUIRE_GROUP = "cn=DD_USER_ACTIVE,ou=Groups,dc=example,dc=com"
+
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+    "is_active": "cn=DD_USER_ACTIVE,ou=Groups,dc=example,dc=com",
+    "is_staff": "cn=DD_USER_STAFF,ou=Groups,dc=example,dc=com",
+    "is_superuser": "cn=DD_USER_ADMIN,ou=Groups,dc=example,dc=com",
+}
+```
+
+Finally, add `django_auth_ldap.backend.LDAPBackend` to `AUTHENTICATION_BACKENDS`:
+
+```python
+AUTHENTICATION_BACKENDS = (
+    'django_auth_ldap.backend.LDAPBackend',
+    'django.contrib.auth.backends.RemoteUserBackend',
+    'django.contrib.auth.backends.ModelBackend',
+)
+```
+
+Full documentation: [Django Authentication with LDAP](https://django-auth-ldap.readthedocs.io/en/latest/)
+
+## docker-compose.yml
+
+To pass LDAP credentials to the container via environment variables, add these to the `uwsgi` service environment section:
+
+```yaml
+DD_LDAP_SERVER_URI: "${DD_LDAP_SERVER_URI:-ldap://ldap.example.com}"
+DD_LDAP_BIND_DN: "${DD_LDAP_BIND_DN:-}"
+DD_LDAP_BIND_PASSWORD: "${DD_LDAP_BIND_PASSWORD:-}"
+```
+
+Alternatively, set these values directly in `local_settings.py`.
@@ -5,7 +5,7 @@ weight: 18
 audience: opensource
 ---
 
-Open-Source DefectDojo supports login via a generic OpenID Connect (OIDC) provider. DefectDojo Pro users should refer to the [Pro OIDC guide](../PRO__oidc/).
+Open-Source DefectDojo supports login via a generic OpenID Connect (OIDC) provider. DefectDojo Pro users should refer to the [Pro OIDC guide](/admin/sso/pro__oidc/).
 
 ## Configuration
 

@@ -5,7 +5,7 @@ weight: 16
 audience: opensource
 ---
 
-Open-Source DefectDojo supports login via Okta. DefectDojo Pro users should refer to the [Pro Okta guide](../PRO__okta/).
+Open-Source DefectDojo supports login via Okta. DefectDojo Pro users should refer to the [Pro Okta guide](/admin/sso/pro__okta/).
 
 ## Prerequisites
 

@@ -7,7 +7,7 @@ aliases:
   - /en/working_with_findings/sla_configuration
 ---
 
-Open-Source DefectDojo supports SAML authentication via environment variables. DefectDojo Pro users should refer to the [Pro SAML guide](../PRO__saml/).
+Open-Source DefectDojo supports SAML authentication via environment variables. DefectDojo Pro users should refer to the [Pro SAML guide](/admin/sso/pro__saml/).
 
 ## Setup
 

@@ -5,7 +5,7 @@ weight: 3
 audience: pro
 ---
 
-DefectDojo Pro supports login via Auth0. Open-Source users should refer to the [Open-Source Auth0 guide](../OS__auth0/).
+DefectDojo Pro supports login via Auth0. Open-Source users should refer to the [Open-Source Auth0 guide](/admin/sso/os__auth0/).
 
 ## Prerequisites
 

@@ -5,7 +5,7 @@ weight: 5
 audience: pro
 ---
 
-DefectDojo Pro supports login via Azure Active Directory (Azure AD), including automatic User Group synchronization. Open-Source users should refer to the [Open-Source Azure AD guide](../OS__azure_ad/).
+DefectDojo Pro supports login via Azure Active Directory (Azure AD), including automatic User Group synchronization. Open-Source users should refer to the [Open-Source Azure AD guide](/admin/sso/os__azure_ad/).
 
 ## Prerequisites
 

@@ -5,7 +5,7 @@ weight: 7
 audience: pro
 ---
 
-DefectDojo Pro supports login via GitHub Enterprise. Open-Source users should refer to the [Open-Source GitHub Enterprise guide](../OS__github_enterprise/).
+DefectDojo Pro supports login via GitHub Enterprise. Open-Source users should refer to the [Open-Source GitHub Enterprise guide](/admin/sso/os__github_enterprise/).
 
 ## Prerequisites
 

@@ -5,7 +5,7 @@ weight: 9
 audience: pro
 ---
 
-DefectDojo Pro supports login via GitLab. Open-Source users should refer to the [Open-Source GitLab guide](../OS__gitlab/).
+DefectDojo Pro supports login via GitLab. Open-Source users should refer to the [Open-Source GitLab guide](/admin/sso/os__gitlab/).
 
 ## Prerequisites
 

@@ -5,7 +5,7 @@ weight: 11
 audience: pro
 ---
 
-DefectDojo Pro supports login via Google accounts. New users are created automatically on first login if they don't already exist. Existing DefectDojo users are matched to Google accounts by username (the portion before the `@` in their Google email). Open-Source users should refer to the [Open-Source Google guide](../OS__google/).
+DefectDojo Pro supports login via Google accounts. New users are created automatically on first login if they don't already exist. Existing DefectDojo users are matched to Google accounts by username (the portion before the `@` in their Google email). Open-Source users should refer to the [Open-Source Google guide](/admin/sso/os__google/).
 
 ## Prerequisites
 

@@ -5,7 +5,7 @@ weight: 13
 audience: pro
 ---
 
-DefectDojo Pro supports login via KeyCloak. Open-Source users should refer to the [Open-Source KeyCloak guide](../OS__keycloak/).
+DefectDojo Pro supports login via KeyCloak. Open-Source users should refer to the [Open-Source KeyCloak guide](/admin/sso/os__keycloak/).
 
 This guide assumes you already have a KeyCloak Realm configured. If not, see the [KeyCloak documentation](https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/realms/create.html).
 

@@ -5,7 +5,7 @@ weight: 17
 audience: pro
 ---
 
-DefectDojo Pro supports login via a generic OpenID Connect (OIDC) provider. Open-Source users should refer to the [Open-Source OIDC guide](../OS__oidc/).
+DefectDojo Pro supports login via a generic OpenID Connect (OIDC) provider. Open-Source users should refer to the [Open-Source OIDC guide](/admin/sso/os__oidc/).
 
 ## Configuration
 

@@ -5,7 +5,7 @@ weight: 15
 audience: pro
 ---
 
-DefectDojo Pro supports login via Okta. Open-Source users should refer to the [Open-Source Okta guide](../OS__okta/).
+DefectDojo Pro supports login via Okta. Open-Source users should refer to the [Open-Source Okta guide](/admin/sso/os__okta/).
 
 ## Prerequisites
 

@@ -5,7 +5,7 @@ weight: 1
 audience: pro
 ---
 
-DefectDojo Pro supports SAML authentication via the **Enterprise Settings** UI. Open-Source users should refer to the [Open-Source SAML guide](../OS__saml/).
+DefectDojo Pro supports SAML authentication via the **Enterprise Settings** UI. Open-Source users should refer to the [Open-Source SAML guide](/admin/sso/os__saml/).
 
 ## Setup
 

@@ -20,15 +20,15 @@ aliases:
 
 Users can connect to DefectDojo with a Username and Password, but you can also allow users to authenticate via Single Sign-On (SSO). DefectDojo supports SAML and a range of OAuth providers:
 
-* **[Auth0](./PRO__auth0/)**
-* **[Azure Active Directory](./PRO__azure_ad/)**
-* **[GitHub Enterprise](./PRO__github_enterprise/)**
-* **[GitLab](./PRO__gitlab/)**
-* **[Google](./PRO__google/)**
-* **[KeyCloak](./PRO__keycloak/)**
-* **[Okta](./PRO__okta/)**
-* **[OIDC (OpenID Connect)](./PRO__oidc/)**
-* **[SAML](./PRO__saml/)**
+* **[Auth0](/admin/sso/pro__auth0/)**
+* **[Azure Active Directory](/admin/sso/pro__azure_ad/)**
+* **[GitHub Enterprise](/admin/sso/pro__github_enterprise/)**
+* **[GitLab](/admin/sso/pro__gitlab/)**
+* **[Google](/admin/sso/pro__google/)**
+* **[KeyCloak](/admin/sso/pro__keycloak/)**
+* **[Okta](/admin/sso/pro__okta/)**
+* **[OIDC (OpenID Connect)](/admin/sso/pro__oidc/)**
+* **[SAML](/admin/sso/pro__saml/)**
 
 SSO configuration can only be performed by a **Superuser**.
 

@@ -73,6 +73,6 @@ Once a new SLA has been selected for a Product, all of the associated Findings'
 
 ## Notes on SLAs
 
-* SLAs can be optionally restarted once a [Risk Accepted](/triage_findings/findings_workflows/risk_acceptances/) Finding reactivates.  This is set when creating the Risk Acceptance by setting the **Restart SLA Expired** field.
+* SLAs can be optionally restarted once a [Risk Accepted](/triage_findings/findings_workflows/os__risk_acceptance/) Finding reactivates.  This is set when creating the Risk Acceptance by setting the **Restart SLA Expired** field.
 * Reimporting a Finding does not restart the SLA - SLAs are always calculated from when a Finding was first detected unless **Restart SLA on Finding Reactivation** is enabled.
 * Risk Acceptance expiry or reactivation of a Closed Finding are the only ways to reset or recalculate an SLA for a Finding once it is created (without changing the Product's SLA configuration).
@@ -262,6 +262,6 @@ Once a new SLA has been selected for a Product, all of the associated Findings'
 
 ## Notes on SLAs
 
-* SLAs can be optionally restarted once a [Risk Accepted](/triage_findings/findings_workflows/risk_acceptances/) Finding reactivates.  This is set when creating the Risk Acceptance by setting the **Restart SLA Expired** field.
+* SLAs can be optionally restarted once a [Risk Accepted](/triage_findings/findings_workflows/pro__risk_acceptance/) Finding reactivates.  This is set when creating the Risk Acceptance by setting the **Restart SLA Expired** field.
 * Reimporting a Finding does not restart the SLA - SLAs are always calculated from when a Finding was first detected unless **Restart SLA on Finding Reactivation** is enabled.
 * Risk Acceptance expiry or reactivation of a Closed Finding are the only ways to reset or recalculate an SLA for a Finding once it is created (without changing the Product's SLA configuration).
@@ -0,0 +1,38 @@
+---
+title: "OWASP ASVS Benchmarks"
+description: "Benchmark a Product against the OWASP Application Security Verification Standard"
+weight: 6
+audience: opensource
+---
+
+DefectDojo supports benchmarking Products against the [OWASP Application Security Verification Standard (ASVS)](https://owasp.org/www-project-application-security-verification-standard/), which provides a basis for testing web application technical security controls.
+
+Benchmarks allow you to measure how well a Product meets your organization's defined security requirements, and to publish a score on the Product page for visibility.
+
+## Accessing Benchmarks
+
+Benchmarks are available from the **Product** page. To open the Benchmarks view, select the dropdown menu in the upper-right area of the Product page and choose **OWASP ASVS v.3.1** near the bottom of the menu.
+
+## Benchmark Levels
+
+OWASP ASVS defines three levels of verification coverage:
+
+- **Level 1** – For all software. Covers the most critical security requirements with the lowest cost to verify. This is the default level in DefectDojo.
+- **Level 2** – For applications that contain sensitive data. Appropriate for most applications.
+- **Level 3** – For the most critical applications, such as those performing high-value transactions or storing sensitive medical, financial, or safety data.
+
+You can switch between levels using the dropdown in the upper-right of the Benchmarks view.
+
+## Benchmark Score
+
+The left side of the Benchmarks view displays the current score for your Product at the selected ASVS level:
+
+- The **desired score** your organization has set as a target
+- The **percentage of benchmarks passed** toward achieving that score
+- The **total number of enabled benchmarks** for the selected level
+
+Enabling the **Publish** checkbox will display the ASVS score directly on the Product page.
+
+## Managing Benchmark Entries
+
+Individual benchmark entries can be marked as passed or failed as your team works through the ASVS controls. Additional benchmark entries, beyond the default ASVS set, can be added or updated through the **Django admin site**.