The docker-compose.yml file in this repository is fully functional to evaluate DefectDojo in your local environment.
Although Docker Compose is one of the supported installation methods to deploy a containerized DefectDojo in a production environment, the docker-compose.yml file is not intended for production use without first customizing it to your particular situation.
See Running with Docker Compose for more information how to run DefectDojo with Docker Compose.
It is recommended to use a dedicated database server and not the preconfigured PostgreSQL database. This will improve the performance of DefectDojo.
In both cases (dedicated DB or containerized), if you are self-hosting, it is recommended that you implement and create periodic backups of your data.
Media files for uploaded files, including threat models and risk acceptance, are stored in a docker volume. This volume needs to be backed up regularly.
With a separate database, the minimum recommendations are:
By default (except in
ptvsd mode for debug purposes), uWSGI will
handle 4 concurrent connections.
Based on your resource settings, you can tweak:
DD_UWSGI_NUM_OF_PROCESSESfor the number of spawned processes. (default 2)
DD_UWSGI_NUM_OF_THREADSfor the number of threads in these processes. (default 2)
For example, you may have 4 processes with 6 threads each, yielding 24 concurrent connections.
By default, a single mono-process celery worker is spawned. When storing a large amount of findings, leveraging async functions (like deduplication), or both. Eventually, it is important to adjust these parameters to prevent resource starvation.
The following variables can be changed to increase worker performance, while keeping a single celery container.
DD_CELERY_WORKER_POOL_TYPEwill let you switch to
When you enable
prefork, the variables below have
to be used. see the
Dockerfile.django-* for in-file references.
DD_CELERY_WORKER_AUTOSCALE_MINdefaults to 2.
DD_CELERY_WORKER_AUTOSCALE_MAXdefaults to 8.
DD_CELERY_WORKER_CONCURRENCYdefaults to 8.
DD_CELERY_WORKER_PREFETCH_MULTIPLIERdefaults to 128.
You can execute the following command to see the configuration:
docker-compose exec celerybeat bash -c "celery -A dojo inspect stats"
and see what is in effect.
Please note: Asynchronous Import is currently an experimental feature. Please exercise caution with this method as results may be inconsistent.
Import and Re-Import can also be configured to handle uploads asynchronously to aid in processing especially large scans. It works by batching Findings and Endpoints by a configurable amount. Each batch will be be processed in separate celery tasks.
The following variables impact async imports.
DD_ASYNC_FINDING_IMPORTdefaults to False
DD_ASYNC_FINDING_IMPORT_CHUNK_SIZEdefaults to 100
When using asynchronous imports with dynamic scanners, Endpoints will continue to “trickle” in even after the import has returned a successful response. This is because processing continues to occur after the Findings have already been imported.
To determine if an import has been fully completed, please see the progress bar in the appropriate test.