RESPONSE: Syhunt Hybrid 6.9.13 now detects the critical vulnerability Spring4Shell (CVE-2022-22965) Learn more

Integrating Syhunt into DefectDojo

The information in this document applies to version of Syhunt Hybrid.

DefectDojo is a security tool that automates application security vulnerability management. DefectDojo streamlines the application security testing process by offering features such as importing third party security findings, merging and de-duping, integration with Jira, templating, report generation and security metrics.

Syhunt generates a DefectDojo-compatible vulnerability report file if the output parameter is set to a filename that ends with the double extension .sast.json or .dast.json, as shown in the examples below. Finally when importing the JSON files into DefectDojo, specify the GitLab SAST or DAST format.

Note: currently, only GitLab SAST support is documented in DefectDojo. The DAST support may or may not come with some limitations


  • SAST: scancode [target] -xout:anyfilename.sast.json
  • DAST: scanurl [target] -xout:anyfilename.dast.json

When launching the scan through GitHub, GitLab and Powershell: use the outputex parameter of the scan function to pass the filename.

When launching the scan through Jenkins: use the outFilename parameter of the scan function to pass the filename.

For additional product documentation, visit