
DefectDojo Universal Parser Explained: How to Centralize Security Findings from Any Security Tool

Written by DAWN VAN HOEGAERDEN | Feb 26, 2026 2:00:00 PM

Running scans using different SAST, DAST, IaaC, and proprietary scanners is only half of the battle for a security team. Aggregating those results, normalizing and interpreting the data into actionable tickets, and reporting are other time-consuming processes. But what do you do when there isn’t an existing parser?

In this blog, we’ll cover DefectDojo Pro's Universal Parser, which offers a simple, fast, and reliable means to ingest the most important data from any scanning tool or custom report without having to wait or build a custom parser or API Connector.

What is DefectDojo's Universal Parser & What is it Used For?

DefectDojo's Universal Parser is a flexible import mechanism designed to serve as a “catch-all”, DIY parser builder that allows DefectDojo Pro users to ingest security findings from virtually any security tool. Unlike traditional parsers, the Universal Parser allows users to build their own, private parser that can import custom or tool-exported .csv, .xml or .json files.

This capability is particularly valuable for teams that use custom security tooling, 3rd party security tests, or newer security products, because they can import results without waiting for a dedicated parser. For example, a security team might receive a 3rd party pen test in a spreadsheet that was created by hand.

DefectDojo Pro users would be able to use the user interface to perform a one-time mapping where they:

  1. Assign data elements from the pen test to DefectDojo finding data objects

  2. Review the mapping

  3. Immediately import and begin tracking findings in their vulnerability management platform.

The newly mapped Universal Parser would also be saved for future imports, and can even be used via the API for automated imports.

How the Universal Parser Makes Life Easier for Security Teams

The Universal Parser eliminates several pain points that plague modern security operations. First, it dramatically reduces integration time. Security teams can onboard a new security tool in minutes rather than days or weeks, simply by mapping the tool's output fields to DefectDojo's standard format.

Second, it provides consistency across disparate security findings. Whether a vulnerability comes from a commercial SAST tool, an open-source DAST scanner, or a custom penetration testing script, the Universal Parser normalizes the data into a unified format. This standardization enables apples-to-apples comparisons, accurate metrics, and streamlined remediation workflows.

Third, it future-proofs your vulnerability management process. As your security tooling evolves—new tools are added, vendors change output formats, or internal tools are updated—the Universal Parser adapts without requiring code changes or parser updates from DefectDojo maintainers.

Example Using the Universal Parser

In our fictional example here, your org has developed an internal API security scanner that outputs findings in a custom JSON format. Here's how the Universal Parser brings these security findings into DefectDojo:

Step 1: Prepare Your Data

Your API scanner produces an output like this:

Step 2: Import via Universal Parser

In DefectDojo Pro, navigate to your Import section and select "New Universal Parser." Upload your JSON file and map the fields:



*Note that Title, Severity, and Description are all required fields. 

Step 3: Review and Track

DefectDojo processes the import and creates standardized security findings. Your custom API scanner results now appear alongside findings from your SAST, DAST, and SCA tools, all in a unified vulnerability management dashboard. You can assign findings to developers, track remediation progress, and generate reports—all without building custom integrations.
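A pre-import check for the required fields named in Step 2, added here as an example and not part of DefectDojo or the original post: it resolves a field mapping against each record of a custom JSON report and lists the records that would arrive without a Title, Severity, or Description. The report contents, the source key names, and the `FIELD_MAP` mapping are constructed for illustration.

```python
import json

# Constructed sample report for the fictional internal API scanner (not from the post).
SAMPLE_REPORT = json.loads("""
{
  "scan": {"target": "https://api.example.internal", "tool": "internal-api-scanner"},
  "results": [
    {"name": "Missing authentication on /v1/users", "risk": "High",
     "details": {"summary": "Endpoint returns user records without a token."}},
    {"name": "Verbose error messages", "risk": "",
     "details": {"summary": "Stack traces are returned on HTTP 500."}},
    {"name": "Weak TLS configuration", "risk": "Medium", "details": {}}
  ]
}
""")

# Hypothetical mapping: required DefectDojo field -> dotted path in each source record.
FIELD_MAP = {"Title": "name", "Severity": "risk", "Description": "details.summary"}


def resolve(record, dotted_path):
    """Follow a dotted path through nested dicts; return None if any step is missing."""
    value = record
    for key in dotted_path.split("."):
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value


def preflight(records, field_map):
    """Return (ready, problems): mapped records, and (index, missing fields) for the rest."""
    ready, problems = [], []
    for index, record in enumerate(records):
        mapped = {field: resolve(record, path) for field, path in field_map.items()}
        # A required field counts as missing when it is absent, non-text, or blank.
        missing = sorted(f for f, v in mapped.items()
                         if not isinstance(v, str) or not v.strip())
        if missing:
            problems.append((index, missing))
        else:
            ready.append(mapped)
    return ready, problems


if __name__ == "__main__":
    ready, problems = preflight(SAMPLE_REPORT["results"], FIELD_MAP)
    print(f"{len(ready)} record(s) ready for import")
    for index, missing in problems:
        print(f"record {index}: no value for required field(s) {', '.join(missing)}")
```

Running a check like this before upload surfaces records with blank or absent source values while they can still be fixed at the scanner, rather than after a partial import.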

Conclusion

DefectDojo's Universal Parser makes ingesting any security finding into DefectDojo easier. By accepting any security tooling output and intelligently transforming it into actionable security findings, it empowers teams to focus on remediation rather than integration. Universal Parser can also be used to import manual pentest reports and can even be used to remap a tool with an existing parser if you want to change how DefectDojo organizes the data out of the box. 

Whether you're managing a complex security tooling stack or building custom scanners, the Universal Parser ensures every vulnerability gets tracked, prioritized, and resolved—regardless of where it originated.
