
DefectDojo v3 Is Here: A Ground-Up Rebuild for the Modern Security Team

Written by GREG ANDERSON | Jun 2, 2026 5:32:54 PM

After years of incremental improvements to v2, DefectDojo v3 represents the most significant change to the project. We’ve made massive improvements to how DefectDojo looks, how it deploys, and how it serves security teams at every stage of maturity.

Here's a detailed look at what's changing, what's new on the Pro side, and what it all means for your program.

Why v3? The Case for a Full Rebuild

The underlying UI framework had become a liability.

DefectDojo v2 was built on Bootstrap, and while that served the project well in its early years, the library had aged. Early attempts to modernize the interface involved patching over Bootstrap rather than replacing it, an approach that created debt without solving the real problem. Eventually, the team decided that a proper modernization required ripping Bootstrap out entirely and rebuilding the frontend from scratch.

That's part of what v3 will accomplish.

The new beta for the v3 UI feels familiar to longtime Dojo users but is more modern and, most importantly, more responsive. The filter experience alone is a noticeable improvement: previously verbose filter panels are now collapsible and grouped logically by function. For users who work with large finding sets and complex filter combinations, this is a practical quality-of-life gain.

What You Should Know Before Upgrading

A few important operational notes before you plan your upgrade:

The two interfaces coexist. v3 doesn't force you to abandon the v2 UI. Both interfaces live side by side, so you can transition at your own pace rather than flipping a switch and absorbing the change all at once.

Downgrade is supported. If you accidentally upgrade and aren't ready for v3, you can downgrade back to v2. The team has intentionally built this safety net given that more polishing is still in progress.

Don't run v3 in production yet. The recommendation from the team is to hold off on production deployments until the initial round of polish is complete. v3 is being released early to gather feedback, consistent with how the project has always operated, but it's not yet at the finish line for production-grade use.

v3 was released on June 1st. We will continue to optimize it in ongoing releases.

RBAC and SSO: An Important Open Source Change

With v3, Role-Based Access Control (RBAC) and SSO will not be supported in the open source edition. This is a deliberate change in how the project is being positioned, with the intent of focusing enterprise-level features on the commercial Pro offering.

To offset the impact on smaller organizations, DefectDojo is introducing a free Pro option for small teams, designed to ensure that the change doesn't price out teams that aren't enterprise-scale.

The full rationale, the specific thresholds, and the feedback channels are all documented in the official release announcement on GitHub Discussions and the DefectDojo Slack. If this change affects you, reading that announcement directly is the right next step. The team has explicitly set up channels for this conversation and has stated they want to hear from and assist affected users.

What's New in Pro

The v3 release coincides with several significant Pro-side additions that are available today.

Custom Dashboards

The remediation and insight dashboards in Pro have been consistently cited as high-value features. The new custom dashboard capability lets you combine any of the built-in insight widgets into a single, fully configurable view. You can rearrange elements, save multiple dashboard configurations, and build exactly the reporting surface your team actually uses, rather than switching between several pre-built views. If you've ever tried to answer "what does our program look like right now?" and had to pull from three different screens, this addresses that directly.

Rebuilt Report Generator

The original report builder worked, but it was showing its age. The new report builder is a complete overhaul: more building blocks, more customization options, and better repeatability for reports that need to be regenerated regularly. If your team produces recurring reports for stakeholders or compliance purposes, this is worth exploring as soon as it's available in your instance.

Locations: A Modernized Asset Structure

Locations replaces the older Endpoints framework and consolidates functionality that previously lived in the Components object. The key improvements:

  • Full SBOM tracking: the old Components object only tracked vulnerable dependencies, not your entire SBOM. Locations captures everything, which matters for CRA compliance and complete dependency visibility.
  • Global deduplication: findings can now be deduplicated by third-party libraries across your entire asset landscape, not just within a single asset.
  • Better heat mapping: shared attributes across assets can now be surfaced and analyzed at a program level.

Components will continue to be populated alongside Locations during the transition period. There's no hard cutoff date yet, and the team's stated approach is to avoid abrupt deprecations.

PSIRT Advisory Engine

This is new territory for DefectDojo and it addresses a real gap raised by our customers.

The PSIRT function, the team responsible for monitoring and responding to external advisories, has historically had almost no dedicated tooling. As advisory feeds have proliferated (especially in the wake of uncertainty around programs like the CVE ecosystem), the manual burden on PSIRT teams has grown substantially.

The PSIRT Advisory Engine ingests advisories from multiple feeds, matches them against your SBOM data in Locations, prioritizes and groups the results, and lets you push validated advisories directly into DefectDojo for tracking and remediation. If you've ever had to manually cross-reference an advisory against a list of third-party dependencies across dozens of repos, this is what that workflow looks like when it's automated.

This feature currently lives as a service alongside Dojo while deeper integration is finalized, but it's already in use with early customers and the team is actively incorporating feedback.
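To make the matching-and-grouping step concrete, and to show the cross-asset deduplication by third-party library mentioned under Locations, here is an added, self-contained Python example. It is not DefectDojo's code and does not call the PSIRT Advisory Engine or the DefectDojo API; the asset names, the CycloneDX-style SBOM records, the OSV-style advisory records, the package names and the `ADV-EXAMPLE-*` advisory ids are all constructed placeholders, and the version comparison is deliberately simplified (a real engine needs ecosystem-specific version semantics).

```python
"""Advisory-to-SBOM matching with cross-asset grouping (illustrative only).

Hypothetical example: not DefectDojo's code and not its PSIRT Advisory
Engine API. All records below are constructed; advisory ids are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed SBOMs, one per asset, trimmed to the CycloneDX fields we need.
SBOMS = {
    "billing-api": {"bomFormat": "CycloneDX", "components": [
        {"purl": "pkg:npm/acme-json@4.17.20"},
        {"purl": "pkg:npm/acme-http@1.2.0"},
    ]},
    "customer-portal": {"bomFormat": "CycloneDX", "components": [
        {"purl": "pkg:npm/acme-json@4.17.20"},
        {"purl": "pkg:pypi/acme-log@2.30.0"},
    ]},
    "reporting-worker": {"bomFormat": "CycloneDX", "components": [
        {"purl": "pkg:npm/acme-json@4.17.21"},   # already on the fixed version
        {"purl": "pkg:pypi/acme-log@2.29.0"},
    ]},
}

# Constructed advisories in an OSV-like shape (placeholder ids, fictional packages).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "severity": "high", "affected": [
        {"ecosystem": "npm", "name": "acme-json",
         "ranges": [{"introduced": "0", "fixed": "4.17.21"}]}]},
    {"id": "ADV-EXAMPLE-0002", "severity": "critical", "affected": [
        {"ecosystem": "pypi", "name": "acme-log",
         "ranges": [{"introduced": "2.0.0", "fixed": "2.31.0"}]}]},
    {"id": "ADV-EXAMPLE-0003", "severity": "low", "affected": [
        {"ecosystem": "npm", "name": "acme-http",
         "ranges": [{"introduced": "2.0.0", "fixed": "2.0.5"}]}]},  # 1.2.0 is not in range
]


@dataclass
class Match:
    """One row per (advisory, library): the global-dedup unit across assets."""
    advisory_id: str
    severity: str
    ecosystem: str
    package: str
    affected_assets: dict[str, str] = field(default_factory=dict)  # asset -> version


def parse_purl(purl: str) -> tuple[str, str, str]:
    """Split a package URL into (type, name, version); qualifiers/subpath ignored."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    name, sep, version = rest.rpartition("@")
    if not sep:                      # no version component at all
        name, version = version, ""
    return ptype, name, version


def version_key(v: str) -> tuple[int, ...]:
    """Numeric dotted-version key padded to four places (simplified on purpose)."""
    nums = []
    for part in v.split(".")[:4]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (4 - len(nums)))


def in_range(version: str, introduced: str | None, fixed: str | None) -> bool:
    """True when introduced <= version < fixed (OSV-style half-open range)."""
    vk = version_key(version)
    if introduced and vk < version_key(introduced):
        return False
    if fixed and vk >= version_key(fixed):
        return False
    return True


def match_advisories(sboms: dict, advisories: list) -> list[Match]:
    """Match every component of every asset against every advisory, then group
    hits by (advisory, library) so one row covers all affected assets, and
    prioritize by severity, then by blast radius (number of assets)."""
    groups: dict[tuple[str, str, str], Match] = {}
    for asset, bom in sboms.items():
        for comp in bom.get("components", []):
            ptype, name, version = parse_purl(comp["purl"])
            for adv in advisories:
                for aff in adv["affected"]:
                    if aff["ecosystem"].lower() != ptype.lower() or aff["name"] != name:
                        continue
                    if not any(in_range(version, r.get("introduced"), r.get("fixed"))
                               for r in aff["ranges"]):
                        continue
                    key = (adv["id"], ptype, name)
                    m = groups.setdefault(key, Match(adv["id"], adv["severity"], ptype, name))
                    m.affected_assets[asset] = version
    return sorted(groups.values(),
                  key=lambda m: (-SEVERITY_RANK[m.severity], -len(m.affected_assets), m.advisory_id))


if __name__ == "__main__":
    for m in match_advisories(SBOMS, ADVISORIES):
        print(f"{m.advisory_id} [{m.severity}] {m.ecosystem}/{m.package}: {m.affected_assets}")
```

Running it yields two grouped rows rather than three per-asset hits: the critical advisory on `acme-log` (two assets, two different vulnerable versions) sorts first, the high one on `acme-json` (two assets, same version) second, and the asset already on the fixed `acme-json` release is correctly excluded because the range is half-open at `fixed`.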

API Changes: Coming Soon

Not in v3 at launch, but worth flagging: the team is working on API simplifications, including a consolidation of the import and re-import endpoints. The current state, where re-import is strictly more capable than import but both still exist, is a known source of confusion. A unified endpoint is planned, though no release date has been set.

Where to Follow Along

v3 is the largest change DefectDojo has made to its open source codebase. We’re excited for the community to implement it and deliver feedback.