Greg Anderson

March 3, 2026

New Feature: Finding Diff - See Exactly What Changed Between Any Two Scans

Stop guessing which vulnerabilities are new. Now you can diff any two objects and know instantly.

We're excited to introduce Finding Diff, a new API endpoint in DefectDojo that lets you compare the findings between any two objects (engagements, assets, tests, and more) and get a clear breakdown of what was added, what was removed, and what stayed the same.

If you've ever stared at two scan results trying to figure out what actually changed, this one's for you.


The Problem: "What's New?"

It sounds like a simple question. You ran a scan on your main branch last week. A developer opens a pull request today. You scan the PR branch. Now you want to know: did this PR introduce any new vulnerabilities? Did it fix any existing ones? Or is everything the same?

In practice, answering that question has been surprisingly painful. You'd either eyeball two sets of results side by side, export to spreadsheets and manually compare, or build custom scripts to reconcile findings between scans. None of those approaches scale, and all of them waste time that security engineers should be spending on actual remediation.

Finding Diff solves this with a single API call.


How It Works

The new endpoint is straightforward:

GET /api/v2/engagements/{id}/finding_diff/{other_id}/

Pass in two object IDs and DefectDojo compares the findings associated with each. The response tells you exactly three things:

New findings (new_in_other). Vulnerabilities that exist in the second object but not the first. In a PR workflow, these are the findings the pull request introduced.

Removed findings (removed_from_other). Vulnerabilities that existed in the first object but are gone in the second. In a PR workflow, these are findings the pull request fixed.

Equality status (equal). A simple boolean telling you whether the two objects have identical findings or not.

Each finding in the response includes its ID, title, and hash code, giving you enough context to act on the results immediately or drill into the full finding details.


The Primary Use Case: PR Branch vs. Main Branch

The most common workflow for Finding Diff is comparing a pull request scan against your primary branch scan. Here's how it fits into a typical CI/CD pipeline:

1. You have a baseline scan of your main branch. This runs on every merge and represents your known security posture. The results live in a DefectDojo engagement (or product, test, etc.).

2. A developer opens a pull request. Your CI pipeline scans the PR branch and imports the results into DefectDojo as a separate engagement.

3. You call the Finding Diff endpoint. Compare the PR engagement against the main branch engagement. In one call, you know exactly which vulnerabilities the PR introduced and which ones it resolved.

4. You make a decision. If the PR introduced new critical or high findings, you can block the merge or flag it for review. If it only removed findings, you know the PR is improving your security posture. If the diff is empty, the PR didn't change your risk profile at all.

This turns DefectDojo into a security gate in your development workflow, not just a reporting tool that runs after the fact.


Beyond Pull Requests

While PR diffing is the primary use case, Finding Diff works between any two objects in DefectDojo. That opens up several other workflows:

Compare scans over time. Diff this week's engagement against last week's to see what changed in your security posture. Track whether your remediation efforts are actually reducing your finding count, or if new issues are being introduced faster than old ones are being fixed.

Compare environments. Diff your staging scan against your production scan. If staging has findings that production doesn't, you know what's about to ship. If production has findings that staging doesn't, something was deployed outside your normal pipeline.

Compare tools. Run two different scanners against the same target and diff the results. See which findings are unique to each tool and which ones overlap. This is useful for evaluating new scanners or validating that your existing tools have adequate coverage.

Compare assets. If you have multiple instances of the same application (multi-tenant, regional deployments), diff them to ensure they have a consistent security posture.


Integrating Finding Diff Into Your Pipeline

Since Finding Diff is an API endpoint, it slots directly into your existing CI/CD automation. A typical integration looks like this:

# Scan the PR branch and import results into DefectDojo
# (using your existing import automation)

# Diff the main branch engagement against the PR engagement. Main is {id}
# and the PR is {other_id}, so that new_in_other lists what the PR introduced
# and removed_from_other what it fixed (see the definitions above).
curl -X GET \
  "https://your-defectdojo.com/api/v2/engagements/${MAIN_ENGAGEMENT_ID}/finding_diff/${PR_ENGAGEMENT_ID}/" \
  -H "Authorization: Token ${DEFECTDOJO_API_TOKEN}"

# Parse the response
# - If any finding in new_in_other is critical/high (the diff returns ID, title
#   and hash code, so look severity up by finding ID): fail the build
# - If new_in_other is empty: pass
# - Log removed_from_other as resolved findings

You can wrap this in a few lines of script in your CI tool of choice (GitHub Actions, GitLab CI, Jenkins, etc.) and have automated security gates running in minutes.
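The pass/fail logic sketched in the comments above, written out as an added example (not DefectDojo's own client code). The diff response fields follow this post; the severity lookup through GET /api/v2/findings/{id}/ and the key name "severity" are assumptions, since the diff response itself carries only ID, title and hash code. The sample response at the bottom is constructed so the gate can be exercised offline.

```python
"""CI gate on DefectDojo's Finding Diff response.
Added example, not DefectDojo's own code. Response fields (new_in_other,
removed_from_other, equal; findings with id, title, hash_code) follow the
post; fetching severity via GET /api/v2/findings/{id}/ is an assumption,
since the diff response itself carries no severity.
"""
import json
import urllib.request

BLOCKING = {"Critical", "High"}  # new findings at these severities fail the build

def api_get(base_url, token, path):
    """GET a DefectDojo API path with token auth, return parsed JSON."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Authorization": f"Token {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def fetch_diff(base_url, token, main_engagement_id, pr_engagement_id):
    # Main is {id}, PR is {other_id}: new_in_other is then what the PR
    # introduced and removed_from_other what it fixed (see definitions above).
    path = f"/api/v2/engagements/{main_engagement_id}/finding_diff/{pr_engagement_id}/"
    return api_get(base_url, token, path)

def gate(diff, severity_of):
    """Pass/fail decision. severity_of(finding_id) returns the severity string;
    in CI use api_get(base, token, f"/api/v2/findings/{fid}/")["severity"] (assumed)."""
    introduced = diff.get("new_in_other", [])
    resolved = diff.get("removed_from_other", [])
    blocking = [f for f in introduced if severity_of(f["id"]) in BLOCKING]
    return {
        "passed": not blocking,                      # empty diff or only non-blocking
        "blocking": [f"{f['id']}: {f['title']}" for f in blocking],
        "introduced": len(introduced),
        "resolved": len(resolved),                   # log these as fixed by the PR
    }

# Constructed sample response and severity table, for offline use.
SAMPLE_DIFF = {
    "equal": False,
    "new_in_other": [
        {"id": 101, "title": "SQL injection in /search", "hash_code": "a1b2"},
        {"id": 102, "title": "Missing X-Frame-Options header", "hash_code": "c3d4"},
    ],
    "removed_from_other": [
        {"id": 87, "title": "Outdated lodash 4.17.15", "hash_code": "e5f6"},
    ],
}
SAMPLE_SEVERITIES = {101: "High", 102: "Low", 87: "Medium"}
```

In a pipeline, call gate(fetch_diff(...), lookup) and exit non-zero when "passed" is False; the "blocking" list gives the reviewer the finding IDs to open in DefectDojo.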


Getting Started

Finding Diff is available now in the DefectDojo API. To start using it:

  1. Ensure you're running the latest version of DefectDojo.
  2. Set up baseline scans for your main branch if you haven't already.
  3. Configure your CI pipeline to import PR branch scans as separate engagements.
  4. Call the /finding_diff/ endpoint to compare them.
  5. Use the response to build pass/fail logic in your pipeline.

Full API documentation is available at docs.defectdojo.com.


Ready to Add Security Gates to Your Pipeline?

If you're already a DefectDojo Pro customer, Finding Diff is available now. If you're exploring DefectDojo for the first time, this is a great example of how DefectDojo goes beyond scan aggregation to become an active part of your development workflow.



DefectDojo is the leading open-source and enterprise vulnerability management platform, trusted by security teams worldwide to consolidate, deduplicate, and manage findings from 200+ security tools. Learn more at defectdojo.com.