Acunetix

Acunetix Integration with DefectDojo

If your team runs Acunetix against web applications and APIs, you're generating some of the most detailed DAST output in the industry — confirmed findings with HTTP request and response evidence, CVSS scores, CWE mappings, and proof-of-exploit where available. The challenge is that Acunetix is a scanning tool, not a vulnerability management platform. Without something downstream to receive those results, you're back to comparing XML reports manually after every scan cycle and losing the thread of what was fixed, what was accepted, and what quietly slipped through.

Feeding Acunetix output into DefectDojo gives you a persistent, deduplicated record of web application vulnerabilities across every target and every scan run. You get remediation tracking, SLA enforcement, team assignment, and a clear audit trail — things that raw scan reports can't give you.

Why Acunetix Matters

Acunetix is a DAST scanner purpose-built for web applications and APIs. It tests running applications from the outside in — the same vantage point an attacker has — and it's been doing this longer than most tools in the category. A few things make its findings particularly valuable to route into DefectDojo:

• Proof-based scanning reduces false positive noise. Acunetix automatically validates many findings before reporting them, confirming that a vulnerability is actually exploitable rather than just theoretically present. This means the findings you're importing into DefectDojo are higher-signal than what many other DAST tools produce.
• Coverage spans the full web layer. SQL injection, XSS, SSRF, XXE, LFI, authentication bypasses, misconfigured security headers, and out-of-date server components — Acunetix covers them all, including vulnerabilities in modern JavaScript-heavy single-page applications and REST/GraphQL APIs.
• Findings are richly annotated. Every finding carries severity, CWE, CVE (where applicable), CVSS v2 and v3 scores, the exact HTTP request and response that triggered the issue, parameter-level detail, and remediation guidance. That level of metadata is directly importable and surfaceable in DefectDojo.
• Compliance report templates exist, but compliance is not a substitute for tracking. Acunetix can generate OWASP Top 10, PCI DSS, HIPAA, and NIST 800-53 compliance reports in-tool. Those are point-in-time documents. DefectDojo turns the same findings into a continuous, auditable record.

Advantages of This Integration

• Persistent history across scan cycles. When Acunetix reruns against the same target — weekly, after a deployment, or on-demand during a pentest — each import into DefectDojo builds a cumulative record. You can see exactly when a finding first appeared, whether it was previously closed and has re-opened, and how long it has been sitting unresolved.
• Cross-target deduplication. If the same missing Content-Security-Policy header appears across twelve web properties, DefectDojo's deduplication logic treats that as a systemic issue rather than twelve independent tickets. This directly affects prioritization: a pattern across your portfolio is more urgent than a single instance.
• SLA tracking that survives personnel changes. Acunetix Critical and High findings often require immediate developer attention, but developer ownership shifts. DefectDojo applies SLA timers at import time based on severity. A finding opened six weeks ago against a deadline of 30 days surfaces as breached — regardless of who originally picked it up.
• Proof-of-exploit evidence stays attached. DefectDojo stores the full finding detail from each import, including the HTTP request/response evidence that Acunetix captures. When a developer asks "how was this confirmed?", the answer is already in DefectDojo — no need to re-run the scan or dig up the original report file.
• Risk acceptance with expiry. Not every Acunetix finding warrants immediate remediation. Some are known configurations, accepted trade-offs, or findings on non-production targets. DefectDojo's risk acceptance workflow lets you formally document those decisions with an expiry date. When the date passes, the finding becomes active again rather than quietly staying suppressed.
• Unified reporting across scanner types. Acunetix findings sit alongside SAST, SCA, and container scanning results in DefectDojo. A product team's full security picture — static code issues, dependency vulnerabilities, and web application findings — is visible in one place, which makes cross-tool prioritization and executive reporting practical rather than a spreadsheet exercise.

How This Integration Works

DefectDojo ships with a native Acunetix parser that handles the standard Acunetix WVS XML export format. Acunetix 360 / Invicti JSON output is also supported via the same parser. Both formats are importable via the DefectDojo web UI or API.

Step 1 — Export the scan report from Acunetix. In classic Acunetix WVS (on-premises), generate an XML report from the scan results:

• Open the scan results in the Acunetix UI
• Select Generate Report → Affected Items or Comprehensive Report
• Choose XML as the export format
• Save the .xml file

For Acunetix 360 / Invicti (cloud or on-premises), export via the Vulnerabilities List in JSON format from the scan report UI, or pull results programmatically via the Acunetix REST API:

curl -k --request GET \

--url "https://<acunetix-host>/api/v1/vulnerabilities?q=scan_id:<scan_id>" \

--header "X-Auth: <api_token>" \

--header "Content-type: application/json" \

> acunetix-findings.json

Step 2 — Import into DefectDojo. Use the DefectDojo API to create a new test and import the report under the relevant engagement for your web application product:

curl -X POST https://<defectdojo-host>/api/v2/import-scan/ \

-H "Authorization: Token <your-token>" \

-F "scan_type=Acunetix Scan" \

-F "file=@acunetix-report.xml" \

-F "engagement=<engagement-id>" \

-F "product_name=<your-product>" \

-F "close_old_findings=true" \

-F "minimum_severity=Info"

For Acunetix 360 JSON output, the same scan type (Acunetix Scan) handles the JSON format via DefectDojo's unified parser. Step 3 — Automate as part of your scan workflow. If Acunetix is configured to run scans on a schedule or triggered via its API, add a post-scan step that pulls the completed scan report and pushes it to DefectDojo. This keeps DefectDojo in sync without requiring manual exports after each scan cycle. For Acunetix scheduled scans, use a lightweight wrapper script that polls for scan completion and then imports:

#!/bin/bash

SCAN_ID=$(curl -sk -H "X-Auth: $ACUNETIX_TOKEN" \

"$ACUNETIX_URL/api/v1/scans" | jq -r '.scans[0].scan_id')

# Wait for scan completion, then export and import

curl -sk -H "X-Auth: $ACUNETIX_TOKEN" \

"$ACUNETIX_URL/api/v1/scans/$SCAN_ID/report" \

-o acunetix-report.xml

curl -X POST "$DEFECTDOJO_URL/api/v2/import-scan/" \

-H "Authorization: Token $DOJO_TOKEN" \

-F "scan_type=Acunetix Scan" \

-F "file=@acunetix-report.xml" \

-F "engagement=$ENGAGEMENT_ID" \

-F "close_old_findings=true"

Data Granularity: What Gets Imported

The following fields are extracted from Acunetix XML/JSON reports and mapped into DefectDojo findings:

Use Cases

• Continuous DAST coverage across a web application portfolio. Your team manages twenty web applications with varying deployment cadences. Acunetix runs scheduled scans against each, and results are imported into DefectDojo automatically after each scan completes. The security team reviews a single DefectDojo dashboard showing new findings by severity across all products — not twenty separate Acunetix scan result pages. SLA timers enforce remediation deadlines without manual follow-up.
• Pre-release security gate for a web application. Before a major release, Acunetix runs a full authenticated scan against the staging environment. Results are imported into a DefectDojo engagement tied to the release. The team's policy is zero Critical or High findings before production deployment. DefectDojo surfaces any open findings in that severity range, and the release gate remains blocked until they're resolved or formally accepted with documented rationale.
• Tracking remediation velocity after a penetration test. A penetration test uncovers fifteen findings, many of which overlap with existing Acunetix findings already in DefectDojo. When the pentest results are imported alongside the Acunetix data, DefectDojo deduplication links related findings. As developers work through fixes, Acunetix reruns confirm the resolutions, and close_old_findings=true marks them resolved in DefectDojo. Leadership gets a factual view of remediation progress without requiring status updates from each developer.
• Compliance evidence collection. Your organization needs to demonstrate OWASP Top 10 coverage and remediation for a compliance audit. Every Acunetix scan run is stored in DefectDojo as a dated test record within the relevant product engagement. The auditor gets a DefectDojo export showing when each finding was opened, when it was resolved, and who accepted or closed it. This is substantially cleaner than producing a collection of XML report files.

Operational Tips

• Use authenticated scans and import separately from unauthenticated results. Acunetix can run both authenticated and unauthenticated scans against the same target. These surface materially different findings — authenticated scans reach application logic that's invisible to an unauthenticated crawler. Import them into separate DefectDojo engagements or tests so you don't conflate the coverage profile of each.
• Set close_old_findings=true on every automated import. Without this, each reimport accumulates duplicate findings rather than reconciling them. With it, DefectDojo marks findings as mitigated if they no longer appear in the latest scan, giving you an accurate active finding count. This is especially important for Acunetix, where proof-based scanning means a resolved finding genuinely won't reappear unless the vulnerability has been reintroduced.
• Tag by scan profile and target environment. Use DefectDojo tags to separate production scans from staging, and full-scope scans from quick targeted scans. Acunetix supports different scan profiles (full scan, high-risk checks only, custom), and the scope matters when interpreting what a clean result actually means.
• Triage Informational findings separately. Acunetix Informational alerts — server version disclosure, missing optional headers — are worth capturing but should not compete with Critical and High findings for remediation attention. Configure a separate DefectDojo SLA rule for Informational severity, or filter them out of the active findings view and review them in a dedicated triage cycle.
• Leverage CVSS v3 scores for cross-tool prioritization. DefectDojo can display CVSS v3 scores from Acunetix alongside findings from other tools in the same product. This gives a normalized severity baseline across DAST, SAST, and SCA — useful when you're deciding which finding type to fix first in a sprint.
• Document risk acceptances before scan reruns. If a finding has been formally accepted — for example, a known configuration on a legacy system — record the risk acceptance in DefectDojo before the next Acunetix scan runs. Otherwise, the reimport with close_old_findings=true may re-open the finding and generate noise. Risk acceptances in DefectDojo persist across reimports and correctly suppress those findings.