.svg?width=20&height=18&name=desktop_windows%20(1).svg){kind=small}
.svg?width=150&height=150&name=DefectDojo%20Menu%20Icons-03%20(1).svg)
AppSpider (Rapid7)
AppSpider is a dynamic application security testing (DAST) solution by Rapid7 that automatically crawls and scans web applications to identify security vulnerabilities including SQL injection, cross-site scripting, and other OWASP Top 10 risks. The tool provides comprehensive security assessment capabilities for modern web applications and APIs, simulating real-world attack scenarios to discover exploitable vulnerabilities before malicious actors can compromise application security.
AppSpider Integration with DefectDojo
If your team is running AppSpider against web applications and APIs, you're generating some of the most actionable DAST findings available — authenticated scan coverage, attack replay data, and request/response pairs that make triage far less ambiguous than most scanners produce. The gap is what happens after the scan. AppSpider's native reporting is useful for point-in-time reviews, but it doesn't give you a persistent vulnerability lifecycle. Integrating AppSpider with DefectDojo closes that gap: findings move from scan artifacts into a managed workflow where you can deduplicate across scans, track remediation progress, enforce SLAs, and report on posture over time across your entire application portfolio.
Why AppSpider Matters
AppSpider (now part of Rapid7's application security portfolio) is a commercial DAST scanner built for coverage and depth on modern web applications — including JavaScript-heavy SPAs, authenticated workflows, and REST/SOAP APIs.
- AppSpider's traffic-based attack engine replays actual HTTP transactions, which means findings come with the exact request that triggered the vulnerability — critical for developer triage and false positive validation
- Authenticated scanning support allows coverage behind login flows, including multi-step authentication sequences that simpler scanners can't navigate
- It handles a broad attack surface: reflected and stored XSS, SQL injection, XXE, SSRF, authentication flaws, session management issues, and more, mapped to CWE identifiers
- Findings include attack traffic (request/response) and remediation guidance, reducing the back-and-forth between security and engineering teams
- AppSpider produces XML-based scan results (VulnSummary.xml) that DefectDojo's parser consumes directly, making import straightforward without preprocessing
Advantages of This Integration
AppSpider gives you findings. DefectDojo gives those findings a lifecycle. The combination is where operational value accumulates.
- Persistent finding records across scans: Each time you run AppSpider against an application, reimporting into DefectDojo updates existing findings rather than creating a new pile of duplicates. You can see whether a finding was resolved, regressed, or has been open for 60 days without action.
- Cross-application portfolio visibility: AppSpider is typically run against many applications. DefectDojo aggregates findings across your entire product catalog, giving security leadership a single view of DAST posture rather than application-by-application scan reports.
- SLA tracking with breach alerting: DefectDojo applies configurable SLA policies by severity. A Critical finding from AppSpider gets a remediation deadline; DefectDojo tracks it and surfaces breaches in dashboards and reports — something AppSpider's native reporting doesn't do between scan cycles.
- False positive management with audit trail: DAST scanners produce false positives. DefectDojo lets you mark findings as false positives with a documented rationale, so the next scan reimport doesn't re-open them. The record is retained for compliance review.
- Developer-facing ticket creation: Once a finding is triaged in DefectDojo, it can be pushed directly to Jira, GitHub Issues, or ServiceNow with the relevant request/response context included — giving developers what they need without requiring access to the AppSpider console.
- Engagement-level trend reporting: Over time, DefectDojo's metrics show whether DAST findings for a given application are trending down (remediation is working) or flat-lining (findings are being accepted or ignored). This is useful data for both team leads and executive reporting.
How This Integration Works
AppSpider produces scan output in XML format. DefectDojo's AppSpider parser reads this file directly.
Step 1 — Run the AppSpider scan and export results
AppSpider generates a VulnSummary.xml file as part of its standard scan output. This is the file DefectDojo consumes. You can locate it in the scan results directory after a completed scan, or export it via the AppSpider REST API if you're running AppSpider Enterprise:
# AppSpider Enterprise API — retrieve scan results XML
curl -X GET "https://<appspider-host>/AppSpiderEnterprise/rest/v1/Scan/GetVulnSummaryXml?scanId=<scan-id>" \
-H "Authorization: Bearer <your-token>" \
-o VulnSummary.xml
Step 2 — Import into DefectDojo
Import via the DefectDojo UI by selecting AppSpider Scan as the scan type and uploading the XML file, or use the API for pipeline integration:
curl -X POST https://<defectdojo-host>/api/v2/import-scan/ \
-H "Authorization: Token <your-api-token>" \
-F "scan_type=AppSpider Scan" \
-F "file=@VulnSummary.xml" \
-F "engagement=<engagement-id>" \
-F "product=<product-id>" \
-F "active=true" \
-F "verified=false"
Step 3 — Reimport for recurring scans
For applications scanned on a regular cadence, use the reimport endpoint to update existing findings rather than stack duplicate test records:
curl -X POST https://<defectdojo-host>/api/v2/reimport-scan/ \
-H "Authorization: Token <your-api-token>" \
-F "scan_type=AppSpider Scan" \
-F "file=@VulnSummary.xml" \
-F "test=<test-id>"
DefectDojo will mark findings that no longer appear in the new scan as resolved, and surface any new findings introduced since the last import.
Data Granularity: What Gets Imported
|
Field |
Source in AppSpider Output |
Notes |
|---|---|---|
|
Title |
AttackType + VulnType |
Descriptive finding name based on attack class |
|
Severity |
Severity |
Critical, High, Medium, Low, Informational |
|
CWE ID |
CWEId |
Mapped to CWE where AppSpider provides it |
|
Description |
Description |
Vulnerability explanation from AppSpider's knowledge base |
|
URL |
AttackedURL |
The specific endpoint where the vulnerability was found |
|
Attack Value |
AttackValue |
The payload used to trigger the vulnerability |
|
Request |
RequestHeaders + RequestBody |
Full HTTP request used in the attack — key for developer triage |
|
Response |
ResponseHeaders + ResponseBody |
Server response that confirmed the vulnerability |
|
Remediation |
Recommendation |
AppSpider's remediation guidance |
|
References |
Reference |
Links to CVE, OWASP, or vendor documentation |
|
CVSS Score |
CVSSScore |
Where populated by AppSpider |
|
Confidence |
AttackType context |
Inferred from attack class; not all findings carry explicit confidence scores |
Use Cases
During a pre-release security review: AppSpider scans run against a staging environment as part of a release gate. Results are imported into a DefectDojo engagement tied to the release version. Security and engineering teams triage findings in DefectDojo, accept or remediate before go-live, and the engagement record serves as documented evidence of the pre-release review — useful for compliance and audit purposes.
For applications with recurring scan schedules: Production-facing applications are scanned monthly or quarterly. Each scan reimports into the same DefectDojo engagement, updating finding status automatically. Security teams can immediately see what's new, what regressed, and what has been open longest — without manually diffing XML files between scan cycles.
When managing a large application portfolio: An organization running AppSpider across 30+ applications consolidates all results in DefectDojo under a product-per-application structure. Security leadership gets a portfolio-level dashboard showing total open High/Critical DAST findings, SLA compliance rates, and which applications have the most unresolved debt — enabling prioritized resource allocation.
For compliance evidence collection: Regulatory frameworks (PCI DSS, SOC 2, FedRAMP) require documented evidence of application security testing. DefectDojo's engagement records, imported AppSpider findings, and remediation history provide a structured audit trail that's far cleaner to present than raw scan XML files.
Operational Tips
- Create one engagement per application per scan cycle: A clear engagement naming convention (e.g., AppSpider - Q2 2025 - <App Name>) keeps your history organized and makes it easy to compare posture across quarters.
- Use reimport for the same application over time: Don't create a new test record for every scan of the same application. Reimport into the existing test so DefectDojo can track resolved and regressed findings accurately.
- Mark Informational findings inactive on import: AppSpider includes Informational findings that are rarely actionable as vulnerabilities. Setting these to inactive on import keeps your active queue focused on real risk without discarding the data.
- Document false positives immediately after triage: DAST findings are inherently noisier than SAST. Building a habit of marking false positives in DefectDojo during triage — rather than just ignoring them — pays dividends on the next scan when reimport would otherwise re-open them.
- Attach the full VulnSummary.xml as a test artifact: DefectDojo allows file attachments on test records. Storing the original scan file alongside the imported findings gives you a complete record if you ever need to re-examine raw output or re-import with an updated parser.
- Leverage request/response data in Jira tickets: When pushing findings to Jira from DefectDojo, include the attack request and response in the ticket description. Developers can reproduce the issue immediately rather than needing to access the AppSpider console or ask the security team for context.