Title:
[Enhancement] New Professional HTML Report Template for Engagement Vulnerability Reports
The current HTML engagement report template is minimal and difficult to share with clients or management. When security teams import scan results from tools like Grype, Trivy, or Snyk into DefectDojo and generate a report, the output lacks visual structure, severity grouping, and actionable remediation guidance — forcing teams to export data into external tools just to produce a professional-looking deliverable.
Describing the solution
As a security analyst, I want a professional HTML report template so that I can deliver client-ready vulnerability reports directly from DefectDojo without relying on external tools.
The proposed template (sbom_vulnerability_report.html) plugs into DefectDojo's existing report engine using the same context variables already available (engagement, findings, disclaimer, etc.) and extends report_base.html — exactly like the existing engagement_pdf_report.html.
Key features:
- Professional cover page auto-populated from DefectDojo data
- Executive summary with severity counters (Critical / High / Medium / Low)
- Findings grouped by severity with color-coded section headers
- Expandable finding cards showing CVSS, EPSS, CWE, fix version, description, mitigation, and references
- Dependency type grouping (Direct, Transitive, Development)
- Dependency chain visualization for transitive dependencies
- Unified fix recommendation when a package has multiple CVEs with different fix versions
- Prioritized remediation table with exact fix commands
- Glossary for non-technical readers
- Fully self-contained — no external libraries, works offline and in air-gapped environments
- Print/PDF friendly
No new models, no new API routes, no database migrations required.
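As an added illustration, not code from this proposal or from DefectDojo itself, the following Python shows the data shaping the feature list above relies on: severity counters for the executive summary, findings grouped by severity in display order, and the unified fix recommendation that picks one upgrade per package when several CVEs name different fix versions, rendered as a prioritized remediation row with a concrete command. It assumes findings expose `component_name`, `component_version`, `severity` and `mitigation`, that the importer wrote the fix version into the mitigation text, and an npm-style upgrade command; in DefectDojo this computation would live in a view or template tag feeding the template, not inline in the HTML.

```python
"""Severity grouping and unified fix recommendation over engagement findings."""
import re
from collections import defaultdict

SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "Info")
FIX_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")

# Constructed sample findings (not real scan output), shaped like the plain
# fields a Finding exposes in the report context. Assumption: the importer
# carried the fix version in the `mitigation` text as "Upgrade to X".
SAMPLE_FINDINGS = [
    {"id": "F1", "severity": "High", "component_name": "lodash",
     "component_version": "4.17.15", "mitigation": "Upgrade to 4.17.19"},
    {"id": "F2", "severity": "Critical", "component_name": "lodash",
     "component_version": "4.17.15", "mitigation": "Upgrade to 4.17.21"},
    {"id": "F3", "severity": "Medium", "component_name": "express",
     "component_version": "4.16.0", "mitigation": "Upgrade to 4.17.3"},
    {"id": "F4", "severity": "Low", "component_name": "minimist",
     "component_version": "1.2.0", "mitigation": "No fix available"},
    {"id": "F5", "severity": "High", "component_name": "lodash",
     "component_version": "4.17.15", "mitigation": "Upgrade to 4.17.20"},
]


def count_by_severity(findings):
    """Executive-summary counters, keyed in display order (Critical first)."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def group_by_severity(findings):
    """Findings bucketed per severity; only non-empty buckets, display order."""
    buckets = defaultdict(list)
    for f in findings:
        buckets[f["severity"]].append(f)
    return {sev: buckets[sev] for sev in SEVERITY_ORDER if buckets[sev]}


def parse_version(text):
    """First dotted version in the text as a tuple of ints, or None if absent."""
    m = FIX_VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def unified_fix_recommendation(findings):
    """Per package: the single fix version that closes every CVE on it (the
    highest fix version named across its findings) and how many are unfixed."""
    per_package = {}
    for f in findings:
        entry = per_package.setdefault(f["component_name"], {
            "current": f["component_version"], "fix": None,
            "findings": 0, "unfixed": 0})
        entry["findings"] += 1
        fix = parse_version(f["mitigation"])
        if fix is None:
            entry["unfixed"] += 1
        elif entry["fix"] is None or fix > entry["fix"]:
            entry["fix"] = fix
    for entry in per_package.values():
        entry["fix"] = ".".join(map(str, entry["fix"])) if entry["fix"] else None
    return per_package


def remediation_table(findings, ecosystem="npm"):
    """Rows for the prioritized remediation table: the upgrade that resolves
    the most findings comes first. The npm command form is an assumption."""
    rows = []
    for pkg, entry in unified_fix_recommendation(findings).items():
        cmd = (f"{ecosystem} install {pkg}@{entry['fix']}"
               if entry["fix"] else "no fix available")
        rows.append({"package": pkg, "current": entry["current"],
                     "fix": entry["fix"],
                     "resolves": entry["findings"] - entry["unfixed"],
                     "command": cmd})
    rows.sort(key=lambda r: (-r["resolves"], r["package"]))
    return rows


if __name__ == "__main__":
    print(count_by_severity(SAMPLE_FINDINGS))
    for row in remediation_table(SAMPLE_FINDINGS):
        print(row)
```

Taking the highest named fix version is what makes the recommendation "unified": upgrading lodash to 4.17.21 in the sample closes all three of its findings, so the report can show one command instead of three conflicting ones, while a package with no parseable fix version is kept in the table with its count so it is not silently dropped.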
Describing alternatives
- Using the existing report builder with custom widgets — too limited in layout and visual customization
- Exporting findings to external tools (Word, Excel, custom scripts) — breaks the workflow and defeats the purpose of having a centralized platform
- The existing engagement_pdf_report.html — functional but not client-ready in terms of visual design and information hierarchy
Additional context
This template was developed and tested using real Grype scan output from OWASP Juice Shop (SPDX 2.3 SBOM), covering 78 vulnerabilities across 30 packages. It is compatible with any scan tool already supported by DefectDojo.
Files changed:
dojo/templates/dojo/sbom_vulnerability_report.html — new file only
A fully rendered HTML preview is available upon request.
We reviewed CONTRIBUTING.md and understand that pre-approval is recommended for this type of enhancement. We are happy to adjust scope, answer questions, or provide additional screenshots based on maintainer feedback.