Prerequisites
- DefectDojo instance (self-hosted or cloud) with API access
- qai v0.5.1 or later
- A completed qai audit scan with JSON export
Workflow
- Run a qai audit scan and export as JSON
- Transform the findings to DefectDojo’s expected format
- Submit via DefectDojo’s findings import API
Step 1: Run Audit and Export
Step 2: Transform Findings
qai findings are MCP server security results — not source code findings. Map them to DefectDojo fields:| qai Finding Field | DefectDojo Field | Notes |
|---|---|---|
title | title | Finding title (e.g., “Tool parameter allows shell injection”) |
description | description | Detailed finding description |
severity | severity | Maps directly: critical→Critical, high→High, medium→Medium, low→Low |
category | vuln_id_from_tool | OWASP MCP category (e.g., command_injection) |
framework_ids.owasp_mcp_top10 | references | OWASP MCP Top 10 ID (e.g., MCP05) |
mitigation | mitigation | Remediation guidance |
Step 3: Submit to DefectDojo
Use the DefectDojo v2 API to create findings:SARIF Import Alternative
DefectDojo also supports SARIF import. Generate SARIF from qai and import directly:CI/CD Integration
Automate the scan-and-import workflow in GitHub Actions:DefectDojo automatically deduplicates SARIF findings on reimport. Repeated scans update existing findings rather than creating duplicates.