Is it normal for DefectDojo to assign different severity scores to separate instances of the same CWE? We have one finding of a CWE where it was scored as high and another where it is low.
I would suggest picking out a security scanner to start with, incorporating it into whatever CI/CD pipeline your org uses, and then having a script in the pipeline that imports scan results into DefectDojo via its API. System requirements can be found here: https://docs.defectdojo.com/get_started/open_source/running-in-production/
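
The pipeline import step suggested above, as an added example that is not part of the original post or of DefectDojo's own code: a script that uploads a scanner report to the `/api/v2/import-scan/` endpoint using only the Python standard library. The environment variable names `DD_URL` and `DD_API_TOKEN`, the command-line argument order, and the helper name `build_import_request` are assumptions made for the example.

```python
import os
import sys
import urllib.request
import uuid


def build_import_request(base_url, token, scan_type, engagement_id, report_name, report_bytes):
    """Build a multipart POST for DefectDojo's /api/v2/import-scan/ endpoint."""
    boundary = uuid.uuid4().hex
    fields = {
        "scan_type": scan_type,            # must match a parser name known to DefectDojo
        "engagement": str(engagement_id),  # existing engagement that receives the findings
        "minimum_severity": "Info",        # import everything; triage inside DefectDojo
        "active": "true",
        "verified": "false",               # scanner output is unverified until reviewed
    }
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'.encode()
        for k, v in fields.items()
    ]
    parts.append(
        (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
         f'filename="{report_name}"\r\nContent-Type: application/octet-stream\r\n\r\n').encode()
        + report_bytes + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/v2/import-scan/",
        data=b"".join(parts),
        method="POST",
        headers={
            "Authorization": f"Token {token}",
            "Content-Type": f"multipart/form-data; boundary={boundary}",
        },
    )


def main(argv):
    # Usage (assumed): import_scan.py <report file> <scan type> <engagement id>
    report_path, scan_type, engagement_id = argv[1], argv[2], int(argv[3])
    with open(report_path, "rb") as fh:  # a missing report raises and fails the job
        report = fh.read()
    # URL and token come from CI secrets (assumed variable names), never from the repo.
    req = build_import_request(os.environ["DD_URL"], os.environ["DD_API_TOKEN"],
                               scan_type, engagement_id, os.path.basename(report_path), report)
    with urllib.request.urlopen(req, timeout=60) as resp:  # 4xx/5xx raises HTTPError
        print("import-scan returned HTTP", resp.status)


if __name__ == "__main__":
    main(sys.argv)
```

Give the token used here an account limited to importing into the relevant product, so a leaked CI secret cannot read or alter findings elsewhere.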