Integrate CI-driven scans
This document outlines a generic process to integrate Invicti Platform with your CI/CD pipelines (e.g., Jenkins, GitLab CI/CD, Azure Pipelines) to automate web application vulnerability scans. With this integration, you can automatically trigger security scans during your CI/CD workflows to identify and address issues before deployment.
Prerequisites
Ensure the following requirements are met before proceeding with the integration:
- Access to your CI/CD tool (Jenkins, GitLab CI/CD, Azure Pipelines, etc.)
- Docker CLI installed and running
- Invicti Platform account with API Security enabled
- Access to the Invicti Scan CLI Docker image. Refer to our Access Invicti Registries document for more information.
Step 1: Generate an API Token
You need an API token to authenticate the scan requests.
- In Invicti Platform, select your Username > Profile from the left-side menu.
- In the Token field, copy the existing token. If you generate a new token, the previous one will be invalidated.
- Store this token securely, for example as a masked secret variable in your CI/CD tool, rather than committing it to your repository. Your CI/CD script will read it from there.
Step 2: Generate an automated scan script
Invicti Platform provides a tool-specific scan script generator. This script can be adapted for any CI/CD tool.
- Select Integrations from the left-side menu.
- Open the Browse Integrations tab.
- Select any supported integration (e.g., Jenkins) to generate a base script and click Configure.
- Choose the Asset and Scan Profile you want to use.
- Set build failure conditions if needed.
- Click Generate script.
Step 3: Copy and customize the script
- Copy the generated script.
- Replace the INVICTI_API_TOKEN placeholder with your actual API token.
- If needed, adjust environment variables or parameters to fit your CI/CD environment. For a list of all available variables, refer to the linked document.
Generic Docker Run commands for CI/CD scans
This section provides a generic docker run command to execute Invicti DAST scans via the Invicti Scan CLI. This method can be used across all CI/CD platforms that support Docker.
Basic usage
Use the following command to trigger a scan directly via Docker:
docker pull registry.invicti.com/invicti-platform/invicti-scan-cli
This will run the scan using the configured target, agent, and report template. All scan data is stored and viewable in Invicti Platform.
With report volume mount
To retrieve reports locally after the scan completes, use a volume mount:
docker run \
This mounts the local ./publicdata directory into the CLI container, allowing you to retrieve reports post-scan.
Step 4: Embed the script in your CI/CD pipeline
Each CI/CD tool has its own method for embedding shell scripts; adapt the generated script to the job or pipeline syntax of your tool.
Make sure the script runs at the appropriate phase (e.g., post-build, pre-deploy).
Step 5: Run and monitor the pipeline
- Trigger a pipeline run.
- The CI/CD tool will:
  - Pull the Invicti Scan CLI Docker image
  - Run the scan
  - Generate a security report
- Monitor the console/log output.
- Download and review the report if required.
Additional tips
- Schedule regular scans using scheduled pipelines or cron jobs.
- Use environment-specific scan profiles (e.g., staging vs. production).
- Integrate report output into your QA dashboards.
- Enforce policies to block builds if critical vulnerabilities are found.
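The following wrapper script is an added example, not Invicti's generated script, tying the steps above together: it refuses to run with a missing or unreplaced INVICTI_API_TOKEN, pulls the Invicti Scan CLI image, mounts a local report directory, and provides a build-failure check for the policy described in the last tip. The container-side report path /publicdata, the REPORT_DIR override variable, and the `run` argument are assumptions for illustration, not values from the Invicti documentation; how the findings count is extracted from the report depends on the report template you chose.

```shell
#!/bin/sh
# Added example: a portable wrapper for running the Invicti Scan CLI image from
# any CI/CD job. Not Invicti's generated script. Assumed (not from the docs):
# the container-side report path /publicdata, the REPORT_DIR override variable,
# and the "run" argument that starts the scan.

IMAGE="registry.invicti.com/invicti-platform/invicti-scan-cli"
CONTAINER_REPORT_DIR="/publicdata"          # assumption: report path inside the container
REPORT_DIR="${REPORT_DIR:-./publicdata}"    # local directory that receives reports

# Refuse to scan with a missing token or with the INVICTI_API_TOKEN placeholder
# left unreplaced in a generated script (the scan could not authenticate).
check_token() {
  tok="$1"
  if [ -z "$tok" ]; then
    echo "INVICTI_API_TOKEN is not set in the job environment" >&2
    return 1
  fi
  if [ "$tok" = "INVICTI_API_TOKEN" ]; then
    echo "INVICTI_API_TOKEN still holds the placeholder value" >&2
    return 1
  fi
  return 0
}

# Render the docker run command for the job log. The token is passed as
# "-e INVICTI_API_TOKEN" (name only): docker copies the value from the exported
# job environment, so the secret never appears on the command line or in the log.
build_run_cmd() {
  dir="$1"
  printf 'docker run --rm -e INVICTI_API_TOKEN -v %s:%s %s' \
    "$dir" "$CONTAINER_REPORT_DIR" "$IMAGE"
}

# Build-failure policy: returns 0 when the number of findings at or above your
# chosen severity exceeds the allowed maximum, so the caller can fail the build.
# The count itself must be read from the generated report (format depends on the template).
should_fail_build() {
  found="$1"
  max="${2:-0}"
  [ "$found" -gt "$max" ]
}

run_scan() {
  check_token "${INVICTI_API_TOKEN:-}" || return 1
  mkdir -p "$REPORT_DIR"
  abs_dir="$(cd "$REPORT_DIR" && pwd)"
  echo "Running: $(build_run_cmd "$abs_dir")"
  docker pull "$IMAGE"
  docker run --rm -e INVICTI_API_TOKEN -v "$abs_dir:$CONTAINER_REPORT_DIR" "$IMAGE"
}

# Usage from a CI job step, after exporting INVICTI_API_TOKEN as a secret variable:
#   sh invicti-scan.sh run
case "${1:-}" in
  run) run_scan ;;
esac
```

In the pipeline, export the token from your CI/CD tool's secret store (a masked variable in GitLab CI/CD, a credential binding in Jenkins, a secret variable in Azure Pipelines) before the step that calls `sh invicti-scan.sh run`; the script never echoes the token, and passing it by name to `-e` keeps it out of the job log. After the scan, read the findings count from the report in ./publicdata and call `should_fail_build <count> <max>` to make the job fail when your policy is violated.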