Installing a scanner agent via dockerization

This document is for:
Invicti Enterprise On-Premises

If you want to scan a website in a demilitarized zone (DMZ), internal networks that are not publicly accessible, you can install Invicti scan agents in your network.

  • You can install the Invicti Enterprise scan agent on any operating system that has Docker.
  • Using Docker means you don’t need to install redundant files like drivers or operating system kernels, for example. This is an alternative method for installing Invicti Enterprise Scan Agents.

This topic explains how to install Invicti Enterprise scan agent on Windows, Linux or MacOS operating systems using dockerization. Except for the steps for installing Docker (it is out of this topic’s scope), the steps are the same for each operating system.

In this document, for illustration purposes, you may see some Linux images.

Using Invicti Enterprise On-Demand? See Installing a scanner agent via dockerization on Invicti Enterprise On-Demand.

To detect Out of band vulnerabilities via Invicti Hawk, please whitelist the following ports on your agent server: TCP 80 and 443, UDP 53. For further information about Invicti Hawk, see How Invicti Hawk Finds Vulnerabilities.


  • Docker. To find out if your OS has Docker installed, type the following code in the shell: docker -v
  • Install .7z so that you can extract the downloaded .7z installation file.
  • Administrator privileges to run the required commands.

Downloading and Installing the Agent

How to download a Scan Agent in Invicti Enterprise On-Demand
  1. Log in to Invicti Enterprise.
  2. From the main menu, go to Agents > Manage Agents > Configure New Agent.

  • From the Agent section, select Docker to download the Invicti_Enterprise_Scan_Agent.tar file.
How to install a Scan Agent in Invicti Enterprise
  1. Extract the file:
7z x Invicti_Enterprise_Scanner_Docker_Agent.tar

This has a TAR file.

  1. Now, navigate to the extracted file, and run the following command to load the image file:
docker load < InvictiEnterprise_Scan_Agent.tar

After entering the previous command, the system will start to download the image. It may take some time. Once the download is complete, a welcome message is displayed.

  1. Now that the latest version of scan agent’s Docker image is installed, the next step is to boot up a container.
docker run -d --name {container name} --restart=always
-v {log file path in host machine}:/app/Logs/
-e "ApiToken={api token}"
-e "ApiRootUrl={api url}"
-e "AgentName={agent name}"
-e "IgnoreSslCertificateErrors=false"
-e "NhsPort=8080"

The command docker run would boot up a container. This table lists and explains the parameters required to further configure the container.

Parameter Description
-d: This denotes daemon mode. The container will work in the background.
–name : This gives a name to the container.
–restart=always: This makes the container start automatically when the Docker service starts.
-v : The parameters mount a directory in the container with a directory in the host. This setting allows you to see agent reports.
-e: This parameter is used to set the environment variable for the container. The ApiToken, ApiRootUrl and AgentName settings will be used by the scan agent.

AgentName: This can be anything you want. This text will be displayed when you are starting a new Scan. (If you plan to install more than one instance of the agent, make sure you set a unique agentName value for each instance, as it will be needed later.)

ApiToken: In Invicti Enterprise, the Agent Token is displayed in the Configure New Agent window. Copy this value into the apiToken.

ApiRootUrl: This would be the URL of Invicti Enterprise On-Demand or Invicti Enterprise Web On-Premises.

IgnoreSslCertificateErrors: This would ignore any SSL certificate errors on the scan target website.

NhsPort: This port is used for Invicti Helper Service. If the port is already used, please change with any available port.

agent:{tag}: This is the image name from which the container will be created. The name of the image is agent, whereas {tag} is the version number of the image. We use the latest in our case.
How to Get an Agent Token for the Scan Agent

From the main menu go to Agents > Manage Agents > Configure New Agent. In the Agent Token field, select Copy to clipboard ().

  1. You can now execute the following command in order to create a container.

  1. After the command is executed, the container is created. To see the result, you can execute the command below.
docker container ls
  1. The scanner agent container is now installed. You can check its status in Invicti Enterprise. From the Agents menu, select Manage Agents.

Now you can start a scan through the scan agent you just installed. To do that navigate to Scans > New Scan and select a website that agent mode is Internal. Then with other settings that required to start a scan, you can also select which agent would be used to scan the target:

Invicti Help Center

Our Support team is ready to provide you with technical help.

Go to Help Center This will redirect you to the ticketing system.