Scanner Agents

Installing a scanner agent via dockerization

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

If you want to scan a website in a demilitarized zone (DMZ), internal networks that are not publicly accessible, you can install Invicti scanner agents in your network. You can install the Invicti Enterprise scanner agent on any operating system that has Docker. 

Using Docker means you don’t need to install redundant files like drivers or operating system kernels, for example. 

This topic explains how to install the Invicti Enterprise scanner agent on Windows, Linux, or macOS operating systems using dockerization. Except for the steps for installing Docker (it is out of this topic’s scope), the steps are the same for each operating system.

To detect Out of band vulnerabilities via Invicti Hawk, please allowlist the following ports on your agent server: TCP 80 and 443, UDP 53. For further information about Invicti Hawk, see How Invicti Hawk Finds Vulnerabilities.


  • Docker. To find out if your OS has Docker installed, type the following code in the shell: docker -v
  • Install 7z to extract the downloaded 7z installation file.
  • Administrator privileges to run the required commands.

Downloading and installing the agent

You need to download the installation files of the agent to a machine on your internal network.

There are four steps in this process:

  1. Downloading the docker scanner agent
  2. Installing the docker scanner agent
  3. Installing ClamAV for the docker scanner agent (This step is optional.)
  4. Running the docker scanner agent
Step 1. How to download a scanner agent in Invicti Enterprise On-Demand
  1. Log in to Invicti Enterprise.
  2. From the main menu, go to Agents > Manage Agents > Configure New Agent.
  1. From the Agent section, select Docker to download the file.
Step 2. How to install a scanner agent in Invicti Enterprise
  1. Extract the TAR file:
7z x Invicti_Enterprise_Scanner_Docker_Agent.tar

It should contain the following: a TAR file.

  1. Now, navigate to the extracted file, and run the following command to load the image file.
docker load < InvictiEnterprise_Scan_Agent.tar

After entering the said command, the system starts to load the image. It may take some time. Once the load is complete, a welcome message is displayed.

  1. Create a user and a group called “invicti”. These are required, as the docker agent runs with a non-root user. Then, add this new user to the docker group.
groupadd -g 1001 invicti
useradd -u 1001 -r -g 1001 -d /home/invicti -s /bin/bash invicti
mkdir -p /home/invicti 
chown -R invicti:invicti /home/invicti
usermod -aG docker invicti
  1. Switch to the invicti user and create a directory to save the logs persistently in the same path.
su - invicti
mkdir invictiLogs # creates a folder to store agent logs
Step 3. How to install ClamAV for the docker scanner agent

ClamAV is required if you want the Invicti Enterprise docker scanner agent to run malware analysis. If you do not, you can skip the 3rd step.

  1. To pull and run the latest ClamAV image, run the following command:
docker run --name clamav -d -p 3310:3310 clamav/clamav:latest
Step 4. How to run the docker scanner agent
  1. Now that the latest version of the scanner agent’s Docker image is installed, the next step is to run a container.
docker run -d --name {container name} --restart=always \
--volume "$(pwd)/invictiLogs:/app/Logs" \
-e "ApiRootUrl={api url}" \
-e "ApiToken={api token}" \
-e "AgentName={agent name}" \
-e "AgentMode=Scanner" \
-e "IgnoreSslCertificateErrors=false" \
-e "ClamAvServiceAddress={ClamAV container Host IP}" \
-e "ClamAvServicePort=3310" \

The command docker run would boot up a container. This table lists and explains the parameters required to further configure the container.

-d:This denotes daemon mode. The container will work in the background.
–name:This gives a name to the container.
–userThis instructs the container to run with this user.
–restart=always:This makes the container start automatically when the Docker service starts.
–volume:The parameters mount a directory in the container with a directory in the host. This setting allows you to see agent reports.
-e:This parameter is used to set the environment variable for the container. The ApiToken, ApiRootUrl, and AgentName settings will be used by the scanner agent. 
AgentName: This can be anything you want. This text will be displayed when you are starting a new Scan. (If you plan to install more than one instance of the agent, make sure you set a unique agentName value for each instance, as it will be needed later.)
ApiToken: In Invicti Enterprise, the Agent Token is displayed on the Configure New Agent page. Copy this value into the apiToken. (From the main menu, go to Agents > Manage Agents > Configure New Agent. In the Agent Token field, select Copy to clipboard.)
ApiRootUrl: This would be the URL of Invicti Enterprise On-Demand or Invicti Enterprise Web On-Premises.
ScanDataFolderPath: This would be your scan data folder. (This is optional.)
If you want to change the default folder for saving the scan data, add the following parameter before running the container: -e "ScanDataFolderPath={Scan data folder}"\
IgnoreSslCertificateErrors: This would ignore any SSL certificate errors on the scan target website.
ClamAvServiceAddress: This is the IP Address of the ClamAV container host. (This is optional.)
ClamAvServicePort: This is the Port number that ClamAV listens to. (This is optional.)
agent:{tag}:This is the image name from which the container will be created. The name of the image is agent, whereas {tag} is the version number of the image. We use the latest in our case.
  1. You can now execute the following command in order to create a container.
  2. After the command is executed, the container is created. To see the result, you can execute the command below.
docker container ls
  1. The scanner agent container is now installed. You can check its status in Invicti Enterprise. From the Agents menu, select Manage Agents.

Now you can start a scan through the scanner agent you just installed. To do that navigate to Scans > New Scan and select a website the agent mode is Internal. Then with other settings that are required to start a scan, you can also select which agent would be used to scan the target:

Invicti Help Center

Our Support team is ready to provide you with technical help.

Go to Help Center This will redirect you to the ticketing system.