CodeThreat SAST

Invicti ASPM supports CodeThreat as a SAST (Static Application Security Testing) scanner. This guide explains how to activate and configure the CodeThreat integration.

CodeThreat is an AI-powered static application security testing tool that provides vulnerability detection and code analysis.

Prerequisites

Before starting the integration, ensure you have the following information from your CodeThreat account:

Field	Description	Required
Token	API token generated from your CodeThreat account	Yes
Organization Name	Your organization name in CodeThreat	Yes
URL	Your CodeThreat instance URL (e.g., `https://cloud.codethreat.com`)	Yes
Insecure	Skip SSL certificate verification (not recommended for production)	No

How to Get a Token (on CodeThreat Side)

Log in to your CodeThreat instance.
Navigate to Settings or Account section.
Go to API Tokens or Access Management.
Click Generate New Token.
Copy the generated token and save it securely.

Step 1: Navigate to Integrations

From the left sidebar menu, click on Integrations.

Step 2: Select the SAST Tab

On the Integrations page, you will see the Scanners section with multiple tabs. Click on the SAST tab (it is selected by default).

Step 3: Find and Activate CodeThreat

Scroll through the list of SAST scanners to find CodeThreat.

If CodeThreat is not activated, you will see an "Activate" button. Click it to enable the integration.
If CodeThreat is already activated, you will see a toggle switch in the ON position and a "Deactivate" button, along with a gear icon for configuration.

Note: The scan method badge on the CodeThreat card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).

Step 4: Configure Connection Settings

Click on the gear icon on the CodeThreat card to open the configuration panel. Fill in the required fields:

Token: Paste the API token you generated from CodeThreat.
Organization Name: Enter your organization name in CodeThreat.
URL: Enter your CodeThreat instance URL (e.g., https://cloud.codethreat.com).
Insecure: Enable this checkbox only if your CodeThreat instance uses a self-signed SSL certificate.

Step 5: Test the Connection

Click the "Test Connection" button at the bottom of the configuration panel to verify that the provided credentials and URL are correct.

If the connection is successful, the integration is ready to use.
If the connection fails, verify your Token and URL values.
For existing integrations, you can use the "Retest Connection" button at the top of the panel.

Step 6: Advanced Settings (Optional)

Click on "Advanced Settings" to expand additional options:

Setting	Description	Default
Allow team leads to scan this instance	Permits team leads to trigger scans using this CodeThreat instance	Off
Allow team leads to create new instances	Permits team leads to create additional CodeThreat instances	Off

After modifying advanced settings, click "Save Advanced Settings" to apply changes.

Summary

Step	Action
1	Navigate to Integrations from the sidebar
2	Select the SAST tab under Scanners
3	Find CodeThreat and click Activate (if not already active)
4	Click the gear icon and fill in Token, Organization Name, and URL
5	Click Test Connection to verify
6	(Optional) Configure Advanced Settings for team lead permissions

How to Create a Scan

After activating and configuring Code Threat, you can create scans from your project's scanner settings.

Navigate to Project Scanners

Go to your Project page.
Click on the Settings tab.
Select Scanners from the left sidebar.

Add Code Threat Scanner

In the scanner type dropdown, select SAST.
In the scanner dropdown, search for and select Code Threat.
Click the Add button to open the scan configuration drawer.

Scan Configuration Fields

Field	Description	Required
Environment	Select the environment for the scan (optional)	No
Bind to	Select the Code Threat project/scan to bind to	Yes
Branch	Specify the branch to scan	No
Meta Data	Additional metadata for the scan (optional)	No
Scan Tag	Tag to identify the scan (optional)	No

Scheduler

Now: Run the scan immediately after saving.
Custom Date: Schedule the scan for a specific date and time.

Webhook (Optional)

Enable webhook to trigger scans via actions taken on your application lifecycle management tool:

Check the Trigger scans via actions checkbox.
Select the Platform (e.g., GitHub, GitLab, Bitbucket).
Click Generate to create a Secret Key for webhook authentication.

KDT Command

You can also trigger Code Threat scans from your CI/CD pipeline using KDT:

kdt scan -p <project_name> -t codethreat -b <branch_name>

Click Save to create the scan configuration.

Troubleshooting

Connection Fails

Invalid Token: Verify the token is correct and has not expired. Generate a new token from the Code Threat dashboard.
Wrong Organization Name: Ensure the Organization Name matches exactly as it appears in your Code Threat account.
Incorrect URL: Verify the URL is correct (e.g., https://cloud.codethreat.com/ for cloud or your self-hosted URL).
SSL Certificate Issues: If using a self-hosted instance with a self-signed certificate, enable the Insecure checkbox.

Scan Issues

Scan Timeout: Large repositories may take longer to scan. Check the scan status on the Code Threat dashboard.
No Results: Ensure the project language is supported by Code Threat and the repository is accessible.

Best Practices

Use Dedicated API Tokens: Create a separate token for the Invicti ASPM integration rather than using personal tokens.
Rotate Tokens Regularly: Regenerate API tokens periodically to maintain security.
Use HTTPS: Always use HTTPS for the Code Threat URL, especially for self-hosted instances.
Monitor Scan Queue: Check the Code Threat dashboard for scan queue status if scans appear delayed.

Limitations

Cloud vs. Self-Hosted: Configuration settings may differ between Code Threat cloud and self-hosted deployments.
Language Support: Code Threat supports a specific set of programming languages. Check their documentation for the latest supported language list.