Fortify WebInspect DAST/API Integration
Fortify WebInspect (formerly Micro Focus WebInspect, now an OpenText product) is a dynamic application security testing (DAST) tool that scans running web applications and APIs for vulnerabilities. This integration lets Invicti ASPM connect to a WebInspect server and trigger scans, or import existing scan results, through KDT, the Kondukto CLI.
Prerequisites
| Field | Description |
|---|---|
| URL | Base URL of your WebInspect server (e.g., https://webinspect.your-company.com) |
| Username | Username for WebInspect server authentication |
| Password | Password for the WebInspect user account |
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the DAST/API Tab
On the Integrations > Scanners page, click on the DAST/API tab.
Step 3: Find and Activate Fortify WebInspect
Scroll through the list of DAST/API scanners to find Fortify WebInspect.
- If Fortify WebInspect is not activated, you will see an "Activate" button. Click it to enable the integration.
Note: The scan method badge on the Fortify WebInspect card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).
Step 4: Configure Connection Settings
Click the gear icon on the Fortify WebInspect card to open the configuration panel. Fill in the required fields:
- Authentication Type: Select the authentication method (Basic for username/password authentication).
- Username: Enter your WebInspect service account username.
- Password: Enter your WebInspect service account password.
- URL: Enter the base URL of your WebInspect server (e.g., https://webinspect.your-company.com). Use an https URL: Basic authentication sends the password base64-encoded, not encrypted, so the TLS connection is the only thing protecting it.
- Insecure: Enable this checkbox only if your WebInspect instance uses a self-signed or otherwise untrusted certificate. It disables TLS certificate validation entirely, so the integration can no longer distinguish the real server from an impersonator. Prefer adding the server certificate (or its issuing CA) to the trust store of the host that makes the connection and leaving this unchecked.
Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms the credentials are valid.
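Test Connection only confirms that the server accepted the credentials from the Invicti ASPM side. Before enabling the integration it is worth running the same checks from the host that will actually talk to WebInspect, and confirming the TLS trust chain there without reaching for the Insecure checkbox. The script below is an added example, not code from Invicti ASPM or from OpenText/Fortify. It takes the same fields as the configuration panel (URL, Username, Password, Insecure), validates them against the rules in the Best Practices section, and optionally sends one authenticated request to the base URL using a PEM bundle for your internal CA. The `ca_bundle` and `environment` fields, the sample values, and the choice to request only the base URL (this page documents no WebInspect API path) are assumptions.

```python
"""Pre-flight check for the Fortify WebInspect connection settings.

Added example, not Invicti ASPM or OpenText/Fortify code. Mirrors the fields on
the configuration panel and checks them the way the Best Practices section
asks: https only, credentials kept out of the URL, certificate validation left
on unless the environment is explicitly non-production. The live probe trusts
an internal CA through a PEM bundle instead of switching validation off.
"""
import base64
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse


@dataclass
class WebInspectConfig:
    url: str                          # base URL, e.g. https://webinspect.your-company.com
    username: str
    password: str
    insecure: bool = False            # the "Insecure" checkbox on the card
    ca_bundle: Optional[str] = None   # assumed: PEM file holding your internal CA chain
    environment: str = "production"   # assumed: decides whether Insecure is tolerable


def validate_config(cfg: WebInspectConfig) -> List[str]:
    """Return the problems found; an empty list means the settings are acceptable."""
    problems = []
    parsed = urlparse(cfg.url)
    if parsed.scheme != "https":
        problems.append("scheme must be https: Basic auth sends the password base64-encoded, not encrypted")
    if parsed.username or parsed.password:
        problems.append("credentials embedded in the URL; use the Username and Password fields")
    if not parsed.hostname:
        problems.append("URL has no hostname")
    if parsed.path not in ("", "/") or parsed.query:
        problems.append("URL should be the server base URL only, without a path or query")
    if not cfg.username or not cfg.password:
        problems.append("username and password are required for Basic authentication")
    if cfg.insecure and cfg.environment == "production":
        problems.append("Insecure disables certificate validation; trust the server CA instead in production")
    if cfg.insecure and cfg.ca_bundle:
        problems.append("Insecure and ca_bundle together make no sense; drop Insecure")
    return problems


def basic_auth_header(username: str, password: str) -> str:
    """What Basic auth puts on the wire: base64(user:pass), which is why TLS is mandatory."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_ssl_context(cfg: WebInspectConfig) -> ssl.SSLContext:
    """Default validation plus the internal CA if given; CERT_NONE only when Insecure is set."""
    ctx = ssl.create_default_context(cafile=cfg.ca_bundle)
    if cfg.insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(cfg: WebInspectConfig, timeout: float = 5.0) -> Tuple[bool, str]:
    """One authenticated GET to the base URL from the host that will run the scans.

    Returns (server_reached, detail). A 401/403 still counts as reached: the
    network and TLS path work and the problem is the account, which maps to the
    "Invalid credentials" and "403 Forbidden" rows under Troubleshooting.
    """
    req = urllib.request.Request(cfg.url, method="GET")
    req.add_header("Authorization", basic_auth_header(cfg.username, cfg.password))
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=build_ssl_context(cfg)))
    try:
        with opener.open(req, timeout=timeout) as resp:
            return True, f"HTTP {resp.status}"
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            return True, f"HTTP {e.code}: server reached, check the service account and its API permissions"
        return True, f"HTTP {e.code}"
    except urllib.error.URLError as e:
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            return False, (f"TLS validation failed ({e.reason.verify_message}); "
                           "add the server CA to ca_bundle rather than enabling Insecure")
        return False, f"unreachable: {e.reason}"


if __name__ == "__main__":
    # Sample values are constructed for illustration; replace with your own.
    cfg = WebInspectConfig(url="https://webinspect.your-company.com",
                           username="svc-invicti", password="change-me",
                           environment="staging")
    for p in validate_config(cfg):
        print("config:", p)
    print(probe(cfg))
```

Run it on the agent host rather than your workstation: a clean result from a laptop says nothing about whether the host that will execute the scans can reach the server or trusts its certificate.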
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the DAST/API tab |
| 3 | Activate Fortify WebInspect |
| 4 | Enter URL, Username, and Password |
| 5 | Test the connection |
How to Create a Scan
Navigate to Project Scanners
- Open a project in Invicti ASPM.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Fortify WebInspect Scanner
- Select DAST/API as the scanner type.
- Choose Fortify WebInspect from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan | No |
| Settings Name | WebInspect scan settings preset to use | Yes |
| Target URL | Web application URL to scan | Yes |
| Scan Name | Display name for this scan | Yes |
| Branch | Source code branch associated with this scan | No |
| Meta Data | Additional metadata for the scan | No |
| Scan Tag | Tag to identify the scan | No |
Scheduler
Enable the Scheduler toggle to run scans on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
Run the following from a host where KDT is installed and connected; the target URL must be reachable from that host.

```shell
kdt scan -p <project_name> -t webinspect -b <branch_name>
```

Troubleshooting
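In a pipeline the branch name usually comes from the CI environment rather than being typed in, and a ref name that starts with a dash or contains shell metacharacters will either be misparsed as another option or, if someone builds the command as a string, run as shell. The wrapper below is an added example, not Kondukto or Invicti code: it resolves the branch from common CI variables, validates it before it goes on the command line, checks that the `kdt` binary is present (the "Agent/KDT not available" row under Scan Issues), and then runs `kdt` with exactly the flags shown above as an argument list. The CI variable names, exit codes, and dry-run flag are assumptions; no other `kdt` options are used because this page documents none.

```python
"""CI wrapper around the KDT command on this page.

Added example, not Kondukto/Invicti code. The only kdt flags used are the ones
shown above (-p, -t webinspect, -b). The branch comes from an explicit argument
or from common CI variables and is validated before it is placed on the command
line, so a ref name such as "-t other" cannot be mistaken for a second option.
"""
import os
import re
import shutil
import subprocess
import sys
from typing import List, Mapping, Optional

# Git ref alphabet we accept; anything else is refused rather than quoted.
_BRANCH_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


def resolve_branch(env: Mapping[str, str] = os.environ,
                   explicit: Optional[str] = None) -> Optional[str]:
    """Explicit argument first, then GitHub/GitLab variables (assumed names), else None."""
    for candidate in (explicit, env.get("GITHUB_REF_NAME"), env.get("CI_COMMIT_REF_NAME")):
        if candidate:
            return candidate
    return None


def valid_branch(name: Optional[str]) -> bool:
    """Reject names that could be read as an option or that carry injection characters."""
    return bool(name) and _BRANCH_RE.fullmatch(name) is not None


def kdt_scan_args(project: str, branch: str) -> List[str]:
    """argv for subprocess; passing a list keeps the shell out of the picture entirely."""
    if not valid_branch(branch):
        raise ValueError(f"refusing branch name {branch!r}")
    if not project or project.startswith("-"):
        raise ValueError(f"refusing project name {project!r}")
    return ["kdt", "scan", "-p", project, "-t", "webinspect", "-b", branch]


def run_scan(project: str, branch: Optional[str] = None, dry_run: bool = False) -> int:
    """Return an exit code: 2 bad branch, 3 kdt missing, otherwise kdt's own code."""
    branch = resolve_branch(explicit=branch)
    if not valid_branch(branch):
        print(f"no usable branch name ({branch!r}); pass one explicitly", file=sys.stderr)
        return 2
    if shutil.which("kdt") is None:   # "Agent/KDT not available" in Troubleshooting
        print("kdt not found on PATH; install KDT on this agent host", file=sys.stderr)
        return 3
    args = kdt_scan_args(project, branch)
    print("running:", " ".join(args))
    if dry_run:
        return 0
    return subprocess.run(args, check=False).returncode


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: kdt_webinspect_scan.py <project_name> [branch_name]")
    sys.exit(run_scan(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

Pass the branch explicitly when the job runs on a detached HEAD or a merge ref, since the CI variables then carry a name the scan's Branch field would not match.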
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid credentials | Verify the username and password against the WebInspect server |
| URL unreachable | Ensure Invicti ASPM can reach the WebInspect server on the network |
| SSL certificate error | The connecting host does not trust the certificate WebInspect presents. Add the server certificate or its issuing CA to that host's trust store; enable the Insecure toggle only in test environments, since it turns certificate validation off entirely |
| 403 Forbidden | The user account may lack API permissions on the WebInspect server |
Scan Issues
| Issue | Resolution |
|---|---|
| Agent/KDT not available | Ensure the Invicti agent or KDT is installed and connected |
| Target not reachable | Verify the target URL is accessible from the agent host network |
| Empty results | Check that the scan completed successfully in WebInspect before importing results |
Best Practices
- Use a dedicated integration service account with only the WebInspect API permissions the scans need; never reuse a personal account.
- Keep certificate validation enabled in production (leave Insecure unchecked) and trust your internal CA instead; use the Insecure toggle only in test environments.
- Rotate the service account password on a schedule, and immediately when someone who had access to it leaves or changes role.
Limitations
- Requires network access from the Invicti ASPM server to the WebInspect server.
- Basic authentication is the supported authentication method.
- Concurrent scan limits are governed by your WebInspect license.