Invicti Platform DAST/API Integration
Invicti Platform is an enterprise-grade dynamic application security testing (DAST) solution. This integration allows Invicti ASPM to trigger scans, retrieve results, and track vulnerabilities directly from the Invicti Platform scanner.
Prerequisites
| Field | Description |
|---|---|
| Invicti Platform URL | The base URL of your Invicti Platform instance (e.g., https://your-org.invicti.com) |
| API Token | A personal API token generated from your Invicti Platform account |
How to Get an API Token (on Invicti Platform Side)
- Log in to your Invicti Platform instance.
- Click your profile icon in the upper right corner.
- Select API Settings or My Account.
- Navigate to the API Token section.
- Click Generate Token.
- Copy the token immediately — it is shown only once.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the DAST/API Tab
On the Integrations > Scanners page, click on the DAST/API tab.
Step 3: Find and Activate Invicti Platform
Scroll through the list of DAST/API scanners to find Invicti Platform.
- If Invicti Platform is not activated, you will see an "Activate" button. Click it to enable the integration.
Note: The scan method badge on the Invicti Platform card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).
Step 4: Configure Connection Settings
Click on the gear icon on the Invicti Platform card to open the configuration panel. Fill in the required fields:
- Token: Paste the API token generated from your Invicti Platform account.
- URL: Enter your Invicti Platform base URL (default: https://platform.invicti.com).
- Insecure: Enable this checkbox only if your Invicti Platform instance uses a self-signed SSL certificate.
Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms that Invicti ASPM can communicate with your Invicti Platform instance.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the DAST/API tab |
| 3 | Activate the Invicti Platform scanner |
| 4 | Enter URL and API Token |
| 5 | Test the connection |
How to Create a Scan
Navigate to Project Scanners
- Open a project in Invicti ASPM.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Invicti Platform Scanner
- Select DAST/API as the scanner type.
- Choose Invicti Platform from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan | No |
| Bind To | Invicti Platform project to bind to | Yes |
| Profiles | Scan profile to use | No |
| Start Scan | Toggle to trigger the scan immediately | No |
| Branch | Source code branch associated with this scan | No |
| Meta Data | Additional metadata for the scan | No |
| Scan Tag | Tag to identify the scan | No |
Scheduler
Enable the Scheduler toggle to run this scan on a recurring schedule. Configure the frequency (daily, weekly) and time.
Webhook (Optional)
Add a webhook URL to receive scan status notifications when the scan completes or fails.
KDT Command
To trigger scans from a CI/CD pipeline using the KDT CLI:
```shell
kdt scan -p <project_name> -t invicti -b <branch_name>
```
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid API token | Regenerate the token from Invicti Platform and update the settings |
| Wrong URL | Ensure the URL includes the protocol (https://) and no trailing slash |
| SSL certificate error | Verify the Invicti Platform instance uses a valid SSL certificate |
| Network/firewall | Ensure Invicti ASPM can reach the Invicti Platform host on port 443 |
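A CI pre-flight script that applies the "Wrong URL" and "Network/firewall" checks from this table before running the kdt scan command from the KDT Command section. This is an added example, not Kondukto or Invicti code; it assumes the Invicti Platform URL is supplied in an environment variable named INVICTI_URL and that nc is available on the CI runner.

```shell
#!/bin/sh
# Added example, not Kondukto or Invicti code: a CI pre-flight wrapper
# around the KDT command on this page. Before triggering a scan it applies
# the "Wrong URL" checks from the troubleshooting table (https:// scheme,
# no trailing slash) to the Invicti Platform URL and checks that the host
# is reachable on port 443. Only the -p, -t and -b flags shown on the page
# are used. INVICTI_URL is an assumed variable name, not a documented one.

# Return 0 when the URL starts with https:// and has no trailing slash.
validate_invicti_url() {
  case "$1" in
    https://*) ;;
    *) echo "URL must start with https://: $1" >&2; return 1 ;;
  esac
  case "$1" in
    */) echo "URL must not end with a trailing slash: $1" >&2; return 1 ;;
  esac
  return 0
}

# Print the host part of an https:// URL (explicit port and path stripped).
invicti_host() {
  h="${1#https://}"          # drop the scheme
  h="${h%%/*}"               # drop any path
  printf '%s\n' "${h%%:*}"   # drop an explicit port
}

# Print the KDT command line for a project and branch, as documented above.
build_kdt_scan_command() {
  printf 'kdt scan -p %s -t invicti -b %s\n' "$1" "$2"
}

# TCP reachability check on port 443 (assumes nc is installed on the runner).
check_invicti_reachable() {
  nc -z -w 5 "$(invicti_host "$1")" 443
}

# Entry point for the CI job; constructed invocation:
#   INVICTI_URL=https://platform.invicti.com sh ci-scan.sh my-app main
if [ "$#" -eq 2 ]; then
  validate_invicti_url "${INVICTI_URL:-}" || exit 1
  check_invicti_reachable "$INVICTI_URL" || { echo "port 443 unreachable" >&2; exit 1; }
  cmd=$(build_kdt_scan_command "$1" "$2")
  echo "Running: $cmd"
  sh -c "$cmd"
fi
```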
Scan Issues
| Issue | Resolution |
|---|---|
| No scan profiles available | Verify the API token has sufficient permissions to list scan profiles |
| Scan not starting | Check that the target URL is reachable from the Invicti Platform agent |
| Empty results | Confirm the scan completed successfully in the Invicti Platform dashboard |
| Permission denied | Ensure the service account has the required role in Invicti Platform |
Best Practices
- Use a dedicated service account API token rather than a personal user token.
- Rotate the API token every 90 days.
- Always use HTTPS for the Invicti Platform URL.
- Assign the minimum required permissions to the service account.
- Use scan profiles optimized for your application type (web app vs. API).
Limitations
- The integration requires Invicti Platform API access; firewall rules must allow outbound connections from Invicti ASPM.
- Scan profile availability depends on your Invicti Platform subscription tier.
- Rate limits imposed by Invicti Platform's API may affect scan triggering frequency in high-volume environments.
- Only scan results from completed scans are imported; in-progress scan data is not retrieved until the scan finishes.