Rapid7 InsightAppSec DAST/API Integration
Rapid7 InsightAppSec is a cloud-based DAST platform that performs deep, automated scans of web applications to identify exploitable security weaknesses. This integration allows Invicti ASPM to trigger InsightAppSec scans and import vulnerability findings.
Prerequisites
| Field | Description |
|---|---|
| Region | Your Rapid7 Insight Platform region (e.g., us, eu, ap, ca, au) |
| API Key | A Rapid7 Insight Platform API key |
How to Get an API Key (on Rapid7 InsightAppSec Side)
- Log in to the Rapid7 Insight Platform.
- Click your profile icon in the upper right corner.
- Select API Keys from the profile menu.
- Click + New User Key.
- Enter a name for the key and click Generate.
- Copy the API key — it is shown only once.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the DAST/API Tab
On the Integrations > Scanners page, click on the DAST/API tab.
Step 3: Find and Activate Rapid7 InsightAppSec
Scroll through the list of DAST/API scanners to find Rapid7 InsightAppSec.
- If Rapid7 InsightAppSec is not activated, you will see an "Activate" button. Click it to enable the integration.
Note: The scan method badge on the Rapid7 InsightAppSec card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).
Step 4: Configure Connection Settings
Click on the gear icon on the Rapid7 InsightAppSec card to open the configuration panel. Fill in the required fields:
- Token: Paste your Rapid7 InsightAppSec API token.
- URL: Enter your Rapid7 InsightAppSec instance URL.
- Insecure: Enable this checkbox only if your Rapid7 InsightAppSec instance uses a self-signed SSL certificate.
Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms the API key and region are correct.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the DAST/API tab |
| 3 | Activate Rapid7 InsightAppSec |
| 4 | Enter Region and API Key |
| 5 | Test the connection |
How to Create a Scan
Navigate to Project Scanners
- Open a project in Invicti ASPM.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Rapid7 InsightAppSec Scanner
- Select DAST/API as the scanner type.
- Choose Rapid7 InsightAppSec from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan | No |
| Bind To | InsightAppSec project to bind to | Yes |
| Start Scan | Toggle to trigger the scan immediately | No |
| Branch | Source code branch associated with this scan | No |
| Meta Data | Additional metadata for the scan | No |
| Scan Tag | Tag to identify the scan | No |
Scheduler
Enable the Scheduler toggle to run scans on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
```
kdt scan -p <project_name> -t insightappsec -b <branch_name>
```
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid API key | Regenerate the API key from the Rapid7 Insight Platform and update the integration |
| Wrong region | Confirm your account region from the Insight Platform URL (e.g., us.api.insight.rapid7.com) |
| InsightAppSec not activated | Ensure the InsightAppSec product is activated on your Rapid7 subscription |
| Network access | Ensure Invicti ASPM can reach us.api.insight.rapid7.com (or your region endpoint) on port 443 |
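The Region and API Key prerequisites and the three connection-failure rows above (invalid key, wrong region, network access) can be checked from a shell before the integration is configured. The script below is an added example, not part of Invicti ASPM, KDT or Rapid7's tooling. It assumes the regional API host follows the pattern `<region>.api.insight.rapid7.com` (the page shows `us.api.insight.rapid7.com`) and that the Insight Platform answers `GET /validate` with the `X-Api-Key` header for key checks; the key is read from the `INSIGHT_API_KEY` environment variable so it never lands in a command line or shell history. The region list is the one from the Prerequisites table.

```shell
#!/bin/sh
# Pre-flight check for the Rapid7 Insight Platform connection settings (added example,
# not Invicti/KDT code). Assumptions: API host is <region>.api.insight.rapid7.com,
# GET /validate checks the key, and the key is supplied via INSIGHT_API_KEY.

# Regions listed in the Prerequisites table.
INSIGHT_REGIONS="us eu ap ca au"

# insight_endpoint REGION -> prints the regional API host; fails on an unknown region.
insight_endpoint() {
    region=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for r in $INSIGHT_REGIONS; do
        if [ "$r" = "$region" ]; then
            printf '%s.api.insight.rapid7.com\n' "$region"
            return 0
        fi
    done
    printf 'unknown region "%s" (expected one of: %s)\n' "$1" "$INSIGHT_REGIONS" >&2
    return 1
}

# insight_region_from_host HOST -> the region encoded in an Insight API hostname,
# i.e. the "Wrong region" resolution: confirm the region from the platform URL.
insight_region_from_host() {
    case "$1" in
        *.api.insight.rapid7.com) printf '%s\n' "${1%%.*}" ;;
        *) printf 'not an Insight Platform API host: %s\n' "$1" >&2; return 1 ;;
    esac
}

# insight_check_connection REGION -> TCP/TLS reachability on 443, then key validation.
# Needs network access and INSIGHT_API_KEY; this part is not exercised offline.
insight_check_connection() {
    host=$(insight_endpoint "$1") || return 1
    if [ -z "$INSIGHT_API_KEY" ]; then
        echo "INSIGHT_API_KEY is not set" >&2
        return 1
    fi
    # "Network access" row: can we reach the regional endpoint on 443 at all?
    if ! curl -sS --connect-timeout 5 -o /dev/null "https://$host/"; then
        echo "cannot reach $host:443" >&2
        return 1
    fi
    # "Invalid API key" / "Wrong region" rows: a 401/403 here means the key is not
    # accepted by this region's platform (assumed /validate endpoint).
    status=$(curl -sS -o /dev/null -w '%{http_code}' \
        -H "X-Api-Key: $INSIGHT_API_KEY" "https://$host/validate")
    case "$status" in
        200) echo "connection successful: $host" ;;
        401|403) echo "key rejected by $host (HTTP $status): check key and region" >&2; return 1 ;;
        *) echo "unexpected HTTP $status from $host" >&2; return 1 ;;
    esac
}

# Usage: INSIGHT_API_KEY=... sh preflight.sh eu
if [ -n "$1" ]; then
    insight_check_connection "$1"
fi
```

Run it with the same region you intend to enter in the integration settings; a rejected key against one region and an accepted key against another is exactly the region mismatch the Limitations section warns about, and a connect timeout points at the port 443 egress requirement rather than at the key.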
Scan Issues
| Issue | Resolution |
|---|---|
| No apps listed | Verify the API key account has access to the target apps in InsightAppSec |
| Scan config missing | Create a scan configuration in InsightAppSec before triggering scans |
| Scan not starting | Check InsightAppSec engine status and scan slot availability |
| Empty results | Confirm the scan completed in the InsightAppSec dashboard |
Best Practices
- Use a dedicated user API key from a service account rather than a personal account.
- Select the correct region when configuring the integration to avoid authentication failures.
- Rotate the API key annually or upon personnel changes.
- Pre-configure apps and scan configurations in InsightAppSec before using the integration.
- Use scan configurations tailored to the application type (web app, API, microservices).
Limitations
- API keys are region-specific; ensure you select the region that matches your Rapid7 account.
- The InsightAppSec product must be separately subscribed to within the Rapid7 Insight Platform.
- Apps and scan configurations must be created in InsightAppSec before they appear in Invicti ASPM.
- Concurrent scan limits are governed by your InsightAppSec subscription tier and scan engine capacity.
