Webhook Issue Manager - API Reference
This document describes the HTTP API that your custom webhook server must implement for Invicti ASPM to use it as an Issue Manager. Invicti ASPM acts as the client — it sends requests to your server. Your server must expose these endpoints and return the expected responses.
Authentication
Every request from Invicti ASPM includes the following header:
X-Kondukto-Secret: {your-secret-token}
Your server should validate this header on every request and return 403 if it is missing or incorrect.
Endpoint Overview
| Method | Path | Purpose |
|---|---|---|
| GET | /api/v1/test | Test connection — called when clicking Test Connection in ASPM |
| POST | /api/v1/issues | Create a new issue from a vulnerability |
| GET | /api/v1/issues/{id} | Get current state of an issue (used for status sync) |
| PATCH | /api/v1/issues/{id} | Update issue status, severity, or labels |
| PATCH | /api/v1/issues/{id} | Update issue body (re-rendered vulnerability content) |
| POST | /api/v1/issues/{id}/attachments | Add screenshot attachments to an issue |
| GET | /api/v1/issues/{id}/comments | Retrieve comments from an issue (used to read triage commands) |
| POST | /api/v1/issues/{id}/comments | Add comments to an issue |
GET /api/v1/test - Test Connection
Called by Invicti ASPM when the user clicks Test Connection in the integration settings.
Request
curl --location --request GET '{IssueManagerURL}/api/v1/test' \
--header 'X-Kondukto-Secret: {IssueManagerToken}'
Response — 200 OK
{
"connection": true
}
Response — 403 Forbidden (missing header)
{
"message": "missing secret key"
}
POST /api/v1/issues — Create Issue
Called when Invicti ASPM creates a new issue for a vulnerability — either manually by a user or automatically via an Issue Creation Policy.
Request
curl --location --request POST '{IssueManagerURL}/api/v1/issues' \
--header 'Accept: application/json' \
--header 'X-Kondukto-Secret: {IssueManagerToken}' \
--header 'Content-Type: application/json' \
--data-raw '{...payload...}'
Request Payload Structure
The top-level fields describe the issue itself. The vulnerability object contains the vulnerability metadata and scanner-specific details. Inside vulnerability.detail, only the scanner type that discovered the vulnerability will have "ok": true — all others will be present with "ok": false and empty values. See Scanner-Type Payload Examples for full examples per scanner type.
{
"status": "open",
"title": "Vulnerability Name (CWE-400)",
"severity": "medium",
"template_md": "Rendered markdown body of the issue...",
"project_name": "my-project",
"due_date": "2006-01-02T15:04:05Z07:00",
"assignee": {
"username": "dev.user",
"email": "[email protected]"
},
"labels": [
"Bug",
"KONDUKTO"
],
"vulnerability": {
"name": "Vulnerability Name",
"path": "src/file.go",
"fp": false,
"wf": false,
"mitigated": false,
"link": "http://checkmarx.example.com/CxWebClient/ViewerMain.aspx?scanid=1020487",
"cvssv3": {
"score": 6.0,
"vector": ""
},
"detail": {
"cwe": {
"cwe_id": 400,
"name": "Uncontrolled Resource Consumption (Resource Exhaustion)",
"desc": "The software does not properly restrict the size or amount of resources...",
"desc_ext": "",
"parent_id": 399,
"isActive": 0,
"wasc": 0,
"stride": null,
"classification": {
"owasp_2017": {},
"owasp_2021": {},
"pci_dss": {},
"sans": {}
}
},
"tags": ["tag-name-1", "tag-name-2"],
"description": "Additional description of the vulnerability",
"comment": {
"last_edited": "2024-01-15T10:00:00.000Z",
"text": "A comment left on this vulnerability in ASPM"
},
"project": {
"id": "000000000000000000000002",
"name": "my-project",
"team": "default"
},
"scanner": {
"id": "000000000000000000000003",
"name": "checkmarx",
"type": "sast"
},
"scan_parameters": {
"branch": "master",
"manual": false,
"bind_name": "",
"meta_data": "",
"custom": {}
},
"sast": { "ok": true, ... },
"dast": { "ok": false, ... },
"pentest": { "ok": false, ... },
"sca": { "ok": false, ... },
"cs": { "ok": false, ... },
"iac": { "ok": false, ... },
"infra": { "ok": false, ... }
}
}
}
Top-Level Field Reference
| Field | Type | Description |
|---|---|---|
| status | string | Always "open" on creation |
| title | string | Issue title: vulnerability name + CWE ID |
| severity | string | info / low / medium / high / critical |
| template_md | string | Pre-rendered markdown body (same content used in Jira/other trackers) |
| project_name | string | Invicti ASPM project name |
| due_date | string | RFC 3339 remediation deadline |
| assignee.username | string | Assigned user's username in ASPM |
| assignee.email | string | Assigned user's email |
| labels | array of strings | Always includes "KONDUKTO" and "Bug"; may include additional labels |
vulnerability Field Reference
| Field | Type | Description |
|---|---|---|
| name | string | Vulnerability name (without CWE suffix) |
| path | string | Affected file path (SAST/IaC), URL (DAST), or IP (Infrastructure) |
| fp | boolean | true if marked as False Positive |
| wf | boolean | true if marked as Won't Fix |
| mitigated | boolean | true if marked as Mitigated |
| link | string | External link (scanner report URL or CWE reference) |
| cvssv3.score | number | CVSSv3 score |
| cvssv3.vector | string | CVSSv3 vector string |
vulnerability.detail Shared Fields
| Field | Type | Description |
|---|---|---|
| cwe.cwe_id | number | CWE identifier number |
| cwe.name | string | CWE name |
| cwe.desc | string | CWE description |
| cwe.classification.owasp_2017 | object | OWASP Top 10 2017 classification (may be empty) |
| cwe.classification.owasp_2021 | object | OWASP Top 10 2021 classification (may be empty) |
| tags | array of strings | Tag display names assigned to the vulnerability |
| description | string | Additional description of the vulnerability |
| comment.text | string | Last comment on the vulnerability in ASPM |
| comment.last_edited | string | RFC 3339 timestamp of last comment edit |
| project.id | string | ASPM project MongoDB ID |
| project.name | string | ASPM project name |
| project.team | string | Team name assigned to the project |
| scanner.id | string | Scanner MongoDB ID |
| scanner.name | string | Scanner name (e.g., "checkmarx", "invicti") |
| scanner.type | string | Scanner category: "sast", "dast", "sca", "cs", "iac", "infra", "pentest" |
| scan_parameters.branch | string | Source branch scanned |
| scan_parameters.manual | boolean | true if scan was triggered manually |
Response — 201 Created
Your server must return the created issue with an id and a links object so Invicti ASPM can reference it in future requests.
{
"id": "1640249015470395000",
"status": "open",
"title": "Vulnerability Name (CWE-400)",
"labels": ["Bug", "KONDUKTO"],
"links": {
"self": "{IssueManagerURL}/api/v1/issues/1640249015470395000",
"html": "https://your-system.com/issues/1640249015470395000"
}
}
| Response Field | Type | Description |
|---|---|---|
| id | string | Your system's unique identifier for this issue — used in all subsequent requests |
| status | string | Current issue status |
| links.self | string | Full URL to the API endpoint for this issue |
| links.html | string | Browser-accessible URL to the issue in your system |
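The secret check from the Authentication section together with the Test Connection and Create Issue endpoints, as one added Python example of the server core (not Invicti's code or any vendor's): the header is compared in constant time before any routing, the Create Issue payload is validated and answered with the id and links object, and the active scanner block is picked out of vulnerability.detail. The secret, base URL, in-memory store and sample payload are constructed for this example.

```python
import hmac
import json
import time
from typing import Any

# Constructed secret and base URL; the real ones come from the ASPM settings.
SECRET = "example-secret-token"
ISSUE_MANAGER_URL = "https://issues.example.internal"
SCANNER_TYPES = ("sast", "dast", "pentest", "sca", "cs", "iac", "infra")
ISSUES: dict[str, dict[str, Any]] = {}  # in-memory stand-in for the tracker DB


def check_secret(headers: dict[str, str]) -> bool:
    """Validate X-Kondukto-Secret with a constant-time comparison."""
    presented = headers.get("X-Kondukto-Secret", "")
    return hmac.compare_digest(presented.encode(), SECRET.encode())


def active_scanner_block(vulnerability: dict[str, Any]) -> tuple[str, dict[str, Any]]:
    """Return the scanner type and detail block that carry "ok": true.

    Only the scanner that found the vulnerability is marked; the rest are
    present with ok=false. Falls back to detail.scanner.type if none is.
    """
    detail = vulnerability.get("detail", {})
    for scanner_type in SCANNER_TYPES:
        block = detail.get(scanner_type) or {}
        if block.get("ok") is True:
            return scanner_type, block
    return detail.get("scanner", {}).get("type", ""), {}


def create_issue(payload: dict[str, Any]) -> tuple[int, dict[str, Any]]:
    """POST /api/v1/issues: store the issue and build the 201 response."""
    for field in ("status", "title", "severity", "template_md", "vulnerability"):
        if not isinstance(payload, dict) or field not in payload:
            return 400, {"message": f"missing field: {field}"}
    vuln = payload["vulnerability"]
    scanner_type, block = active_scanner_block(vuln)
    issue_id = str(time.time_ns())  # numeric string id, like the page's samples
    ISSUES[issue_id] = {
        "id": issue_id,
        "status": "open",
        "title": payload["title"],
        "severity": payload["severity"],
        "template_md": payload["template_md"],
        "labels": list(payload.get("labels", [])),
        "scanner_type": scanner_type,
        # file for SAST/IaC, otherwise path (URL for DAST, IP for infra)
        "location": block.get("file_name") or vuln.get("path", ""),
    }
    return 201, {
        "id": issue_id,
        "status": "open",
        "title": payload["title"],
        "labels": ISSUES[issue_id]["labels"],
        "links": {
            "self": f"{ISSUE_MANAGER_URL}/api/v1/issues/{issue_id}",
            "html": f"{ISSUE_MANAGER_URL}/issues/{issue_id}",
        },
    }


def handle_request(method: str, path: str, headers: dict[str, str],
                   body: str = "") -> tuple[int, dict[str, Any]]:
    """Dispatch one request from ASPM: secret check first, then the endpoint."""
    if not check_secret(headers):
        return 403, {"message": "missing secret key"}
    if method == "GET" and path == "/api/v1/test":
        return 200, {"connection": True}
    if method == "POST" and path == "/api/v1/issues":
        try:
            payload = json.loads(body)
        except json.JSONDecodeError:
            return 400, {"message": "request body is not valid JSON"}
        return create_issue(payload)
    return 404, {"message": "unknown endpoint"}


# Constructed Create Issue payload, trimmed to the fields this example reads.
SAMPLE_CREATE_PAYLOAD = {
    "status": "open",
    "title": "Vulnerability Name (CWE-400)",
    "severity": "medium",
    "template_md": "Rendered markdown body of the issue...",
    "labels": ["Bug", "KONDUKTO"],
    "vulnerability": {
        "path": "src/file.go",
        "detail": {
            "scanner": {"name": "checkmarx", "type": "sast"},
            "sast": {"ok": True, "file_name": "src/file.go", "line_number": 284},
            "dast": {"ok": False}, "pentest": {"ok": False}, "sca": {"ok": False},
            "cs": {"ok": False}, "iac": {"ok": False}, "infra": {"ok": False},
        },
    },
}
SAMPLE_CREATE_BODY = json.dumps(SAMPLE_CREATE_PAYLOAD)

if __name__ == "__main__":
    print(handle_request("POST", "/api/v1/issues", {"X-Kondukto-Secret": SECRET}, SAMPLE_CREATE_BODY))
```

A real deployment would wrap handle_request in an HTTP framework and persist ISSUES; the dispatch order (secret first, then endpoint) is the part to keep.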
GET /api/v1/issues/{id} — Get Issue
Called periodically by Invicti ASPM to synchronize issue status. Also called immediately after issue creation.
Request
curl --location --request GET '{IssueManagerURL}/api/v1/issues/1640249015470395000' \
--header 'X-Kondukto-Secret: {IssueManagerToken}'
Response — 200 OK
{
"id": "1640249015470395000",
"status": "open",
"title": "Denial_Of_Service_Resource_Exhaustion (CWE-400)",
"severity": "medium",
"template_md": "",
"assignee": {
"email": "",
"username": "dev.user"
},
"labels": [
"Bug",
"KONDUKTO"
],
"created_at": "2024-01-15T10:00:00.000Z",
"closed_at": "0001-01-01T00:00:00Z",
"state_updated_at": "2024-01-15T10:00:00.000Z",
"links": {
"self": "{IssueManagerURL}/api/v1/issues/1640249015470395000",
"html": "{CustomIssueManager_IssueURL}"
}
}
| Response Field | Type | Description |
|---|---|---|
| id | string | Your system's unique identifier for this issue |
| status | string | Current issue status (open, inprogress, closed) |
| severity | string | Current issue severity (info, low, medium, high, critical) |
| created_at | string | RFC 3339 timestamp of issue creation |
| closed_at | string | RFC 3339 timestamp of when the issue was closed (zero value if still open) |
| state_updated_at | string | RFC 3339 timestamp of the last status change — used to track when an issue entered "in progress" |
| links.self | string | Full URL to the API endpoint for this issue |
| links.html | string | Browser-accessible URL to the issue in your system |
PATCH /api/v1/issues/{id} — Update Issue Status
Called when the vulnerability's status, severity, or labels change in Invicti ASPM.
Request
curl --location --request PATCH '{IssueManagerURL}/api/v1/issues/1639981740332776000' \
--header 'Accept: application/json' \
--header 'X-Kondukto-Secret: {IssueManagerToken}' \
--header 'Content-Type: application/json' \
--data-raw '{
"status": "closed",
"severity": "medium",
"labels": ["Bug", "KONDUKTO"]
}'
Request Payload
{
"status": "closed",
"severity": "medium",
"labels": ["Bug", "KONDUKTO"]
}
| Field | Type | Allowed Values |
|---|---|---|
| status | string | open, inprogress, closed |
| severity | string | info, low, medium, high, critical |
| labels | array of strings | Full updated label list |
Response — 200 OK
{
"id": "1640331222914174000",
"status": "closed"
}
PATCH /api/v1/issues/{id} — Update Issue Body
When a subsequent scan detects changes in the vulnerability's technical details (e.g. affected file or line number, HTTP request/response, package versions, CVE, or code snippet), Invicti ASPM re-renders the issue body with the updated information and sends a PATCH request to replace it. The payload contains only the rendered text — not the raw vulnerability object.
Request
curl --location --request PATCH '{IssueManagerURL}/api/v1/issues/1639981740332776000' \
--header 'Accept: application/json' \
--header 'X-Kondukto-Secret: {IssueManagerToken}' \
--header 'Content-Type: application/json' \
--data-raw '{
"body": "Re-rendered markdown body with updated vulnerability details..."
}'
Request Payload
{
"body": "Re-rendered markdown body with updated vulnerability details..."
}
| Field | Type | Description |
|---|---|---|
| body | string | The full re-rendered issue body in markdown format |
Response — 200 OK
{
"message": "body updated successfully"
}
Note: This PATCH is sent separately from the status/severity/labels PATCH. Your server can distinguish between the two by checking which fields are present in the payload.
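One way for the server to tell the two PATCH variants apart by the fields present, validate the allowed values from the tables above, and keep closed_at and state_updated_at the way the Get Issue response describes them. This is an added Python example, not Invicti's code; the stored issue shape, the in-memory update and the timestamps are constructed for it.

```python
from datetime import datetime, timezone
from typing import Any, Optional

ALLOWED_STATUS = ("open", "inprogress", "closed")
ALLOWED_SEVERITY = ("info", "low", "medium", "high", "critical")
ZERO_TIME = "0001-01-01T00:00:00Z"  # closed_at value the page shows while open


def now_rfc3339() -> str:
    """Current UTC time in the millisecond RFC 3339 form used on the page."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def sample_issue() -> dict[str, Any]:
    """Constructed stored issue with the fields the Get Issue response returns."""
    return {
        "id": "1640331222914174000",
        "status": "open",
        "severity": "medium",
        "template_md": "Rendered markdown body of the issue...",
        "labels": ["Bug", "KONDUKTO"],
        "created_at": "2024-01-15T10:00:00.000Z",
        "closed_at": ZERO_TIME,
        "state_updated_at": "2024-01-15T10:00:00.000Z",
    }


def patch_issue(issue: dict[str, Any], payload: dict[str, Any],
                now: Optional[str] = None) -> tuple[int, dict[str, Any]]:
    """Handle both PATCH /api/v1/issues/{id} variants on one stored issue.

    The variants are told apart by the fields present: "body" carries the
    re-rendered issue body; otherwise status/severity/labels are updated.
    """
    now = now or now_rfc3339()
    if "body" in payload:
        if not isinstance(payload["body"], str) or not payload["body"]:
            return 400, {"message": "body must be a non-empty string"}
        issue["template_md"] = payload["body"]
        return 200, {"message": "body updated successfully"}

    status = payload.get("status")
    severity = payload.get("severity")
    labels = payload.get("labels")
    if status is None and severity is None and labels is None:
        return 400, {"message": "payload has neither body nor status/severity/labels"}
    if status is not None and status not in ALLOWED_STATUS:
        return 400, {"message": f"invalid status: {status!r}"}
    if severity is not None and severity not in ALLOWED_SEVERITY:
        return 400, {"message": f"invalid severity: {severity!r}"}
    if labels is not None and not (isinstance(labels, list)
                                   and all(isinstance(x, str) for x in labels)):
        return 400, {"message": "labels must be an array of strings"}

    if status is not None and status != issue["status"]:
        issue["status"] = status
        # ASPM reads state_updated_at to see when the issue changed state (for
        # example entered "inprogress"); closed_at stays the zero value until closed.
        issue["state_updated_at"] = now
        issue["closed_at"] = now if status == "closed" else ZERO_TIME
    if severity is not None:
        issue["severity"] = severity
    if labels is not None:
        issue["labels"] = list(labels)  # payload carries the full label list
    return 200, {"id": issue["id"], "status": issue["status"]}


if __name__ == "__main__":
    issue = sample_issue()
    print(patch_issue(issue, {"status": "inprogress", "severity": "medium",
                              "labels": ["Bug", "KONDUKTO"]}))
    print(patch_issue(issue, {"body": "Re-rendered markdown body..."}))
    print(patch_issue(issue, {"status": "closed"}))
    print(issue["closed_at"], issue["state_updated_at"])
```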
POST /api/v1/issues/{id}/attachments — Add Attachments
Called when Invicti ASPM adds a screenshot or other attachment to an issue.
Request
curl --location --request POST '{IssueManagerURL}/api/v1/issues/1640241035417634000/attachments' \
--header 'Accept: application/json' \
--header 'X-Kondukto-Secret: {IssueManagerToken}' \
--header 'Content-Type: application/json' \
--data-raw '{
"attachments": [
{
"title": "screenshot-1",
"base64_content": "<base64-encoded image bytes>"
}
]
}'
Request Payload
{
"attachments": [
{
"title": "screenshot-1",
"base64_content": "<base64-encoded image bytes>"
},
{
"title": "screenshot-2",
"base64_content": "<base64-encoded image bytes>"
}
]
}
Response — 200 OK
{
"message": "attachments added successfully"
}
GET /api/v1/issues/{id}/comments — Get Comments
Called by Invicti ASPM to read comments from the issue. Comments prefixed with kondukto:, kondukto-fp:, kondukto-wf:, or kondukto-mit: are parsed as triage commands and applied to the linked vulnerability in ASPM.
Request
curl --location --request GET '{IssueManagerURL}/api/v1/issues/1640174964942146000/comments' \
--header 'Accept: application/json' \
--header 'X-Kondukto-Secret: {IssueManagerToken}'
Response — 200 OK
{
"comments": [
{
"created_at": "2021-12-22T15:58:46.779745+03:00",
"body": "Looking into this issue.",
"author": {
"email": "",
"username": "dev.user"
}
},
{
"created_at": "2021-12-22T16:00:52.490011+03:00",
"body": "kondukto: applied input sanitization in PR #142",
"author": {
"email": "[email protected]",
"username": "dev.user"
}
}
]
}
Triage Command Prefixes
Comments with these prefixes trigger automatic updates in Invicti ASPM:
| Comment Prefix | Effect in ASPM |
|---|---|
| kondukto: <text> | Adds a remediation note to the vulnerability |
| kondukto-fp: <reason> | Marks the vulnerability as False Positive |
| kondukto-wf: <reason> | Marks the vulnerability as Won't Fix |
| kondukto-mit: <reason> | Marks the vulnerability as Mitigated |
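The prefix parsing the table describes, reconstructed as an added Python example (not Invicti's implementation) that runs over a GET .../comments response body and folds the commands into the fp/wf/mitigated flags the Create Issue payload carries. Whitespace handling, case sensitivity and the treatment of an empty reason are not specified on the page; they are assumptions, marked in the code, and the sample comments are constructed.

```python
from dataclasses import dataclass
from typing import Any, Optional

# Prefix -> effect, as listed in the Triage Command Prefixes table.
TRIAGE_PREFIXES = {
    "kondukto:": "note",
    "kondukto-fp:": "false_positive",
    "kondukto-wf:": "wont_fix",
    "kondukto-mit:": "mitigated",
}


@dataclass
class TriageCommand:
    effect: str        # one of the values in TRIAGE_PREFIXES
    text: str          # remediation note or reason, prefix removed
    username: str
    created_at: str


def parse_triage_command(comment: dict[str, Any]) -> Optional[TriageCommand]:
    """Return the triage command one comment carries, or None.

    Assumptions not stated on the page: leading whitespace before the prefix
    is ignored, matching is case-sensitive, and a marking command
    (fp/wf/mit) with an empty reason is ignored rather than applied.
    """
    body = str(comment.get("body", "")).lstrip()
    for prefix, effect in TRIAGE_PREFIXES.items():
        if body.startswith(prefix):
            text = body[len(prefix):].strip()
            if effect != "note" and not text:
                return None
            author = comment.get("author") or {}
            return TriageCommand(effect, text, author.get("username", ""),
                                 comment.get("created_at", ""))
    return None


def triage_commands(comments: list[dict[str, Any]]) -> list[TriageCommand]:
    """Extract every triage command from the "comments" array of a response."""
    found = []
    for comment in comments:
        cmd = parse_triage_command(comment)
        if cmd is not None:
            found.append(cmd)
    return found


def apply_commands(commands: list[TriageCommand]) -> dict[str, Any]:
    """Fold commands into the fp/wf/mitigated flags plus the collected notes.

    Assumes a later command does not undo an earlier one; the page does not
    say how conflicting commands are resolved.
    """
    state: dict[str, Any] = {"fp": False, "wf": False, "mitigated": False, "notes": []}
    flag_for = {"false_positive": "fp", "wont_fix": "wf", "mitigated": "mitigated"}
    for cmd in commands:
        if cmd.effect == "note":
            state["notes"].append(cmd.text)
        else:
            state[flag_for[cmd.effect]] = True
    return state


# Constructed comments: the two from the page's sample response, one marking
# command with leading whitespace, and one marking command with no reason.
SAMPLE_COMMENTS = [
    {"created_at": "2021-12-22T15:58:46.779745+03:00", "body": "Looking into this issue.",
     "author": {"email": "", "username": "dev.user"}},
    {"created_at": "2021-12-22T16:00:52.490011+03:00",
     "body": "kondukto: applied input sanitization in PR #142",
     "author": {"email": "", "username": "dev.user"}},
    {"created_at": "2021-12-23T09:12:00.000000+03:00",
     "body": "  kondukto-fp: finding is in test fixtures only",
     "author": {"email": "", "username": "sec.reviewer"}},
    {"created_at": "2021-12-23T09:15:00.000000+03:00", "body": "kondukto-wf:",
     "author": {"email": "", "username": "sec.reviewer"}},
]

if __name__ == "__main__":
    for cmd in triage_commands(SAMPLE_COMMENTS):
        print(cmd)
    print(apply_commands(triage_commands(SAMPLE_COMMENTS)))
```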
POST /api/v1/issues/{id}/comments — Add Comments
Called by Invicti ASPM to post comments to an issue — for example, when adding remediation notes or status update messages during issue synchronization.
Request
curl --location --request POST '{IssueManagerURL}/api/v1/issues/1640174964942146000/comments' \
--header 'Accept: application/json' \
--header 'X-Kondukto-Secret: {IssueManagerToken}' \
--header 'Content-Type: application/json' \
--data-raw '{
"comments": [
{
"body": "Vulnerability status changed to closed in Invicti ASPM."
}
]
}'
Request Payload
{
"comments": [
{
"body": "Vulnerability status changed to closed in Invicti ASPM."
}
]
}
| Field | Type | Description |
|---|---|---|
| comments | array | List of comments to add |
| comments[].body | string | The comment text |
Response — 200 OK
{
"message": "comments added successfully"
}
Scanner-Type Payload Examples
The following shows full Create Issue request payloads for each scanner type. In each example, only the relevant scanner block has "ok": true. All other scanner blocks are included with "ok": false and empty values (they are omitted here for brevity).
SAST Example (Checkmarx)
{
"status": "open",
"title": "Denial_Of_Service_Resource_Exhaustion (CWE-400)",
"severity": "medium",
"template_md": "A **medium** severity vulnerability...",
"project_name": "my-project",
"due_date": "2026-05-01T00:00:00Z",
"assignee": { "username": "dev.user", "email": "[email protected]" },
"labels": ["Bug", "KONDUKTO"],
"vulnerability": {
"name": "Denial_Of_Service_Resource_Exhaustion",
"path": "vendor/github.com/magiconair/properties/load.go",
"fp": false,
"wf": false,
"mitigated": false,
"link": "http://checkmarx.example.com/CxWebClient/ViewerMain.aspx?scanid=1020487",
"cvssv3": { "score": 6.0, "vector": "" },
"detail": {
"cwe": {
"cwe_id": 400,
"name": "Uncontrolled Resource Consumption (Resource Exhaustion)",
"desc": "The software does not properly restrict the size or amount of resources...",
"desc_ext": "",
"parent_id": 399,
"isActive": 0,
"wasc": 0,
"stride": null,
"classification": {
"owasp_2017": {},
"owasp_2021": {},
"pci_dss": {},
"sans": {}
}
},
"tags": [],
"description": "",
"comment": { "last_edited": "2024-01-15T10:00:00.000Z", "text": "" },
"project": { "id": "000000000000000000000002", "name": "my-project", "team": "default" },
"scanner": { "id": "000000000000000000000003", "name": "checkmarx", "type": "sast" },
"scan_parameters": { "branch": "master", "manual": false, "bind_name": "", "meta_data": "", "custom": {} },
"sast": {
"ok": true,
"file_name": "vendor/github.com/magiconair/properties/load.go",
"line_number": 284,
"language": "go",
"code": "for i, b := range buf {",
"code_lines": [
{ "number": 279, "content": "\tswitch enc {\n" },
{ "number": 280, "content": "\tcase utf8Default, UTF8:\n" },
{ "number": 281, "content": "\t\treturn string(buf)\n" },
{ "number": 282, "content": "\tcase ISO_8859_1:\n" },
{ "number": 283, "content": "\t\trunes := make([]rune, len(buf))\n" },
{ "number": 284, "content": "\t\tfor i, b := range buf {\n", "vulnerable": true },
{ "number": 285, "content": "\t\t\trunes[i] = rune(b)\n" },
{ "number": 286, "content": "\t\t}\n" },
{ "number": 287, "content": "\t\treturn string(runes)\n" }
],
"commit_detail": {
"committer_name": "Jane Developer",
"committer": "[email protected]",
"commit_link": "https://gitlab.com/your-org/your-repo/-/commit/abc123def456abc123def456abc123def456abc1",
"commit_no": "abc123def456abc123def456abc123def456abc1",
"snippet": "for i, b := range buf {"
},
"flow": {
"nodes": [
{ "Name": "ReadFile", "Code": "data, err := ioutil.ReadFile(filename)", "Filename": "vendor/github.com/magiconair/properties/load.go", "Line": 94, "Message": "" },
{ "Name": "data", "Code": "return l.loadBytes(data, l.Encoding)", "Filename": "vendor/github.com/magiconair/properties/load.go", "Line": 102, "Message": "" },
{ "Name": "buf", "Code": "for i, b := range buf {", "Filename": "vendor/github.com/magiconair/properties/load.go", "Line": 284, "Message": "" }
]
}
},
"dast": { "ok": false, "plugin": { "id": "", "name": "", "publication_date": "", "modification_date": "" } },
"pentest": { "ok": false },
"sca": { "ok": false, "file_name": "", "license": "", "packages": null, "references": null, "fixed_packages": null },
"cs": { "ok": false },
"iac": { "ok": false, "commit_detail": { "committer_name": "" } },
"infra": { "ok": false, "ip": "", "fqdn": "", "port": "", "protocol": "", "service": "", "os": "", "plugin": { "id": "", "name": "", "publication_date": "", "modification_date": "" }, "cve_id": "", "vpr": "", "exploitable": false, "proof": "" }
}
}
}
SAST field reference:
| Field | Type | Description |
|---|---|---|
| file_name | string | Source file containing the vulnerable code |
| line_number | number | Line number of the vulnerable code |
| language | string | Programming language (e.g., "go", "java", "python") |
| code | string | The vulnerable line of code |
| code_lines | array | Surrounding lines; the vulnerable line includes "vulnerable": true |
| code_lines[].number | number | Line number |
| code_lines[].content | string | Line content |
| code_lines[].vulnerable | boolean | Present and true only on the vulnerable line |
| commit_detail.committer_name | string | Developer who introduced the vulnerability |
| commit_detail.committer | string | Committer email |
| commit_detail.commit_link | string | Link to the commit in the VCS |
| commit_detail.commit_no | string | Full commit hash |
| commit_detail.snippet | string | Short code snippet from the vulnerable line |
| flow.nodes | array | SAST data flow trace from source to sink |
| flow.nodes[].Name | string | Variable or function name at this node |
| flow.nodes[].Code | string | Code at this node |
| flow.nodes[].Filename | string | File containing this node |
| flow.nodes[].Line | number | Line number of this node |
DAST Example (Invicti / OWASP ZAP)
{
"status": "open",
"title": "Cross-Site Scripting (CWE-79)",
"severity": "high",
"template_md": "A **high** severity vulnerability...",
"project_name": "web-app",
"due_date": "2026-05-01T00:00:00Z",
"assignee": { "username": "dev.user", "email": "[email protected]" },
"labels": ["Bug", "KONDUKTO"],
"vulnerability": {
"name": "Cross-Site Scripting",
"path": "https://app.company.com/search",
"fp": false,
"wf": false,
"mitigated": false,
"link": "https://cwe.mitre.org/data/definitions/79.html",
"cvssv3": { "score": 7.2, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" },
"detail": {
"cwe": { "cwe_id": 79, "name": "Improper Neutralization of Input During Web Page Generation", "desc": "...", "classification": { "owasp_2017": {}, "owasp_2021": {} } },
"tags": [],
"description": "",
"comment": { "last_edited": "", "text": "" },
"project": { "id": "000000000000000000000004", "name": "web-app", "team": "frontend" },
"scanner": { "id": "000000000000000000000005", "name": "invicti", "type": "dast" },
"scan_parameters": { "branch": "", "manual": false, "bind_name": "", "meta_data": "", "custom": {} },
"sast": { "ok": false },
"dast": {
"ok": true,
"plugin": {
"id": "10098",
"name": "Cross-Site Scripting (Reflected)",
"publication_date": "2020-01-15",
"modification_date": "2024-06-01"
},
"target": "https://app.company.com/search?q=<script>alert(1)</script>",
"method": "GET",
"endpoint": "/search",
"param": [
{ "name": "q", "value": "<script>alert(1)</script>", "type": "Query" }
],
"http_request": "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1\nHost: app.company.com\nUser-Agent: Mozilla/5.0",
"http_response": "HTTP/1.1 200 OK\nContent-Type: text/html\n\n<html><body>Results for: <script>alert(1)</script></body></html>",
"confidence": "high",
"references": [
"https://owasp.org/www-community/attacks/xss/",
"https://cwe.mitre.org/data/definitions/79.html"
]
},
"pentest": { "ok": false },
"sca": { "ok": false, "file_name": "", "license": "", "packages": null, "references": null, "fixed_packages": null },
"cs": { "ok": false },
"iac": { "ok": false, "commit_detail": { "committer_name": "" } },
"infra": { "ok": false, "ip": "", "fqdn": "", "port": "", "protocol": "", "service": "", "os": "", "plugin": { "id": "", "name": "", "publication_date": "", "modification_date": "" }, "cve_id": "", "vpr": "", "exploitable": false, "proof": "" }
}
}
}
DAST field reference:
| Field | Type | Description |
|---|---|---|
| plugin.id | string | Scanner-specific plugin or check ID |
| plugin.name | string | Plugin or check name |
| plugin.publication_date | string | Date the plugin was first published |
| plugin.modification_date | string | Date the plugin was last modified |
| target | string | Full URL that triggered the vulnerability |
| method | string | HTTP method used (e.g., GET, POST) |
| endpoint | string | The URL path of the affected endpoint |
| param | array | Vulnerable parameters |
| param[].name | string | Parameter name |
| param[].value | string | Parameter value that triggered the finding |
| param[].type | string | Parameter type: Query, Parameter, Header, Cookie, or Body |
| http_request | string | Raw HTTP request that triggered the finding |
| http_response | string | Raw HTTP response from the server |
| confidence | string | Scanner's confidence level for this finding |
| references | array of strings | Related documentation or advisory links |
Pentest Example
{
"status": "open",
"title": "SQL Injection (CWE-89)",
"severity": "critical",
"template_md": "A **critical** severity vulnerability...",
"project_name": "web-app",
"due_date": "2026-05-01T00:00:00Z",
"assignee": { "username": "dev.user", "email": "[email protected]" },
"labels": ["Bug", "KONDUKTO"],
"vulnerability": {
"name": "SQL Injection",
"path": "https://app.company.com/api/users",
"fp": false,
"wf": false,
"mitigated": false,
"link": "https://cwe.mitre.org/data/definitions/89.html",
"cvssv3": { "score": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" },
"detail": {
"cwe": { "cwe_id": 89, "name": "Improper Neutralization of Special Elements used in an SQL Command", "desc": "...", "classification": { "owasp_2017": {}, "owasp_2021": {} } },
"tags": [],
"description": "",
"comment": { "last_edited": "", "text": "" },
"project": { "id": "000000000000000000000004", "name": "web-app", "team": "security" },
"scanner": { "id": "000000000000000000000014", "name": "manual-pentest", "type": "pentest" },
"scan_parameters": { "branch": "", "manual": true, "bind_name": "", "meta_data": "", "custom": {} },
"sast": { "ok": false },
"dast": { "ok": false, "plugin": { "id": "", "name": "", "publication_date": "", "modification_date": "" } },
"pentest": {
"ok": true,
"target": "https://app.company.com/api/users?id=1' OR '1'='1",
"method": "GET",
"param": [
{ "name": "id", "value": "1' OR '1'='1", "type": "Query" }
],
"http_request": "GET /api/users?id=1'%20OR%20'1'%3D'1 HTTP/1.1\nHost: app.company.com",
"http_response": "HTTP/1.1 200 OK\nContent-Type: application/json\n\n[{\"id\":1,\"name\":\"admin\"},{\"id\":2,\"name\":\"user\"}]",
"engagement": "Q1-2026-External-Pentest",
"references": [
"https://owasp.org/www-community/attacks/SQL_Injection"
]
},
"sca": { "ok": false, "file_name": "", "license": "", "packages": null, "references": null, "fixed_packages": null },
"cs": { "ok": false },
"iac": { "ok": false, "commit_detail": { "committer_name": "" } },
"infra": { "ok": false, "ip": "", "fqdn": "", "port": "", "protocol": "", "service": "", "os": "", "plugin": { "id": "", "name": "", "publication_date": "", "modification_date": "" }, "cve_id": "", "vpr": "", "exploitable": false, "proof": "" }
}
}
}
Pentest field reference:
| Field | Type | Description |
|---|---|---|
| target | string | Full URL or resource that was tested |
| method | string | HTTP method used (e.g., GET, POST) |
| param | array | Vulnerable parameters |
| param[].name | string | Parameter name |
| param[].value | string | Parameter value that triggered the finding |
| param[].type | string | Parameter type: Query, Parameter, Header, Cookie, or Body |
| http_request | string | Raw HTTP request used during the test |
| http_response | string | Raw HTTP response from the server |
| engagement | string | Name or identifier of the pentest engagement |
| references | array of strings | Related documentation or advisory links |
SCA Example (Snyk / Mend)
{
"status": "open",
"title": "Prototype Pollution (CWE-1321)",
"severity": "high",
"template_md": "A **high** severity vulnerability...",
"project_name": "node-service",
"due_date": "2026-05-01T00:00:00Z",
"assignee": { "username": "dev.user", "email": "[email protected]" },
"labels": ["Bug", "KONDUKTO"],
"vulnerability": {
"name": "Prototype Pollution",
"path": "package.json",
"fp": false,
"wf": false,
"mitigated": false,
"link": "https://cwe.mitre.org/data/definitions/1321.html",
"cvssv3": { "score": 7.5, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" },
"detail": {
"cwe": { "cwe_id": 1321, "name": "Improperly Controlled Modification of Object Prototype Attributes", "desc": "...", "classification": { "owasp_2017": {}, "owasp_2021": {} } },
"tags": [],
"description": "",
"comment": { "last_edited": "", "text": "" },
"project": { "id": "000000000000000000000006", "name": "node-service", "team": "backend" },
"scanner": { "id": "000000000000000000000007", "name": "snyk", "type": "sca" },
"scan_parameters": { "branch": "main", "manual": false, "bind_name": "", "meta_data": "", "custom": {} },
"sast": { "ok": false },
"dast": { "ok": false, "plugin": { "id": "", "name": "", "publication_date": "", "modification_date": "" } },
"pentest": { "ok": false },
"sca": {
"ok": true,
"cve": "CVE-2021-23337",
"file_name": "package.json",
"license": "MIT",
"reachable": true,
"packages": [
"[email protected]",
"[email protected]"
],
"fixed_packages": [
"[email protected]"
],
"references": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-23337",
"https://security.snyk.io/vuln/SNYK-JS-LODASH-1040724"
]
},
"cs": { "ok": false },
"iac": { "ok": false, "commit_detail": { "committer_name": "" } },
"infra": { "ok": false, "ip": "", "fqdn": "", "port": "", "protocol": "", "service": "", "os": "", "plugin": { "id": "", "name": "", "publication_date": "", "modification_date": "" }, "cve_id": "", "vpr": "", "exploitable": false, "proof": "" }
}
}
}
SCA field reference:
| Field | Type | Description |
|---|---|---|
| cve | string | CVE identifier (e.g., "CVE-2021-23337") |
| file_name | string | Manifest file containing the vulnerable dependency (e.g., package.json, pom.xml, requirements.txt) |
| license | string | License of the affected package |
| reachable | boolean | true if the vulnerable code path is reachable from application code |
| packages | array of strings | Affected package names and versions |
| fixed_packages | array of strings | Package versions in which the vulnerability is patched |
| references | array of strings | CVE, NVD, or advisory links |
Container Security Example (Trivy / Grype)
{
"status": "open",
"title": "Log4Shell (CWE-502)",
"severity": "critical",
"template_md": "A **critical** severity vulnerability...",
"project_name": "payment-service",
"due_date": "2026-05-01T00:00:00Z",
"assignee": { "username": "devops.user", "email": "[email protected]" },
"labels": ["Bug", "KONDUKTO"],
"vulnerability": {
"name": "Log4Shell",
"path": "ubuntu:20.04",
"fp": false,
"wf": false,
"mitigated": false,
"link": "https://cwe.mitre.org/data/definitions/502.html",
"cvssv3": { "score": 10.0, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" },
"detail": {
"cwe": { "cwe_id": 502, "name": "Deserialization of Untrusted Data", "desc": "...", "classification": { "owasp_2017": {}, "owasp_2021": {} } },
"tags": [],
"description": "",
"comment": { "last_edited": "", "text": "" },
"project": { "id": "000000000000000000000008", "name": "payment-service", "team": "platform" },
"scanner": { "id": "000000000000000000000009", "name": "trivy", "type": "cs" },
"scan_parameters": { "branch": "", "manual": false, "bind_name": "payment-service:latest", "meta_data": "", "custom": {} },
"sast": { "ok": false },
"dast": { "ok": false, "plugin": { "id": "", "name": "", "publication_date": "", "modification_date": "" } },
"pentest": { "ok": false },
"sca": { "ok": false, "file_name": "", "license": "", "packages": null, "references": null, "fixed_packages": null },
"cs": {
"ok": true,
"cve": "CVE-2021-44228",
"target": "ubuntu:20.04",
"workload": "deployment/payment-service",
"packages": [
{
"name": "log4j-core",
"installed_version": "2.14.0",
"fixed_version": "2.17.1"
}
],
"references": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
"https://logging.apache.org/log4j/2.x/security.html"
]
},
"iac": { "ok": false, "commit_detail": { "committer_name": "" } },
"infra": { "ok": false, "ip": "", "fqdn": "", "port": "", "protocol": "", "service": "", "os": "", "plugin": { "id": "", "name": "", "publication_date": "", "modification_date": "" }, "cve_id": "", "vpr": "", "exploitable": false, "proof": "" }
}
}
}
Container Security field reference:
| Field | Type | Description |
|---|---|---|
| cve | string | CVE identifier |
| target | string | Container image or OS base image scanned |
| workload | string | Kubernetes workload or deployment associated with the image (e.g., "deployment/payment-service") |
| packages[].name | string | Affected package name |
| packages[].installed_version | string | Currently installed version |
| packages[].fixed_version | string | Version in which the vulnerability is patched |
| references | array of strings | CVE, NVD, or advisory links |
IaC Example (Checkov / Terrascan)
```json
{
  "status": "open",
  "title": "S3 Bucket Publicly Accessible (CWE-732)",
  "severity": "high",
  "template_md": "A **high** severity vulnerability...",
  "project_name": "infra-repo",
  "due_date": "2026-05-01T00:00:00Z",
  "assignee": { "username": "devops.user", "email": "[email protected]" },
  "labels": ["Bug", "KONDUKTO"],
  "vulnerability": {
    "name": "S3 Bucket Publicly Accessible",
    "path": "terraform/s3.tf",
    "fp": false,
    "wf": false,
    "mitigated": false,
    "link": "https://cwe.mitre.org/data/definitions/732.html",
    "cvssv3": { "score": 7.5, "vector": "" },
    "detail": {
      "cwe": { "cwe_id": 732, "name": "Incorrect Permission Assignment for Critical Resource", "desc": "...", "classification": { "owasp_2017": {}, "owasp_2021": {} } },
      "tags": [],
      "description": "",
      "comment": { "last_edited": "", "text": "" },
      "project": { "id": "000000000000000000000010", "name": "infra-repo", "team": "platform" },
      "scanner": { "id": "000000000000000000000011", "name": "checkov", "type": "iac" },
      "scan_parameters": { "branch": "main", "manual": false, "bind_name": "", "meta_data": "", "custom": {} },
      "sast": { "ok": false },
      "dast": { "ok": false, "plugin": { "id": "", "name": "", "publication_date": "", "modification_date": "" } },
      "pentest": { "ok": false },
      "sca": { "ok": false, "file_name": "", "license": "", "packages": null, "references": null, "fixed_packages": null },
      "cs": { "ok": false },
      "iac": {
        "ok": true,
        "file_name": "terraform/s3.tf",
        "line_number": 12,
        "code": "  acl = \"public-read\"",
        "lines": [
          { "number": 10, "content": "resource \"aws_s3_bucket\" \"data\" {\n" },
          { "number": 11, "content": "  bucket = \"company-data\"\n" },
          { "number": 12, "content": "  acl = \"public-read\"\n", "vulnerable": true },
          { "number": 13, "content": "}\n" }
        ],
        "commit_detail": {
          "committer_name": "DevOps Engineer",
          "committer": "[email protected]",
          "commit_link": "https://github.com/org/infra/commit/def456abc",
          "commit_no": "def456abc",
          "snippet": "acl = \"public-read\""
        },
        "references": [
          "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html"
        ]
      },
      "infra": { "ok": false, "ip": "", "fqdn": "", "port": "", "protocol": "", "service": "", "os": "", "plugin": { "id": "", "name": "", "publication_date": "", "modification_date": "" }, "cve_id": "", "vpr": "", "exploitable": false, "proof": "" }
    }
  }
}
```
IaC field reference:
| Field | Type | Description |
|---|---|---|
file_name | string | IaC file containing the misconfiguration |
line_number | number | Line number of the misconfiguration |
code | string | The misconfigured line |
lines | array | Surrounding lines; the misconfigured line includes "vulnerable": true |
commit_detail | object | Same structure as SAST commit_detail |
references | array of strings | Documentation or advisory links for the misconfiguration |
Infrastructure Example (Tenable / Nessus)
```json
{
  "status": "open",
  "title": "SSL Certificate Expired (CWE-295)",
  "severity": "high",
  "template_md": "A **high** severity vulnerability...",
  "project_name": "prod-infrastructure",
  "due_date": "2026-05-01T00:00:00Z",
  "assignee": { "username": "sys.admin", "email": "[email protected]" },
  "labels": ["Bug", "KONDUKTO"],
  "vulnerability": {
    "name": "SSL Certificate Expired",
    "path": "192.0.2.1",
    "fp": false,
    "wf": false,
    "mitigated": false,
    "link": "https://cwe.mitre.org/data/definitions/295.html",
    "cvssv3": { "score": 7.4, "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" },
    "detail": {
      "cwe": { "cwe_id": 295, "name": "Improper Certificate Validation", "desc": "...", "classification": { "owasp_2017": {}, "owasp_2021": {} } },
      "tags": [],
      "description": "",
      "comment": { "last_edited": "", "text": "" },
      "project": { "id": "000000000000000000000012", "name": "prod-infrastructure", "team": "ops" },
      "scanner": { "id": "000000000000000000000013", "name": "nessus", "type": "infra" },
      "scan_parameters": { "branch": "", "manual": false, "bind_name": "", "meta_data": "", "custom": {} },
      "sast": { "ok": false },
      "dast": { "ok": false, "plugin": { "id": "", "name": "", "publication_date": "", "modification_date": "" } },
      "pentest": { "ok": false },
      "sca": { "ok": false, "file_name": "", "license": "", "packages": null, "references": null, "fixed_packages": null },
      "cs": { "ok": false },
      "iac": { "ok": false, "commit_detail": { "committer_name": "" } },
      "infra": {
        "ok": true,
        "ip": "192.0.2.1",
        "fqdn": "api.company.com",
        "dns_name": "api.company.com",
        "net_bios_name": "API-SERVER-01",
        "internal_ip": "10.0.1.50",
        "port": "443",
        "protocol": "tcp",
        "service": "Apache httpd 2.4.41",
        "os": "Ubuntu 20.04 LTS",
        "family": "Web Servers",
        "infra_group": "production-dmz",
        "provider": "aws",
        "ami_id": "ami-0abcdef1234567890",
        "subnet_id": "subnet-0abc123def456789",
        "plugin": {
          "id": "51192",
          "name": "SSL Certificate Cannot Be Trusted",
          "publication_date": "2010-10-24",
          "modification_date": "2024-01-15"
        },
        "cve_id": "",
        "vpr": "7.4",
        "exploitable": true,
        "fixable": true,
        "proof": "The SSL certificate for api.company.com expired on 2026-03-01."
      }
    }
  }
}
```
Infrastructure field reference:
| Field | Type | Description |
|---|---|---|
ip | string | IP address of the affected host |
fqdn | string | Fully qualified domain name |
dns_name | string | DNS name of the host |
net_bios_name | string | NetBIOS name of the host |
internal_ip | string | Internal/private IP address of the host |
port | string | Affected port number |
protocol | string | Network protocol (e.g., "tcp", "udp") |
service | string | Service name and version running on the port |
os | string | Operating system of the host |
family | string | Plugin family or vulnerability category (e.g., "Web Servers") |
infra_group | string | Logical group or network segment the host belongs to |
provider | string | Cloud provider (e.g., "aws", "azure", "gcp") |
ami_id | string | AWS AMI ID of the instance (AWS-specific) |
subnet_id | string | Cloud subnet ID of the instance |
plugin.id | string | Scanner plugin or check ID |
plugin.name | string | Plugin or check name |
plugin.publication_date | string | Date the plugin was first published |
plugin.modification_date | string | Date the plugin was last modified |
cve_id | string | CVE identifier (if applicable) |
vpr | string | Vulnerability Priority Rating score (Tenable-specific) |
exploitable | boolean | Whether the vulnerability is confirmed exploitable |
fixable | boolean | Whether a fix or patch is available for this vulnerability |
proof | string | Evidence string from the scanner |
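As an added example (not code from the Invicti ASPM documentation or from any shipped client), the handler fragment below shows how a custom webhook server can validate the X-Kondukto-Secret header in constant time and normalise both the IaC and the Infrastructure payloads above into one location record by dispatching on whichever detail section carries "ok": true. The payload dicts are constructed, trimmed copies of the two examples, and the expected secret value is a placeholder.

```python
import hmac
from typing import Optional

# Constructed, trimmed copies of the IaC and Infrastructure create-issue payloads shown above.
IAC_PAYLOAD = {"severity": "high", "vulnerability": {"name": "S3 Bucket Publicly Accessible", "detail": {
    "scanner": {"name": "checkov", "type": "iac"}, "sast": {"ok": False}, "infra": {"ok": False},
    "iac": {"ok": True, "file_name": "terraform/s3.tf", "line_number": 12, "lines": [
        {"number": 11, "content": '  bucket = "company-data"\n'},
        {"number": 12, "content": '  acl = "public-read"\n', "vulnerable": True}]}}}}
INFRA_PAYLOAD = {"severity": "high", "vulnerability": {"name": "SSL Certificate Expired", "detail": {
    "scanner": {"name": "nessus", "type": "infra"}, "sast": {"ok": False}, "iac": {"ok": False},
    "infra": {"ok": True, "ip": "192.0.2.1", "port": "443", "protocol": "tcp", "exploitable": True,
              "fixable": True, "proof": "The SSL certificate for api.company.com expired on 2026-03-01."}}}}

DETAIL_KINDS = ("sast", "dast", "pentest", "sca", "cs", "iac", "infra")


def secret_is_valid(headers: dict, expected: str) -> bool:
    """Check X-Kondukto-Secret in constant time; a missing header fails (answer with 403)."""
    supplied = headers.get("X-Kondukto-Secret", "")
    return bool(supplied) and hmac.compare_digest(supplied.encode(), expected.encode())


def active_detail(detail: dict) -> Optional[str]:
    """Exactly one detail section carries 'ok': true; return its key, or None if that does not hold."""
    active = [k for k in DETAIL_KINDS if detail.get(k, {}).get("ok") is True]
    return active[0] if len(active) == 1 else None


def summarize_location(payload: dict) -> dict:
    """Normalise the scanner-specific section into a record the issue tracker can display."""
    vuln = payload["vulnerability"]
    kind = active_detail(vuln["detail"])
    out = {"kind": kind, "name": vuln["name"], "severity": payload["severity"]}
    if kind == "iac":
        iac = vuln["detail"]["iac"]
        out["where"] = f"{iac['file_name']}:{iac['line_number']}"
        # Prefer the line flagged "vulnerable": true; fall back to the "code" field.
        flagged = [ln["content"].strip() for ln in iac.get("lines", []) if ln.get("vulnerable")]
        out["evidence"] = flagged[0] if flagged else iac.get("code", "").strip()
    elif kind == "infra":
        infra = vuln["detail"]["infra"]
        out["where"] = f"{infra['ip']}:{infra['port']}/{infra['protocol']}"
        out["evidence"] = infra.get("proof", "")
        out["exploitable"] = bool(infra.get("exploitable"))
    else:
        out["where"] = vuln.get("path", "")
        out["evidence"] = ""
    return out
```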