Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)
AppSpider Pro DAST/API Integration
AppSpider Pro (by Rapid7) is a dynamic application security testing tool that crawls and attacks web applications to identify exploitable vulnerabilities. This integration allows Invicti AppSec to trigger AppSpider Pro scans and import findings.
Prerequisites
| Field | Description |
|---|---|
| AppSpider Pro URL | The URL of your AppSpider Pro instance (e.g., https://appscan.your-company.com) |
| Username | AppSpider Pro account username |
| Password | AppSpider Pro account password |
Get Credentials (on AppSpider Pro Side)
- Contact your AppSpider Pro administrator for a service account with API access.
- The administrator creates the account via Administration > Users in the AppSpider Enterprise console.
- Assign the Scan Manager or Administrator role to enable scan creation and result retrieval via API.
- Use the provided username and password in the integration configuration.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.

Step 2: Select the DAST/API Tab
On the Integrations > Scanners page, click on the DAST/API tab.

Step 3: Find and Activate AppSpider Pro
Scroll through the list of DAST/API scanners to find AppSpider Pro.
- If AppSpider Pro is not activated, you will see an "Activate" button. Click it to enable the integration.
The scan method badge on the AppSpider Pro card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).
Step 4: Configure Connection Settings
Click on the gear icon on the AppSpider Pro card to open the configuration panel. Fill in the required fields:
- Authentication Type: Select the authentication method (Basic for username/password or Token for API token).
- Username (Basic auth): Enter the service account username.
- Password (Basic auth): Enter the service account password.
- Token (Token auth): Enter the API token.
- URL: Enter your AppSpider Pro server URL (e.g., https://appscan.your-company.com).
- Insecure: Enable this checkbox only if your AppSpider Pro instance uses a self-signed SSL certificate.

Step 5: Test the Connection
Click Test Connection. A green "Connection successful" message confirms that Invicti AppSec authenticated to AppSpider Pro with the configured credentials.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the DAST/API tab |
| 3 | Activate AppSpider Pro |
| 4 | Enter URL, Username, and Password |
| 5 | Test the connection |
Create a Scan
Navigate to Project Scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add AppSpider Pro Scanner
- Select DAST/API as the scanner type.
- Choose AppSpider Pro from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan | No |
| Preset | AppSpider scan preset configuration to use | Yes |
| Macro | Login or workflow macro to attach to the scan | No |
| Branch | Source code branch associated with this scan | No |
| Meta Data | Additional metadata for the scan | No |
| Scan Tag | Tag to identify the scan | No |

Scheduler
Enable the Scheduler toggle to run scans on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
```
kdt scan -p <project_name> -t appspider -b <branch_name>
```
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid credentials | Verify the username and password with your AppSpider administrator |
| Wrong server URL | Confirm the AppSpider Pro server address and ensure it includes https:// |
| SSL certificate error | Ensure the server uses a valid SSL certificate or configure trust for the CA |
| Firewall block | Open the required port (typically 443) between Invicti AppSec and AppSpider Pro |
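The following pre-flight script is an added example, not part of the Invicti AppSec or Kondukto tooling. It applies the checks from the Connection Fails table above before running the KDT command from the KDT Command section: the URL must start with https://, and the server is probed with curl without the insecure flag, so a self-signed or untrusted certificate fails exactly as it would with the Insecure checkbox left off. The environment variable names (APPSPIDER_URL, KDT_PROJECT, KDT_BRANCH) and the RUN_PREFLIGHT switch are assumptions for this example; curl and kdt are assumed to be on PATH.

```shell
#!/bin/sh
# Pre-flight connection check for the AppSpider Pro integration (constructed example).
# Assumed environment variables: APPSPIDER_URL, KDT_PROJECT, KDT_BRANCH.
# Set RUN_PREFLIGHT=1 to execute the live probe and scan; functions alone have no side effects.

# Return 0 only when the URL uses https://; plain http or a missing scheme is rejected,
# matching the "Wrong server URL" row of the troubleshooting table.
check_https_url() {
  case "$1" in
    https://?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Probe the server without --insecure, so an untrusted certificate fails here just as it
# would in the integration. Prints curl's exit code instead of aborting so callers can classify it.
probe_tls_endpoint() {
  rc=0
  curl --silent --output /dev/null --max-time 10 "$1" 2>/dev/null || rc=$?
  echo "$rc"
}

# Map a curl exit code to the resolution categories used in the troubleshooting table.
explain_curl_exit() {
  case "$1" in
    0)     echo "reachable: TLS handshake completed with a trusted certificate" ;;
    6)     echo "DNS failure: confirm the AppSpider Pro server address" ;;
    7|28)  echo "no connection or timeout: open port 443 between Invicti AppSec and AppSpider Pro" ;;
    35|60) echo "certificate error: install a valid certificate or configure trust for the CA" ;;
    *)     echo "curl exit code $1: see curl(1) for details" ;;
  esac
}

# Run the KDT command from this page once the pre-flight checks pass.
run_appspider_scan() {
  kdt scan -p "$KDT_PROJECT" -t appspider -b "$KDT_BRANCH"
}

# Full sequence: scheme check, TLS probe, then the scan. Returns 1 (no scan) on any failure.
preflight_and_scan() {
  url="$1"
  if ! check_https_url "$url"; then
    echo "refusing to continue: $url does not start with https://" >&2
    return 1
  fi
  rc="$(probe_tls_endpoint "$url")"
  echo "$url -> $(explain_curl_exit "$rc")"
  [ "$rc" -eq 0 ] || return 1
  run_appspider_scan
}

if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then
  preflight_and_scan "${APPSPIDER_URL:?set APPSPIDER_URL to the AppSpider Pro server URL}"
fi
```

Running it with `RUN_PREFLIGHT=1 APPSPIDER_URL=https://appscan.your-company.com KDT_PROJECT=<project_name> KDT_BRANCH=<branch_name> sh preflight.sh` prints one line classifying the connection result and only invokes `kdt scan` when the certificate is trusted by the local CA store; a curl exit of 60 is the same condition that the Insecure checkbox would silence, so seeing it here is a signal to install a proper certificate or trust the CA rather than to enable that checkbox.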
Scan Issues
| Issue | Resolution |
|---|---|
| No scan configurations listed | Ensure the service account has access to the target configurations |
| Scan not starting | Verify AppSpider scan engines are running and available |
| Empty results | Check that the scan completed in AppSpider and the report is available |
| Access denied | Ensure the account has the Scan Manager or Administrator role |
Best Practices
- Create a dedicated service account for the integration with only the required permissions.
- Use HTTPS for all AppSpider Pro API communications.
- Rotate credentials periodically and update the integration settings.
- Pre-configure scan configurations in AppSpider Pro to ensure consistent scanning behavior.
- Review and tune crawl configurations to cover all relevant application entry points.
Limitations
- AppSpider Pro must be accessible from the Invicti AppSec network.
- Concurrent scan capacity is limited by the AppSpider Pro license and available scan engines.
- Scan configurations must be pre-created in AppSpider Pro; they cannot be created from the Invicti AppSec integration.
- Username/password authentication is used; API token authentication is not supported.