Package: Invicti AppSec Enterprise (on-premise, on-demand)
CodeThreat SAST Integration
Invicti AppSec supports CodeThreat as a SAST (Static Application Security Testing) scanner. This guide explains how to activate and configure the CodeThreat integration.
CodeThreat is an AI-powered static application security testing tool that provides vulnerability detection and code analysis.
Prerequisites
Before starting the integration, ensure you have the following information from your CodeThreat account:
| Field | Description | Required |
|---|---|---|
| Token | API token generated from your CodeThreat account | Yes |
| Organization Name | Your organization name in CodeThreat | Yes |
| URL | Your CodeThreat instance URL (e.g., https://cloud.codethreat.com) | Yes |
| Insecure | Skip SSL certificate verification (not recommended for production) | No |
Get a Token (on CodeThreat Side)
- Log in to your CodeThreat instance.
- Navigate to Settings or Account section.
- Go to API Tokens or Access Management.
- Click Generate New Token.
- Copy the generated token and save it securely.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the SAST Tab
On the Integrations page, you will see the Scanners section with multiple tabs. Click on the SAST tab (it is selected by default).

Step 3: Find and Activate CodeThreat
Scroll through the list of SAST scanners to find CodeThreat.
- If CodeThreat is not activated, you will see an "Activate" button. Click it to enable the integration.
- If CodeThreat is already activated, you will see a toggle switch in the ON position and a "Deactivate" button, along with a gear icon for configuration.
The scan method badge on the CodeThreat card shows KDT, which means scans are triggered through the Invicti AppSec CLI tool (KDT).
Step 4: Configure Connection Settings
Click on the gear icon on the CodeThreat card to open the configuration panel. Fill in the required fields:
- Token: Paste the API token you generated from CodeThreat.
- Organization Name: Enter your organization name in CodeThreat.
- URL: Enter your CodeThreat instance URL (e.g., https://cloud.codethreat.com).
- Insecure: Enable this checkbox only if your CodeThreat instance uses a self-signed SSL certificate; it skips certificate verification and is not recommended for production.

Step 5: Test the Connection
Click the "Test Connection" button at the bottom of the configuration panel to verify that the provided credentials and URL are correct.
- If the connection is successful, the integration is ready to use.
- If the connection fails, verify your Token and URL values.
- For existing integrations, you can use the "Retest Connection" button at the top of the panel.
Step 6: Advanced Settings (Optional)
Click on "Advanced Settings" to expand additional options:
| Setting | Description | Default |
|---|---|---|
| Allow team leads to scan this instance | Permits team leads to trigger scans using this CodeThreat instance | Off |
| Allow team leads to create new instances | Permits team leads to create additional CodeThreat instances | Off |
After modifying advanced settings, click "Save Advanced Settings" to apply changes.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the SAST tab under Scanners |
| 3 | Find CodeThreat and click Activate (if not already active) |
| 4 | Click the gear icon and fill in Token, Organization Name, and URL |
| 5 | Click Test Connection to verify |
| 6 | (Optional) Configure Advanced Settings for team lead permissions |
Create a Scan
After activating and configuring CodeThreat, you can create scans from your project's scanner settings.
Navigate to Project Scanners
- Go to your Project page.
- Click on the Settings tab.
- Select Scanners from the left sidebar.
Add CodeThreat Scanner
- In the scanner type dropdown, select SAST.
- In the scanner dropdown, search for and select CodeThreat.
- Click the Add button to open the scan configuration drawer.

Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan (optional) | No |
| Bind to | Select the CodeThreat project/scan to bind to | Yes |
| Branch | Specify the branch to scan | No |
| Meta Data | Additional metadata for the scan (optional) | No |
| Scan Tag | Tag to identify the scan (optional) | No |
Scheduler
- Now: Run the scan immediately after saving.
- Custom Date: Schedule the scan for a specific date and time.
Webhook (Optional)
Enable the webhook to trigger scans from actions taken in your application lifecycle management tool:
- Check the Trigger scans via actions checkbox.
- Select the Platform (e.g., GitHub, GitLab, Bitbucket).
- Click Generate to create a Secret Key for webhook authentication.
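The page does not describe how Invicti uses the generated Secret Key internally. The added example below (not Invicti's or CodeThreat's code) shows what a webhook receiver has to check before letting such an event trigger a scan: GitHub's documented `X-Hub-Signature-256` HMAC-SHA256 header computed over the raw body, and GitLab's documented `X-Gitlab-Token` header carrying the secret verbatim, both compared in constant time, plus extraction of the Branch value from the pushed ref. The secret and the push payload are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed values for this example: a secret like the one "Generate" creates,
# and a minimal GitHub-style push payload naming the branch to scan.
SECRET_KEY = b"constructed-demo-secret-key"
SAMPLE_PUSH_BODY = b'{"ref":"refs/heads/main","repository":{"full_name":"example/app"}}'

def _header(headers: dict, name: str) -> str:
    # HTTP header names are case-insensitive; match them lower-cased.
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def github_signature(secret: bytes, body: bytes) -> str:
    # GitHub sends X-Hub-Signature-256 as "sha256=" + hex(HMAC-SHA256(secret, raw body)).
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_github(secret: bytes, body: bytes, headers: dict) -> bool:
    # Recompute over the exact raw bytes received and compare in constant time,
    # so a tampered body or a forged header fails without leaking where it differs.
    received = _header(headers, "X-Hub-Signature-256")
    if not received.startswith("sha256="):
        return False
    return hmac.compare_digest(github_signature(secret, body), received)

def verify_gitlab(secret: bytes, headers: dict) -> bool:
    # GitLab sends the configured secret verbatim in X-Gitlab-Token; still
    # use a constant-time comparison rather than ==.
    return hmac.compare_digest(secret, _header(headers, "X-Gitlab-Token").encode())

def branch_from_push(body: bytes) -> str:
    # The pushed ref "refs/heads/<branch>" supplies the Branch value for the scan.
    ref = json.loads(body).get("ref", "")
    return ref[len("refs/heads/"):] if ref.startswith("refs/heads/") else ""

def scan_branch_for_event(platform: str, secret: bytes, body: bytes, headers: dict) -> str:
    # Return the branch to scan, or "" when the webhook fails authentication.
    if platform == "GitHub":
        ok = verify_github(secret, body, headers)
    elif platform == "GitLab":
        ok = verify_gitlab(secret, headers)
    else:
        ok = False  # Bitbucket's scheme is not covered by this example
    return branch_from_push(body) if ok else ""

if __name__ == "__main__":
    signed = {"X-Hub-Signature-256": github_signature(SECRET_KEY, SAMPLE_PUSH_BODY)}
    print(scan_branch_for_event("GitHub", SECRET_KEY, SAMPLE_PUSH_BODY, signed))
    print(scan_branch_for_event("GitHub", b"wrong-secret", SAMPLE_PUSH_BODY, signed) or "rejected")
```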
KDT Command
You can also trigger CodeThreat scans from your CI/CD pipeline using KDT:

```
kdt scan -p <project_name> -t codethreat -b <branch_name>
```
Click Save to create the scan configuration.
Troubleshooting
Connection Fails
- Invalid Token: Verify the token is correct and has not expired. Generate a new token from the CodeThreat dashboard.
- Wrong Organization Name: Ensure the Organization Name matches exactly as it appears in your CodeThreat account.
- Incorrect URL: Verify the URL is correct (e.g., https://cloud.codethreat.com/ for cloud, or your self-hosted URL).
- SSL Certificate Issues: If using a self-hosted instance with a self-signed certificate, enable the Insecure checkbox (this skips certificate verification and is not recommended for production).
Scan Issues
- Scan Timeout: Large repositories may take longer to scan. Check the scan status on the CodeThreat dashboard.
- No Results: Ensure the project language is supported by CodeThreat and the repository is accessible.
Best Practices
- Use Dedicated API Tokens: Create a separate token for the Invicti AppSec integration rather than using personal tokens.
- Rotate Tokens Regularly: Regenerate API tokens periodically to maintain security.
- Use HTTPS: Always use HTTPS for the CodeThreat URL, especially for self-hosted instances.
- Monitor Scan Queue: Check the CodeThreat dashboard for scan queue status if scans appear delayed.
Limitations
- Cloud vs. Self-Hosted: Configuration settings may differ between CodeThreat cloud and self-hosted deployments.
- Language Support: CodeThreat supports a specific set of programming languages. Check their documentation for the latest supported language list.
Need help?
The Invicti Support team is ready to provide you with technical help. Go to the Help Center.