Availability - Package: Invicti AppSec Core (on-demand)

Configure target issue tracking

Decide which vulnerabilities Invicti AppSec opens as issues for a specific target, who handles those issues, and how fixes are validated when the issues close. This document explains how to connect a target to an issue manager like Jira, schedule a validation scan that confirms fixes when issues close, set a default assignee, and filter which findings become issues.

Why this matters

Without target-level issue tracking, every finding ends up in a generic inbox - usually whoever holds the integration token - and never reaches the developer who wrote the code. Connecting each target to the right issue manager project, then pointing assignment at a real owner, sends each vulnerability to someone who can act on it. Filtering which findings open issues prevents noise, and validation scans close the loop so a "fixed" issue actually means a fixed vulnerability.

Prerequisites

Before you configure issue tracking for a target, make sure you have:

  • Activated at least one issue manager under Integrations (see Integrations overview).
  • Permission to edit the target's settings.

Connect a target to an issue manager

The Settings sub-tab inside Issue assignment is where you connect the target to a specific issue manager project and decide how Invicti AppSec creates issues there.

  1. Select Inventory > Targets from the left-side menu.
  2. Click the target name to open the target dashboard.
  3. Select the Settings tab, then select Issue assignment from the left sidebar.
  4. On the Settings sub-tab, choose an issue manager from the Issue manager dropdown - for example, Jira. The fields below the dropdown change to match the selected manager.
  5. Fill in the required connection fields. For Jira:
    • Instance: the connected Jira instance.
    • Project key: the Jira project that will receive issues from this target.
    • Issue type: the Jira issue type Invicti AppSec creates (for example, Bug or Task).
  6. (Optional) Configure any project-specific fields that appear under Optional fields. The set depends on how the issue manager project is configured - for example, a Jira project might surface Team, Fields, and Project components, while another project surfaces a different set. Use these to tag each issue with project-relevant metadata.
  7. (Optional) Configure any of the behavior toggles. These appear regardless of project setup, though some labels (such as "Use custom labels on Jira") reflect the selected issue manager:
    • Assign custom issue state mapping: when enabled, choose the issue manager states Invicti AppSec uses for opening, in progress, and closing an issue. Make sure the three states are linked to each other in the issue manager's workflow - for Jira, the transitions between them must exist - otherwise Invicti AppSec can't move an issue from one state to the next.
    • Define resolutions to close issues: choose which issue manager resolutions count as closure for the linked vulnerability.
    • Use custom labels on Jira: add your own labels to issues Invicti AppSec creates in Jira.
    • Custom issue template: customize the title and body Invicti AppSec uses when it creates an issue.
    • Push flags on Invicti as labels: push Invicti AppSec vulnerability flags (for example, False Positive or Acceptable Risk) to the linked issue as labels.
  8. Click Save at the bottom of the page.
Note: Field names and toggles depend on the selected issue manager. Other managers (such as GitHub Issues or Azure DevOps) show the equivalent fields for their platform - the pattern is the same: required connection fields, then optional fields and behavior toggles.

Verify fixes with validation scans

A validation scan re-scans the target after an issue closes in the issue manager, so Invicti AppSec can confirm the underlying vulnerability is actually fixed before marking it Closed.

  1. From the target's Issue assignment page, select the Automation sub-tab.
  2. In the Validation scan section, toggle the option on.
  3. Choose how the scan triggers:
    • Each time an issue gets closed: Invicti AppSec runs a validation scan immediately whenever an issue is marked closed in the issue manager. Best for low-volume targets where you want fast confirmation.
    • Wait until specific time of day to check if one or more issues have been closed: Invicti AppSec waits until a scheduled time, then checks for issues that closed during the day and runs one validation scan to cover them. Best for high-volume targets, or when scans are expensive and you want to batch them.
  4. Click Save at the bottom of the page.

Set a target's default issue assignee

The Automation sub-tab is where you decide who receives each issue Invicti AppSec opens for the target.

  1. From the target's Issue assignment page, select the Automation sub-tab.
  2. In the Assign to section, configure:
    • Committer when committer is known: when you enable this option, Invicti AppSec first tries to assign each issue to the committer reported by the source code platform. If it can't resolve a committer, the issue falls back to the user in the Specific user field.
    • Specific user: choose the user who receives issues when the committer is unknown. If the team that owns this target has an Issue responsible configured, the user you select here supersedes that team-level setting. The user must hold an active Invicti AppSec license to appear in the dropdown.
  3. Click Save at the bottom of the page.

Issue assignment hierarchy

When you configure more than one assignee option, Invicti AppSec follows this priority order:

  1. Committer of the vulnerability: receives the issue when the committer is known and the option is enabled.
  2. Specific user: the user selected in the Assign to section.
  3. Issue responsible for the team: the user marked as issue responsible inside the team that owns the target.
  4. Token owner: if none of the above apply, Invicti AppSec assigns the issue to the owner of the token generated on the issue manager.
Info: The hierarchy only matters when more than one level is configured. Each level acts as a fallback if Invicti AppSec can't resolve the previous one.
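
The fallback order above, modelled as an added example (not Invicti AppSec code or its API): the function returns the resolved assignee, the level that resolved, and the reason each higher level was skipped. The class, field names and the `token-owner` placeholder are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TargetAssignment:
    """Constructed model of one target's assignment settings (names are assumptions)."""
    committer_enabled: bool = False               # "Committer when committer is known"
    specific_user: Optional[str] = None           # "Specific user" on the target
    team_issue_responsible: Optional[str] = None  # team-level "Issue responsible"
    token_owner: str = "token-owner"              # placeholder for the integration token owner


def resolve_assignee(cfg: TargetAssignment,
                     committer: Optional[str]) -> Tuple[str, str, List[str]]:
    """Return (assignee, level, skipped); skipped lists why higher levels did not resolve."""
    skipped: List[str] = []
    # Level 1: committer, only when the option is on AND the scan source reported one.
    if not cfg.committer_enabled:
        skipped.append("committer: option disabled")
    elif not committer:
        skipped.append("committer: scan source reported no committer")
    else:
        return committer, "committer", skipped
    # Level 2: the target's Specific user supersedes the team-level setting.
    if cfg.specific_user:
        return cfg.specific_user, "specific user", skipped
    skipped.append("specific user: none selected")
    # Level 3: the owning team's Issue responsible.
    if cfg.team_issue_responsible:
        return cfg.team_issue_responsible, "issue responsible", skipped
    skipped.append("issue responsible: none configured for the team")
    # Level 4: last fallback.
    return cfg.token_owner, "token owner", skipped


if __name__ == "__main__":
    # Constructed case: committer option on, but an import flow carried no committer data.
    cfg = TargetAssignment(committer_enabled=True, team_issue_responsible="dana")
    print(resolve_assignee(cfg, committer=None))
```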

Decide which vulnerabilities open issues

Use Issue criteria to control which vulnerabilities Invicti AppSec automatically opens as issues in the issue manager. Without criteria, Invicti AppSec follows the default behavior set globally; with criteria, only findings that match a rule open an issue for this target.

  1. From the target's Issue assignment page, select the Automation sub-tab.
  2. In the Issue criteria section, do one of the following:
    • Click + Add custom criteria to build a new rule:
      1. In the modal, pick a Field (for example, Severity or Scanner).
      2. Pick an Operand (for example, equals or contains).
      3. Set the value to match.
      4. Combine multiple conditions with AND for a narrower rule.
      5. Click Save in the modal.
    • Click Import global rule to import a globally defined preset into this target.
  3. The saved rule appears in the Issue criteria table. From there you can edit (pencil icon), delete (trash icon), or duplicate (copy icon) the rule.
  4. Click Save at the bottom of the page to apply the configuration.
Tip: Use combined conditions to narrow what triggers an issue - for example, open issues only for critical and high severity vulnerabilities discovered by a specific scanner. Tighter criteria reduce noise in the issue manager.
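
How AND-joined conditions narrow a rule, as an added example (a local model, not Invicti AppSec code): it applies a rule's conditions one at a time to a set of findings and reports how many survive each step, which pinpoints the condition that leaves nothing to open. The findings, scanner names and exact case-sensitive matching are assumptions; only the Severity and Scanner fields and the equals and contains operands come from this page.

```python
from typing import Dict, List, Optional, Tuple

Condition = Tuple[str, str, str]  # (field, operand, value)

# Operands named on the page; exact, case-sensitive comparison is an assumption.
OPERANDS = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
}

# Constructed findings; scanner names are placeholders.
FINDINGS: List[Dict[str, str]] = [
    {"Severity": "Critical", "Scanner": "dast-scanner"},
    {"Severity": "Critical", "Scanner": "sast-scanner"},
    {"Severity": "High", "Scanner": "dast-scanner"},
    {"Severity": "Low", "Scanner": "sca-scanner"},
]


def holds(finding: Dict[str, str], cond: Condition) -> bool:
    field, operand, value = cond
    return OPERANDS[operand](finding.get(field, ""), value)


def opens_issue(finding: Dict[str, str], rule: List[Condition]) -> bool:
    """A finding opens an issue only if every condition in the rule holds (AND)."""
    return all(holds(finding, c) for c in rule)


def narrowing(findings: List[Dict[str, str]], rule: List[Condition]) -> List[Tuple[str, int]]:
    """Apply conditions one at a time; return how many findings survive each step."""
    remaining, steps = list(findings), []
    for cond in rule:
        remaining = [f for f in remaining if holds(f, cond)]
        steps.append((" ".join(cond), len(remaining)))
    return steps


def first_empty_condition(findings, rule) -> Optional[str]:
    """Name the condition after which nothing is left, or None if the rule still matches."""
    return next((label for label, n in narrowing(findings, rule) if n == 0), None)


if __name__ == "__main__":
    rule = [("Severity", "equals", "Critical"), ("Scanner", "equals", "dast")]
    print(narrowing(FINDINGS, rule), first_empty_condition(FINDINGS, rule))
```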

Troubleshooting

Every issue is going to the token owner

The token owner is the last fallback in the assignment hierarchy. If every issue lands there, no higher level resolved. Check, in order:

  1. Committer when committer is known is enabled in the target's Assign to section, and the scan source actually reports a committer. Some scanners and manual import flows don't carry committer data.
  2. A Specific user is selected for the target.
  3. The team that owns the target has a user marked as Issue responsible.

The first level that resolves wins, so filling in Specific user is usually the fastest fix.

The Specific user dropdown doesn't show the person I want

The dropdown only lists users with an active Invicti AppSec license. Check that the person has a licensed account and that they belong to the team that owns this target. After you add them under Users, teams, and roles, refresh the page so the dropdown picks them up.

Custom criteria aren't opening any issues

The criteria join conditions with AND, so each extra condition narrows the match. If nothing opens, simplify to a single condition first and confirm issues appear as expected, then add the next condition. If even one condition produces nothing, confirm the issue manager itself is still connected and able to receive issues - a broken integration looks the same as a criteria miss.

A vulnerability is marked Closed but the issue stays open in the issue manager

Invicti AppSec creates and updates issues in the issue manager, but the closure direction usually runs the other way: an issue closes in the issue manager, and a validation scan then confirms the fix in Invicti AppSec. If you closed the vulnerability in Invicti AppSec directly and the issue is still open in Jira (or another manager), close the issue manually there - the link only carries Invicti AppSec's view of the vulnerability state outward when a validation scan confirms it. If you expected automatic closure in either direction, check that the issue manager integration under Integrations is healthy and reconnect it if there's an authentication error.

The Issue manager dropdown doesn't show the manager I activated

The dropdown only lists issue managers that have an active integration. Open Integrations, confirm the integration is connected, then return to the target's Issue assignment page and refresh so the dropdown picks up the new manager.

