Package: Invicti AppSec Enterprise (on-premise, on-demand)
Contrast IAST integration
Contrast Security's IAST module detects vulnerabilities in running applications using an instrumentation-based agent. Unlike traditional scanners, Contrast IAST monitors application behavior at runtime, identifying security flaws as the application is exercised (manually, through automated tests, or via functional QA). The Invicti AppSec integration connects to your Contrast Security server via its API and retrieves IAST findings for the applications you specify.
Prerequisites
| Field | Description |
|---|---|
| API Key | the organization-level API key from Contrast Security |
| Token | your Contrast Security user Service Key (authorization token) |
| Organization | your Contrast Security organization UUID |
| URL | the base URL of your Contrast Security instance (e.g., https://app.contrastsecurity.com) |
Get credentials (on Contrast Security side)
Token (Service Key):
- Log in to Contrast Security and click your profile icon in the upper right corner.
- Select User Settings.
- Under Your Keys, copy the Service Key — this is your Token.
API Key:
- In Contrast Security, navigate to Organization Settings > API.
- Copy the API Key shown on this page.
Organization UUID:
- In Contrast Security, navigate to Organization Settings > General.
- Copy the Organization ID (UUID format).
All three credentials are required. The Token (Service Key) and API Key work together to authenticate API requests to the Contrast Security server.
Step 1: Navigate to Integrations
From the left sidebar menu, click Integrations.

Step 2: Select the IAST tab
On the Integrations > Scanners page, click the IAST tab.

Step 3: Find and activate Contrast IAST
Scroll through the list of IAST scanners to find Contrast IAST.
- If Contrast IAST is not activated, click Activate to enable the integration.
The scan method badges on the Contrast IAST card include Bind and KDT.
Step 4: Configure connection settings
Click the gear icon on the Contrast IAST card to open the settings panel. Fill in the required fields:
| Field | Description | Required |
|---|---|---|
| API Key | the organization-level API key from Contrast Security | Yes |
| Token | your Contrast Service Key (user authorization token) | Yes |
| Organization | your Contrast organization UUID | Yes |
| URL | your Contrast Security server URL | Yes |
| Insecure | enable only if your instance uses a self-signed SSL certificate | No |

Step 5: Test the connection
Click Test Connection. A green Connection successful message confirms that Invicti AppSec can reach your Contrast Security instance with the provided credentials.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the IAST tab |
| 3 | Activate Contrast IAST |
| 4 | Enter API Key, Token, Organization, and URL |
| 5 | Test the connection |
Create a scan
Navigate to project scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Contrast IAST scanner
- Select IAST as the scanner type.
- Choose Contrast IAST from the scanner list.
- Click Add to open the scan configuration drawer.
Scan configuration fields
| Field | Description | Required |
|---|---|---|
| Environment | select the environment for the scan | No |
| Project | select the Contrast application to monitor (loaded from your organization) | Yes |
| Branch | source code branch associated with this scan | Yes |
| Meta Data | additional metadata for the scan | No |
| Scan Tag | tag to identify the scan | No |
The Project list is populated from Contrast Security. Only applications instrumented with the Contrast agent and visible under your organization appear.

Scheduler
Enable the Scheduler toggle to pull Contrast IAST findings on a recurring schedule.
Webhook (optional)
Add a webhook URL to receive scan completion notifications.
KDT command
```shell
kdt scan -p <project_name> -t contrastiast -b <branch_name>
```
Troubleshooting
Connection fails
| Issue | Resolution |
|---|---|
| 403 Forbidden | verify that both the Service Key (Token) and the API Key are correct and belong to the same user and organization. |
| Organization not found | check that the Organization ID matches exactly the UUID shown in Contrast Organization Settings. |
| URL not reachable | confirm the Contrast server URL is accessible from the Invicti AppSec network. Check firewall rules and proxy settings. |
| SSL certificate error | enable the Insecure option for self-signed certificates, or add the certificate to your trust store. |
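Most rows of the table above can be caught before you click Test Connection. The following Python is an added example, not Invicti's or Contrast's code: it validates the URL, Organization, API Key and Token fields offline, labels each problem with the troubleshooting row it usually surfaces as, and shows what the Insecure option amounts to in TLS terms. The SaaS hostname check and the field names are assumptions drawn from this page, not from Contrast's API.

```python
"""Pre-flight checks for the Contrast IAST connection settings (added example).

Validates the four required fields and the optional Insecure flag without
talking to the server, and names the troubleshooting row each failure usually
ends up as. Field names and the SaaS hostname rule are assumptions from the page.
"""
from __future__ import annotations

import ssl
import uuid
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: the public SaaS host from the page's example URL presents a
# publicly trusted certificate, so the Insecure option is never needed for it.
SAAS_HOST = "app.contrastsecurity.com"


@dataclass(frozen=True)
class ContrastSettings:
    url: str            # base URL of the Contrast instance
    organization: str   # organization UUID
    api_key: str        # organization-level API key
    token: str          # user Service Key
    insecure: bool = False


def check_settings(s: ContrastSettings) -> list[str]:
    """Return a list of problems; an empty list means the settings pass pre-flight."""
    problems: list[str] = []

    parts = urlsplit(s.url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        problems.append("URL not reachable: URL must be an absolute http(s) base URL, "
                        "e.g. https://app.contrastsecurity.com")
    elif parts.query or parts.fragment:
        problems.append("URL not reachable: URL must be the base URL only, "
                        "without query string or fragment")
    elif parts.scheme == "http":
        problems.append("URL: plain http sends the API Key and Service Key "
                        "unencrypted; use https")

    try:
        uuid.UUID(s.organization.strip())
    except ValueError:
        problems.append("Organization not found: Organization must be the UUID "
                        "from Organization Settings > General")

    # Empty or whitespace-padded credentials are the usual copy-paste cause of a 403.
    for name, value in (("API Key", s.api_key), ("Token", s.token)):
        if not value.strip():
            problems.append(f"403 Forbidden: {name} is empty")
        elif value != value.strip():
            problems.append(f"403 Forbidden: {name} has leading/trailing whitespace")

    if s.insecure and parts.hostname == SAAS_HOST:
        problems.append("SSL certificate error: Insecure disables certificate "
                        "verification; the SaaS instance does not need it")
    return problems


def tls_context(s: ContrastSettings) -> ssl.SSLContext:
    """Build the TLS context the Insecure flag implies.

    Insecure off: the default context verifies the server certificate against
    the system trust store. Insecure on: verification is disabled, which is what
    accepting a self-signed certificate means, so keep it to that case only.
    """
    ctx = ssl.create_default_context()
    if s.insecure:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_certificates(s: ContrastSettings) -> bool:
    """True when connections made with these settings verify the server certificate."""
    return tls_context(s).verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    demo = ContrastSettings("app.contrastsecurity.com", "not-a-uuid", " key ", "", insecure=True)
    for p in check_settings(demo):
        print("-", p)
```

Run it with your own values before opening the settings panel; an empty problem list does not prove the credentials are valid (only Test Connection does), but it rules out the malformed-input causes of the first three table rows.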
Scan issues
| Issue | Resolution |
|---|---|
| No applications listed | ensure the Contrast agent is deployed and actively reporting to the configured organization. |
| Empty results | the application may have no vulnerabilities detected, or the instrumented application may not have been exercised during the scan window (the agent only reports code paths that actually ran). |
| Application not found | confirm the application exists and is accessible under the configured organization UUID. |
Best practices
- Use a dedicated Contrast service account to avoid disruptions when team members leave or change roles.
- Ensure the Contrast agent is running and actively monitoring the target application before triggering a scan import.
- Keep the API Key and Service Key confidential and rotate them periodically.
- Verify in Contrast Organization Settings which applications are instrumented before configuring scans.
- For on-premises Contrast installations, ensure Invicti AppSec can reach the Contrast server on the required ports.
Limitations
- Contrast IAST retrieves findings only for applications instrumented with the Contrast agent. Uninstrumented applications return no results.
- The integration reads existing findings collected by the running agent — it doesn't trigger new scans or agent deployments.
- Invicti AppSec imports vulnerabilities reported by Contrast at the time of the sync; findings detected after the sync appear in the next scheduled run.
- License compliance and library vulnerability data from the Contrast SCA module aren't imported by this integration.
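The three limitations about what a sync imports (existing findings only, anything newer waits for the next scheduled run, SCA library data excluded) describe an incremental import with a watermark. The Python below is an added example, not the integration's own code, that models that behaviour: each run takes the agent's current findings plus the state stored by the previous run, imports only what is new, and advances the watermark so a rerun on the same data is a no-op. The finding records, their field names and the `category` values are constructed for the example.

```python
"""Incremental import of Contrast IAST findings (added example, constructed data).

Models the behaviour the limitations describe: a sync reads findings the agent
has already collected, skips SCA/library entries, never re-imports a finding,
and leaves anything observed after the watermark for the next scheduled run.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Finding:
    id: str
    rule: str
    severity: str
    category: str          # constructed: "iast" (agent finding) or "library" (SCA)
    last_seen: datetime


@dataclass
class SyncState:
    watermark: datetime                     # newest last_seen imported so far
    imported_ids: set[str] = field(default_factory=set)


def at_hour(hour: int) -> datetime:
    """Constructed timestamps: a fixed day, varying only the hour."""
    return datetime(2024, 1, 1, hour, tzinfo=timezone.utc)


def initial_state() -> SyncState:
    """State before the first run: nothing imported, watermark at the epoch of the sample day."""
    return SyncState(watermark=at_hour(0))


def plan_import(findings: list[Finding], state: SyncState) -> tuple[list[Finding], SyncState]:
    """Return the findings to import this run and the state to store for the next one.

    Findings are processed oldest first so the watermark ends on the newest
    imported timestamp. A finding is skipped when it is not an IAST finding,
    was already imported, or is not newer than the watermark.
    """
    to_import: list[Finding] = []
    newest = state.watermark
    for f in sorted(findings, key=lambda x: x.last_seen):
        if f.category != "iast":
            continue                        # SCA data is not imported by this integration
        if f.id in state.imported_ids or f.last_seen <= state.watermark:
            continue
        to_import.append(f)
        newest = max(newest, f.last_seen)
    new_state = SyncState(newest, state.imported_ids | {f.id for f in to_import})
    return to_import, new_state


# Constructed sample of what the agent might have collected by the first run.
SAMPLE_FINDINGS: list[Finding] = [
    Finding("f1", "sql-injection", "Critical", "iast", at_hour(9)),
    Finding("f2", "reflected-xss", "High", "iast", at_hour(10)),
    Finding("f3", "vulnerable-library", "High", "library", at_hour(11)),
    Finding("f4", "path-traversal", "Medium", "iast", at_hour(12)),
]


if __name__ == "__main__":
    batch, state = plan_import(SAMPLE_FINDINGS, initial_state())
    print("first run imports:", [f.id for f in batch])
    batch, state = plan_import(SAMPLE_FINDINGS, state)
    print("rerun imports:", [f.id for f in batch])
```

The watermark plus the imported-id set is what makes the scheduled runs safe to repeat: an unchanged agent view imports nothing, and a finding the agent records after a run is picked up by the following run, exactly as the limitation states.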
Need help?
The Invicti Support team is ready to provide you with technical help. Go to Help Center