Package: Invicti AppSec Enterprise (on-premise, on-demand)
CrowdStrike Falcon Container Security
CrowdStrike Falcon Container Security scans container images for vulnerabilities, misconfigurations, and threats using the CrowdStrike Falcon platform. In Invicti AppSec, the integration connects to the Falcon cloud API — no self-hosted URL is required.
Prerequisites
| Field | Description |
|---|---|
| Client ID | OAuth2 Client ID generated in the CrowdStrike Falcon console |
| Client Secret | OAuth2 Client Secret paired with the Client ID |
Get a Client ID and Client Secret (on the CrowdStrike Side)
- Log in to the CrowdStrike Falcon console.
- Navigate to Support & Resources > API Clients and Keys.
- Click Add new API client.
- Enter a name for the client (e.g., invicti-appsec).
- Under Scopes, enable at least:
  - Falcon Container Image → Read
  - Vulnerabilities → Read
- Click Add. Copy the Client ID and Client Secret immediately — the secret is shown only once.
The API client must be created in the CrowdStrike cloud region (US-1, US-2, EU-1, etc.) that hosts your Falcon tenant.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.

Step 2: Select the CS Tab
On the Integrations > Scanners page, click on the CS tab.

Step 3: Find and Activate CrowdStrike CS
Scroll through the list of CS scanners to find CrowdStrike CS.
- If CrowdStrike CS is not activated, click the Activate button to enable the integration.
Step 4: Configure Connection Settings
Click the gear icon on the CrowdStrike CS card to open the settings panel. Fill in the required fields:
| Field | Description | Required |
|---|---|---|
| Client ID | OAuth2 Client ID from the CrowdStrike Falcon API Clients page | Yes |
| Client Secret | OAuth2 Client Secret paired with the Client ID | Yes |
CrowdStrike CS uses the Falcon cloud API — no URL field is required. The integration automatically connects to your CrowdStrike tenant's regional endpoint.

Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms that Invicti AppSec can authenticate with the CrowdStrike Falcon API.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the CS tab |
| 3 | Activate CrowdStrike CS |
| 4 | Enter Client ID and Client Secret |
| 5 | Test the connection |
Create a Scan
Navigate to Project Scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add CrowdStrike CS Scanner
- Select CS as the scanner type.
- Choose CrowdStrike CS from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | The deployment environment (e.g., feature, production) | No |
| Bind to | Select the container image from CrowdStrike to associate with this scan | Yes |
| Branch | Source code branch for this scan | Yes |
| Meta Data | Additional metadata to tag the scan | No |
| Scan Tag | Free-text tag to identify or group scans | No |
| Fork Default Branch / Fork Source Branch | Enable to fork scan results from the default or source branch | No |
Bind to links the Invicti AppSec project to a specific container image tracked in CrowdStrike Falcon. Vulnerability findings from that image will be imported into the project.

Scheduler
Enable the Scheduler toggle to automatically run CrowdStrike CS scans on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
kdt scan -p <project_name> -t crowdstrikecs -b <branch_name>
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid Client ID or Secret | Verify the credentials in the CrowdStrike Falcon console under API Clients and Keys. Regenerate if needed. |
| Insufficient API scope | Ensure the API client has Falcon Container Image: Read and Vulnerabilities: Read permissions. |
| Wrong region | Confirm your Falcon tenant's region matches the CrowdStrike API endpoint being used. |
| Client Secret not available | The secret is shown only at creation — create a new API client if the original secret was not saved. |
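To tell a credential or region problem apart from an Invicti-side problem, the API client can be checked directly against the Falcon OAuth2 token endpoint in each region. The script below is an added example, not Invicti or CrowdStrike code; the environment variable names are assumptions, and the hosts are CrowdStrike's public API endpoints for the regions named on this page.

```python
import os
import urllib.error
import urllib.parse
import urllib.request

# CrowdStrike's public API hosts for the regions named on this page.
FALCON_BASE_URLS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
}

def build_token_request(region, client_id, client_secret):
    """OAuth2 client-credentials request; the secret travels only in the POST body."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        FALCON_BASE_URLS[region] + "/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})

def probe(region, client_id, client_secret, timeout=10):
    """Return the HTTP status of a token request in one region (0 = network error)."""
    try:
        with urllib.request.urlopen(
                build_token_request(region, client_id, client_secret),
                timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # rejected or redirected requests land here
    except urllib.error.URLError:
        return 0

def diagnose(statuses):
    """Map per-region statuses onto the rows of the Connection Fails table."""
    accepted = [r for r, s in statuses.items() if s == 201]  # 201 = token issued
    if accepted:
        return "Credentials valid in " + ", ".join(accepted) + "; check scopes next"
    if statuses and all(s == 0 for s in statuses.values()):
        return "Falcon API unreachable; check egress and proxy settings"
    return "No region issued a token; verify or regenerate the Client ID and Secret"

if __name__ == "__main__":
    cid = os.environ["FALCON_CLIENT_ID"]          # assumed variable names
    secret = os.environ["FALCON_CLIENT_SECRET"]   # never echoed or logged
    print(diagnose({r: probe(r, cid, secret) for r in FALCON_BASE_URLS}))
```

Supplying the credentials through environment variables keeps the secret out of shell history and the process list. A token issued during the check is discarded without being printed or stored.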
Scan Issues
| Issue | Resolution |
|---|---|
| No images available in Bind to dropdown | Ensure at least one container image has been scanned in CrowdStrike Falcon and is accessible via the API client's scope. |
| Scan shows no findings | The image may have no known vulnerabilities, or the scan may not have completed in Falcon yet. Check the Falcon console. |
| Scan not starting | Verify the scanner is activated and the connection test passes in the integration settings. |
Best Practices
- Use a dedicated API client for Invicti AppSec with the minimum required scopes rather than reusing credentials shared with other tools.
- Rotate the Client Secret periodically and update the integration settings in Invicti AppSec accordingly.
- Associate each Invicti AppSec project with the specific container image that represents its production artifact for accurate vulnerability tracking.
- Use the Scheduler to align scans with your container image rebuild cadence so findings always reflect the latest image state.
Limitations
- CrowdStrike CS in Invicti AppSec imports vulnerability data from existing Falcon scans — it does not trigger new Falcon image scans.
- Only images already tracked within CrowdStrike Falcon are available for binding; images not yet scanned by Falcon will not appear.
- CrowdStrike regional API endpoints (US-1, US-2, EU-1) are determined by your Falcon tenant configuration and cannot be overridden in Invicti AppSec.
- Runtime threat detection and behavioral signals from Falcon are not surfaced in Invicti AppSec findings; only vulnerability data is imported.