
Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)

Docker-hosted scanners

Many scanners in Invicti AppSec run inside Docker containers. These Docker-hosted scanners use pre-built images published under the kondukto/ namespace on Docker Hub (or a custom registry you configure) and follow a shared setup and configuration workflow. This guide covers the common requirements and steps that apply to all Docker-hosted scanners.

For scanner-specific configuration details, refer to the individual scanner integration guide.

Docker-hosted scanners by category

The following scanners run inside Docker containers:

  • SAST: Semgrep, Opengrep, Bandit, Gosec, Brakeman, TruffleHog Security, NodeJSScan, Psalm, SecurityCodeScan, FindSecBugs, GitLeaks, ESLint
  • SCA: OSV scanner, Dependency Check, Nancy
  • IaC: Checkmarx KICS, Checkov, Semgrep Config, Tfsec, Trivy IaC
  • Container security: Trivy, Grype
  • DAST: OWASP ZAP Headless, Nuclei
Note: You can identify Docker-hosted scanners in the UI by the Docker icon displayed next to the scanner name.

Requirements

Before you can use Docker-hosted scanners, make sure the following prerequisites are in place:

  • Operating system: Linux or macOS. Docker-hosted scanners don't run on Windows.
  • Docker runtime: a Docker daemon running and reachable from the scan host. The platform reads registry authentication from ~/.docker/config.json.
  • Network access: the scan host must be able to pull images from the image registry (Docker Hub by default, or your custom registry).
  • Disk space: enough local disk to store the scanner images. Image size varies per scanner.
  • Invicti AppSec access: administrator permissions to activate scanners and manage Docker images.

Kubernetes environments

If you're running Invicti AppSec on Kubernetes, the following additional requirements apply:

  • Kubernetes cluster credentials must be configured.
  • The service account needs permissions to create Jobs in the target namespace.
  • Volume mount paths on the host must match the container paths. No path translation is performed for volume mounts in Kubernetes, so the host path and the container mount path must be identical.
  • Image pull secrets must be configured if you're using a private registry.
  • The platform skips local image inspection in Kubernetes and marks all tags as ready, since the container runtime handles image pulling.
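The two Kubernetes requirements that can be verified statically (identical host and container mount paths, and image pull secrets for a private registry) are checked by the following script. It is an added example, not Invicti or Kondukto code; the Job manifest it inspects is a constructed sample whose names, paths and secret name are assumptions, and the input format is the parsed output of `kubectl get job <name> -n <ns> -o json`.

```python
"""Added example (not Invicti/Kondukto code): static preflight checks for a
scan Job on Kubernetes, covering two requirements from this page:

  - hostPath volumes must be mounted at exactly the same path inside the
    container, because no path translation is performed;
  - a private registry needs imagePullSecrets on the pod spec.

Input: a Job manifest as a dict (parsed `kubectl get job ... -o json`).
SAMPLE_JOB is constructed for illustration; its names and paths are assumptions.
"""
import json
import sys
from typing import Dict, List


def mount_path_mismatches(job: Dict) -> List[str]:
    """One message per hostPath volume whose container mountPath differs from
    the host path. An empty list means the mount requirement is met."""
    pod = job["spec"]["template"]["spec"]
    host_paths = {
        v["name"]: v["hostPath"]["path"]
        for v in pod.get("volumes", [])
        if "hostPath" in v
    }
    problems = []
    for container in pod.get("initContainers", []) + pod.get("containers", []):
        for mount in container.get("volumeMounts", []):
            host = host_paths.get(mount["name"])
            if host is None:
                continue  # emptyDir, secret, configMap, ...: no host path to compare
            if mount["mountPath"] != host:
                problems.append(
                    f"container {container['name']}: volume {mount['name']} is "
                    f"mounted at {mount['mountPath']} but the host path is {host}"
                )
    return problems


def missing_pull_secrets(job: Dict, private_registry: bool) -> bool:
    """True when the image comes from a private registry but the pod spec
    lists no imagePullSecrets, so the kubelet would pull anonymously."""
    pod = job["spec"]["template"]["spec"]
    return private_registry and not pod.get("imagePullSecrets")


def preflight(job: Dict, private_registry: bool) -> List[str]:
    """All findings for a Job; an empty list means both checks pass."""
    findings = mount_path_mismatches(job)
    if missing_pull_secrets(job, private_registry):
        findings.append("private registry in use but spec.template.spec.imagePullSecrets is empty")
    return findings


def fixed_copy(job: Dict) -> Dict:
    """Copy of the Job with every hostPath mount moved to its host path and a
    pull secret named 'registry-creds' added (the secret name is an assumption)."""
    fixed = json.loads(json.dumps(job))
    pod = fixed["spec"]["template"]["spec"]
    host_paths = {v["name"]: v["hostPath"]["path"] for v in pod.get("volumes", []) if "hostPath" in v}
    for container in pod.get("initContainers", []) + pod.get("containers", []):
        for mount in container.get("volumeMounts", []):
            if mount["name"] in host_paths:
                mount["mountPath"] = host_paths[mount["name"]]
    if not pod.get("imagePullSecrets"):
        pod["imagePullSecrets"] = [{"name": "registry-creds"}]
    return fixed


# Constructed sample: the checkout lives at /data/scans/repo on the node but is
# mounted at /workspace in the container, which violates the identical-path rule.
SAMPLE_JOB = {
    "apiVersion": "batch/v1",
    "kind": "Job",
    "metadata": {"name": "semgrep-scan", "namespace": "appsec"},
    "spec": {"template": {"spec": {
        "restartPolicy": "Never",
        "volumes": [
            {"name": "repo", "hostPath": {"path": "/data/scans/repo"}},
            {"name": "tmp", "emptyDir": {}},
        ],
        "containers": [{
            "name": "scanner",
            "image": "my-registry.company.com/kondukto/semgrep:latest",
            "volumeMounts": [
                {"name": "repo", "mountPath": "/workspace"},
                {"name": "tmp", "mountPath": "/tmp"},
            ],
        }],
    }}},
}


if __name__ == "__main__":
    job = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_JOB
    for line in preflight(job, private_registry=True) or ["ok"]:
        print(line)
```

Run it against an exported Job (`python3 preflight.py job.json`) or with no argument to see the constructed failure. The service-account requirement is easiest to confirm with kubectl itself: `kubectl auth can-i create jobs -n <ns> --as=system:serviceaccount:<ns>:<sa>` must answer `yes`, and the pull secret referenced by the Job is created with `kubectl create secret docker-registry`.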

Step 1: Activate a Docker-hosted scanner

You need to activate a Docker-hosted scanner at the platform level before you can use it in any project.

  1. Select Integrations from the left side menu.
  2. Navigate to the Scanners category.
  3. Locate the scanner you want to activate under the relevant tab (for example, SAST, SCA, IaC).
  4. Click Activate on the scanner card.
  5. Fill in the required fields in the configuration drawer. The fields depend on the scanner, but most follow one of these patterns:
    • Token only: most scanners (for example, Bandit, Gosec, NodeJSScan, Checkov, Tfsec, Grype, Nuclei) require only an authentication token.
    • Token + rules configuration: scanners like Semgrep, Opengrep, and Brakeman also let you configure custom scan rules, include/exclude patterns, or rule sets during activation.
    • Token + extended settings: some scanners have additional fields. For example, Dependency Check supports an NVD API key and cache settings, and Nancy includes a cache toggle.
  6. Click Save.

After activation, the scanner appears in project-level scanner dropdowns and shows the See available tags link on its integration card.

Step 2: Pull Docker images

Before you can run a scan, the Docker image for that scanner must be available on the scan host. You manage Docker images from the Integrations page.

Check image availability

  1. Select Integrations from the left side menu.
  2. Navigate to the Scanners category.
  3. Locate the Docker-hosted scanner you want to use.
  4. Click See available tags on the scanner card. The tag list expands, showing each tag with its status:
    • Ready: the image is pulled and available for scanning.
    • Not ready: the image hasn't been pulled yet.

Pull images

  1. In the expanded tag list, select the checkboxes next to the tags you want to pull.
  2. Click Pull Selected.
  3. The platform pulls the images in the background. The tag status updates to Ready once the pull completes.
Note: In Kubernetes environments, the platform skips the pull step. The container runtime pulls images automatically when a scan Job starts.

Step 3: Configure a Docker-hosted scanner for a project

After you activate a Docker-hosted scanner and pull its image, you can add it to any project.

  1. Navigate to the project where you want to run scans.
  2. Select Settings from the project menu, then go to the Scanners tab.
  3. From the Scan type dropdown, select the scanner category (for example, SAST, SCA, IaC).
  4. From the Scanner dropdown, select the scanner. Docker-hosted scanners display a Docker icon next to their name.
  5. Click Add. The scan configuration drawer opens.
  6. Fill in the configuration fields. The common fields are described below, but some scanners have additional fields. Refer to the individual scanner guide for details.

Common configuration fields

All Docker-hosted scanners share these configuration fields:

  • Environment (optional): assign the scan to a specific environment (for example, Production, Staging, Feature, Development).
  • Branch (required): the repository branch to scan. Use the auto-complete field to search available branches.
  • Meta data (optional): an optional metadata value. It must be unique per branch and tool combination.
  • Scan tag (optional): an optional tag for organizational purposes.
  • Tag (required): the scanner version to use. The dropdown lists only Docker image tags with Ready status. If only one tag is available, the platform selects it automatically.
  • Fork default branch (optional): when enabled, the scan compares the selected branch against the project's default branch or a fork source branch.

Some scanners have additional fields. For example, Trivy and Grype support a Full registry path field for scanning specific container images, and Trivy also supports Private registry authentication with username and password.

Schedule and save

  1. Configure the Schedule for the scan. You can set recurring scans (for example, daily, weekly) or trigger a one-time scan.
  2. Click Save.

Use a custom Docker registry

By default, Docker-hosted scanners pull images from Docker Hub (kondukto/ namespace). If your environment uses a private or custom registry, you can override the default image source.

To configure a custom registry for a scanner:

  1. Select Integrations from the left side menu.
  2. Locate the Docker-hosted scanner and click Settings.
  3. Enable the Custom registry option.
  4. Enter the full image path for your custom registry (for example, my-registry.company.com/kondukto/semgrep).
  5. Click Save.

The platform uses the custom image path when pulling and running the scanner.

Note: Make sure your Docker daemon or Kubernetes cluster has the necessary credentials to pull from the custom registry. For Docker, configure authentication in ~/.docker/config.json. For Kubernetes, set up image pull secrets.
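Because the platform reads registry authentication from ~/.docker/config.json (see Requirements above) and a custom image path changes which registry that file must cover, the following script checks before a pull whether the client config actually holds credentials for the registry a scanner image comes from. It is an added example, not Invicti or Kondukto code. It applies Docker's own rule for splitting a registry host off an image reference (default Docker Hub for kondukto/<scanner>, the first component for my-registry.company.com/kondukto/semgrep) and reads the standard config.json layout (auths, credHelpers, credsStore). SAMPLE_CONFIG is a constructed config whose hosts, helper name and base64 value are assumptions.

```python
"""Added example (not Invicti/Kondukto code): verify that the Docker client
config holds credentials for the registry a scanner image is pulled from.
SAMPLE_CONFIG is constructed; every host and helper name in it is an assumption.
"""
import json
from pathlib import Path
from typing import Dict, Iterable, Optional

# Docker Hub credentials live under this legacy key, not under "docker.io".
DOCKER_HUB_AUTH_KEY = "https://index.docker.io/v1/"


def registry_host(image_ref: str) -> str:
    """Registry host for an image reference, following Docker's rule: the
    first path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the image is on Docker Hub."""
    name = image_ref.split("@", 1)[0]          # drop a digest, if any
    first, sep, _ = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def credential_source(config: Dict, host: str) -> Optional[str]:
    """Where `docker pull` would find credentials for host, or None.
    Lookup order mirrors the Docker CLI: per-registry credHelpers, then inline
    auths, then the global credsStore (whose contents cannot be inspected
    offline, so it is reported as unverified)."""
    if host == "docker.io":
        keys = [DOCKER_HUB_AUTH_KEY, "docker.io", "index.docker.io"]
    else:
        keys = [host, f"https://{host}", f"https://{host}/v1/"]
    helpers = config.get("credHelpers", {})
    for key in keys:
        if key in helpers:
            return f"credHelpers:{helpers[key]}"
    auths = config.get("auths", {})
    for key in keys:
        entry = auths.get(key, {})
        if entry.get("auth") or entry.get("identitytoken"):
            return f"auths:{key}"
    if config.get("credsStore"):
        return f"credsStore:{config['credsStore']} (unverified)"
    return None


def check_images(config: Dict, image_refs: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each image reference to its credential source (None = anonymous pull)."""
    return {ref: credential_source(config, registry_host(ref)) for ref in image_refs}


def load_docker_config(path: Path = Path.home() / ".docker" / "config.json") -> Dict:
    """Read the real client config; an absent file means no credentials at all."""
    return json.loads(path.read_text()) if path.exists() else {}


# Constructed sample config: a Docker Hub login, a credential helper for the
# custom registry named on this page, and a second registry with inline auth.
SAMPLE_CONFIG = {
    "auths": {
        DOCKER_HUB_AUTH_KEY: {"auth": "dXNlcjpwYXNz"},     # base64("user:pass"), dummy value
        "registry.example.net": {"auth": "dXNlcjpwYXNz"},
    },
    "credHelpers": {"my-registry.company.com": "ecr-login"},
}


if __name__ == "__main__":
    import sys
    refs = sys.argv[1:] or [
        "kondukto/semgrep",
        "my-registry.company.com/kondukto/semgrep",
        "other.example.com/kondukto/semgrep",   # assumed host with no credentials
    ]
    for ref, source in check_images(load_docker_config(), refs).items():
        print(f"{ref:50} {source or 'NO CREDENTIALS (pull will be anonymous)'}")
```

Run it on the scan host as the user that owns the Docker daemon session (`python3 registry_check.py my-registry.company.com/kondukto/semgrep`): a `NO CREDENTIALS` result for a private registry means the pull will fail or, worse, silently resolve a same-named public image if the registry allows anonymous reads, so fix the login with `docker login <host>` before selecting tags to pull.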

Resource allocation

The platform automatically manages resource allocation for Docker-hosted scanners:

  • Memory: the platform divides available system memory (minus a 1 GB reserve) equally across the maximum number of concurrent scans.
  • CPU: CPU shares are distributed proportionally based on the number of available cores and the maximum concurrent scan limit.

You can also set a Max scan duration per project under Settings > Scanners to prevent scans from running indefinitely. The maximum allowed value is 5000 minutes.

Proxy configuration

The platform automatically injects proxy environment variables from the host into scanner containers. If your environment uses an HTTP or HTTPS proxy, the following variables are forwarded automatically:

  • HTTP_PROXY / http_proxy
  • HTTPS_PROXY / https_proxy
  • NO_PROXY / no_proxy

You don't need to configure proxy settings individually for each scanner.

