Package: Invicti AppSec Enterprise (on-premise, on-demand)
Orca Security CSPM Integration
Orca Security provides agentless cloud security posture management, detecting misconfigurations, vulnerabilities, and compliance violations across cloud environments. In Invicti AppSec, the Orca Security integration connects to your Orca account to import cloud security findings into your projects.
Prerequisites
| Field | Description |
|---|---|
| Username | Orca Security API username |
| Password | Orca Security API password |
| API URL | Base URL of your Orca Security API endpoint |
Get API Credentials (on Orca Side)
- Log in to the Orca Security console.
- Navigate to Settings > Users or API Access.
- Create a dedicated API user or generate API credentials.
- Copy the Username, Password, and note the API URL for your Orca instance.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the CSPM Tab
On the Integrations > Scanners page, click on the CSPM tab.

Step 3: Find and Activate Orca Security
Scroll through the list of CSPM scanners to find Orca Security.
- If Orca Security is not activated, click the Activate button to enable the integration.
Step 4: Configure Connection Settings
Click the gear icon on the Orca Security card to open the settings panel. Fill in the required fields:
| Field | Description | Required |
|---|---|---|
| Username | Orca Security API username | Yes |
| Password | Orca Security API password | Yes |
| API URL | Base URL of your Orca Security instance | Yes |

Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms that Invicti AppSec can authenticate with the Orca Security API.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the CSPM tab |
| 3 | Activate Orca Security |
| 4 | Enter Username, Password, and API URL |
| 5 | Test the connection |
Create a Scan
Navigate to Project Scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Orca Security Scanner
- Select CSPM as the scanner type.
- Choose Orca Security from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Associate the scan with a feature environment | No |
| Branch | The branch to associate cloud findings with | Yes |
| Meta Data | Additional metadata to tag the scan | No |
| Scan Tag | Free-text tag to identify or group scans | No |
| Cloud Filter | Filter imported findings by Asset Name, Image, Region, Platform, Asset Type, Severity, or IP Address | No |
- Invicti AppSec automatically syncs Orca Security vulnerabilities on a daily basis — no manual trigger is required after the initial scan is configured.
- Cloud Filter lets you narrow which findings are imported into this project. You can filter by Asset Name, Image, Region, Cloud Platform, Asset Type, Severity, and IP Address. If no filter is set, all findings accessible via the API credentials are imported.
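The following is an added example, not code from Invicti or Orca, that models the Cloud Filter behaviour described above over a few constructed findings: an empty filter imports everything, each configured field must match, and an overly restrictive filter (the "No findings imported" case from Troubleshooting) is flagged. The field names follow the documented filter fields; the matching rule (case-insensitive equality against any of the listed values) is an assumption for illustration.

```python
from typing import Dict, Iterable, List

# Constructed sample findings shaped like the fields the Cloud Filter acts on.
SAMPLE_FINDINGS: List[Dict[str, str]] = [
    {"asset_name": "web-prod-01", "image": "nginx:1.25", "region": "us-east-1",
     "platform": "aws", "asset_type": "vm", "severity": "high", "ip_address": "10.0.1.5"},
    {"asset_name": "db-prod-01", "image": "", "region": "us-east-1",
     "platform": "aws", "asset_type": "rds", "severity": "critical", "ip_address": "10.0.2.9"},
    {"asset_name": "api-eu-01", "image": "api:2.3", "region": "eu-west-1",
     "platform": "gcp", "asset_type": "container", "severity": "medium", "ip_address": "10.1.0.4"},
]

# The seven filter fields the page lists for the Cloud Filter.
FILTER_FIELDS = ("asset_name", "image", "region", "platform",
                 "asset_type", "severity", "ip_address")


def apply_cloud_filter(findings: Iterable[Dict[str, str]],
                       cloud_filter: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """Return the findings a project would import under cloud_filter.

    An empty filter (or one whose values are all empty) imports every finding.
    Every field that is set must match; within one field, any listed value matches.
    Matching is case-insensitive equality (an assumption, not the product's documented rule).
    """
    active = {k: {v.lower() for v in vals} for k, vals in cloud_filter.items() if vals}
    unknown = set(active) - set(FILTER_FIELDS)
    if unknown:
        raise ValueError(f"unsupported Cloud Filter field(s): {sorted(unknown)}")
    return [f for f in findings
            if all(f.get(k, "").lower() in vals for k, vals in active.items())]


def check_filter(findings: Iterable[Dict[str, str]],
                 cloud_filter: Dict[str, List[str]]) -> str:
    """Troubleshooting aid: report an over-restrictive filter before it silently imports nothing."""
    findings = list(findings)
    kept = apply_cloud_filter(findings, cloud_filter)
    if findings and not kept:
        return "overly restrictive: filter excludes all findings"
    return f"ok: {len(kept)} of {len(findings)} findings would be imported"


if __name__ == "__main__":
    print(check_filter(SAMPLE_FINDINGS, {}))
    print(check_filter(SAMPLE_FINDINGS, {"region": ["us-east-1"], "platform": ["AWS"]}))
    print(check_filter(SAMPLE_FINDINGS, {"region": ["us-east-1"], "platform": ["gcp"]}))
```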

Scheduler
Enable the Scheduler toggle to automatically re-run the Orca Security scan on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
kdt scan -p <project_name> -t orcacspm -b <branch_name>
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid credentials | Verify the username and password in the Orca Security console. |
| Incorrect API URL | Ensure the API URL points to your Orca instance (e.g., https://api.orcasecurity.io). Check your Orca account settings for the correct endpoint. |
| Unauthorized | Confirm the API user has sufficient read permissions for cloud security findings. |
Scan Issues
| Issue | Resolution |
|---|---|
| No findings imported | Verify Orca Security has completed assessments for your cloud accounts. Check the Cloud Filter — overly restrictive filters may exclude all findings. |
| Scan not starting | Verify the scanner is activated and the connection test passes in the integration settings. |
Best Practices
- Use a dedicated API user for Invicti AppSec with read-only access — do not use admin credentials.
- Use Cloud Filters to associate each project with specific asset types, regions, or cloud platforms it covers, ensuring findings are relevant to that project.
- Use the Scheduler to keep cloud security findings aligned with Orca's assessment schedule.
- Rotate credentials periodically and update the integration settings in Invicti AppSec accordingly.
Limitations
- Orca Security CSPM in Invicti AppSec imports cloud security posture findings — it does not trigger new Orca assessments.
- Only findings accessible via the provided API credentials are available for import.
- Vulnerability sync occurs daily automatically; manual on-demand sync is not supported outside of scheduled scans.
- Requires an active Orca Security subscription.