Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)
Project AppSec vulnerabilities
The application security vulnerabilities page lists all vulnerabilities identified in the project since the platform's inception. From this page you can drill down into vulnerability details, manually add new vulnerabilities, or take action on existing ones.
To view application security vulnerabilities:
- Select Inventory > Projects from the left side menu.
- Click the project name to open the project.
- Select the Vulnerabilities tab > AppSec Vulnerabilities.
Issue status indicators
Each vulnerability row displays a colored circle on the left side that indicates the issue manager ticket status:
| Indicator | Meaning |
|---|---|
| Blue circle | A ticket has been created on the issue manager and its status is still open. |
| Grey circle | No ticket has been created on the issue manager for this vulnerability. |
| Red circle | The ticket on the issue manager has been closed. |
Vulnerability details
Click the page icon on the rightmost side of any vulnerability row to view additional details. The details presented vary depending on the scanner tool that identified the vulnerability.
Customize table columns
Click the gear icon in the upper-right corner of the vulnerability table to modify which columns are displayed.
Change vulnerability view
Use the view options at the top of the page to switch between different vulnerability views.
Bulk actions
Select one or more vulnerabilities using the checkboxes, then choose an action from the Choose an action dropdown:
- Assign Issue: create tickets on the issue manager for the selected vulnerabilities. A modal opens where you can choose to create a single ticket for all selected vulnerabilities or a separate ticket for each one.
- False positive: mark vulnerabilities as not being actual security issues. You can set an optional expiration date and provide a description justifying the decision.
- True positive: confirm that vulnerabilities are genuine security issues that require remediation.
- Risk accepted: mark vulnerabilities as tolerable business risks. You can classify them as Mitigated (risk has been reduced) or Won't Fix (risk accepted as-is), and set an optional expiration date.
- Close: close manually imported vulnerabilities.
- Reopen: reopen previously closed, manually imported vulnerabilities. You can set the status to New or Recurrent.
- Add or remove flags: assign or remove custom flags to organize vulnerabilities into custom groups.
Vulnerabilities that already have an open ticket (blue circle) cannot be selected when using the Assign Issue action.
If you group multiple vulnerabilities into a single ticket, certain automated workflows (such as validation scans or reflecting the vulnerability status on the ticket) won't work until all grouped vulnerabilities reach a Closed status. However, if the ticket is closed on the issue manager, the issue status of the vulnerabilities transitions to Closed and a validation scan is triggered if configured. If the same vulnerabilities are rediscovered in the validation scan, the ticket cannot be automatically reopened.
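The grouped-ticket behaviour described above, modelled as an added Python example (this is not Invicti code; the class names, ticket ids and the "Open"/"Closed" labels are assumptions):

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ticket:
    ticket_id: str
    vuln_ids: list   # all vulnerabilities grouped into this ticket
    is_open: bool = True

@dataclass
class Vuln:
    vuln_id: str
    status: str = "Open"             # assumed labels: Open | Closed
    ticket: Optional[Ticket] = None

    def indicator(self) -> str:
        # Colour of the circle at the left of the row (indicator table above).
        if self.ticket is None:
            return "grey"
        return "blue" if self.ticket.is_open else "red"

class ProjectTracker:
    def __init__(self, validation_scan_configured: bool = True):
        self.vulns, self.tickets = {}, {}
        self.validation_scan_configured = validation_scan_configured
        self.validation_scans_triggered = 0

    def add_vuln(self, vuln_id: str) -> None:
        self.vulns[vuln_id] = Vuln(vuln_id)

    def assign_issue(self, vuln_ids, single_ticket: bool) -> list:
        # Rows that already have an open ticket (blue) cannot be selected.
        eligible = [v for v in vuln_ids if self.vulns[v].indicator() != "blue"]
        groups = [eligible] if single_ticket else [[v] for v in eligible]
        created = []
        for group in filter(None, groups):
            t = Ticket(f"TICKET-{len(self.tickets) + 1}", list(group))  # constructed id
            self.tickets[t.ticket_id] = t
            for v in group:
                self.vulns[v].ticket = t
            created.append(t.ticket_id)
        return created

    def status_reflects_to_ticket(self, ticket_id: str) -> bool:
        # A grouped ticket reflects status only once every grouped vuln is Closed.
        return all(self.vulns[v].status == "Closed"
                   for v in self.tickets[ticket_id].vuln_ids)

    def close_ticket_on_issue_manager(self, ticket_id: str) -> None:
        # Closing on the issue manager closes every grouped vuln and
        # triggers a validation scan when one is configured.
        t = self.tickets[ticket_id]
        t.is_open = False
        for v in t.vuln_ids:
            self.vulns[v].status = "Closed"
        self.validation_scans_triggered += int(self.validation_scan_configured)

    def rediscover(self, vuln_id: str) -> str:
        # Rediscovery in the validation scan reopens the vuln, but the
        # ticket closed on the issue manager is not reopened automatically.
        self.vulns[vuln_id].status = "Open"
        return self.vulns[vuln_id].indicator()   # remains "red"
```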
False positive management
How false positive handling works depends on your user role:
- Team Lead and Admin users can mark vulnerabilities as false positives directly by entering a false-positive description.
- Developer users can submit a false positive request, which a Team Lead or Admin must approve.
Import vulnerabilities
You can manually import vulnerabilities into a project using a CSV file or a supported tool's output format. Click the Import button at the top of the vulnerability table to open the import form.
Import types
- Template: import vulnerabilities using a CSV file that follows the Invicti AppSec template format. You can click Download Sample to get a sample CSV template for your selected scanner type.
- Tool: import vulnerabilities directly from a supported scanner tool's output file.
Import fields
| Field | Description | Required |
|---|---|---|
| Import type | Select Template or Tool. | Yes |
| Scanner type | The type of scan: SAST, DAST, SCA, Infrastructure, or Pen Test. | Yes (for template imports) |
| Scanner | The scanner tool associated with the import. | Yes |
| Branch | The branch to associate the vulnerabilities with. | Yes (except for Infrastructure imports) |
| File | The CSV or PDF file to upload. | Yes |
| Date discovered | The date the vulnerabilities were originally discovered. | Yes (for tool imports) |
| Discovered by | The user who discovered the vulnerabilities. | Yes (for template imports) |
| Metadata | Custom metadata to associate with the scan. | Yes (for Infrastructure imports) |
| Scan tag | An optional identifier for the scan. | No |
For pen test imports, you can upload a PDF report instead of a CSV file. PDF imports require an LLM provider to be configured.
Export vulnerabilities
Click the Actions button in the upper-right corner of the page and select the export option to download the vulnerability table in CSV format. The export includes the columns currently displayed in the table.
Need help?
The Invicti Support team is ready to provide you with technical help. Go to the Help Center.