availability

Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)

Pull request scans

PR decoration

Using the Invicti AppSec CLI, you can view scan results within PRs.

A sample command needed for this operation is:

./kdt scan -p test -b feature -t gosec --pr-number 24

This command starts a gosec scan on the feature branch and then pushes the results of the scan to the PR. It also presents the number of open (new+recurrent) vulnerabilities on the same branch of the project.

The following command filters the number of open vulnerabilities in the project by the selected scanner types. In this example, the total number of open SAST and SCA vulnerabilities is displayed:

./kdt scan -p test -b feature -t gosec --pr-number 24 --pr-decoration-scanner-types sast,sca

PR scans

When the PR scan functionality is used, Invicti AppSec locally merges the target and source branches and then runs a scan on the combined source code created by Git.

You can use this functionality when triage operations on the source or the target branch need to be carried over to the target or source branch. This way, Invicti AppSec allows you to focus on new vulnerabilities that have been recently created without being distracted by previous vulnerabilities that have been triaged on the target branch.

info

For this functionality to work properly, the branch provided with the --merge-target flag (main in the example below) should have been scanned at least once via UI or CLI.

Start a PR scan without PR decoration

When the following command is run, Invicti AppSec carries over any triage activity that has taken place on the main branch to the feature branch. This means that vulnerabilities previously discovered on the main branch are shown as recurrent rather than new, or those that have been suppressed remain suppressed on the feature branch. This allows you to easily focus on new vulnerabilities on the feature branch:

./kdt scan -p test -b feature -t gosec --merge-target main

Start a PR scan with PR decoration

You can use the following command to push results of the scan performed on the combined source code to PR number 24 as a PR decoration:

./kdt scan -p test -b feature -t gosec --merge-target main --pr-number 24
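The commands in both sections above combine the same four flags. The following POSIX shell wrapper, an added example and not part of Invicti's documentation, assembles a kdt scan for a CI job from those flags only; the parameter names and the KDT_DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Invicti's own code: wrap ./kdt scan for a CI job using
# only the flags shown on this page. Parameter names and KDT_DRY_RUN are
# assumptions for illustration.
#
# Usage: run_kdt_scan project branch scanner [target-branch] [pr-number] [scanner-types]
run_kdt_scan() {
  project="$1"; branch="$2"; scanner="$3"
  target="${4:-}"; pr="${5:-}"; types="${6:-}"

  # Build the argument list as positional parameters so branch names and
  # other CI-supplied values are never re-parsed by the shell (no eval).
  set -- ./kdt scan -p "$project" -b "$branch" -t "$scanner"

  # PR scan: kdt merges target and source locally, so triage decisions made on
  # the target carry over. The target must have been scanned at least once.
  if [ -n "$target" ]; then
    set -- "$@" --merge-target "$target"
  fi

  # PR decoration: push the results to the pull request.
  if [ -n "$pr" ]; then
    set -- "$@" --pr-number "$pr"
  fi

  # Restrict the open-vulnerability count shown in the PR to these scanner
  # types. Assumed meaningful only together with a PR number, so refuse otherwise.
  if [ -n "$types" ]; then
    if [ -z "$pr" ]; then
      echo "run_kdt_scan: scanner-types filter needs a PR number" >&2
      return 2
    fi
    set -- "$@" --pr-decoration-scanner-types "$types"
  fi

  # Dry run (assumed switch): print the command instead of executing it.
  if [ -n "${KDT_DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
    return 0
  fi
  "$@"
}

# Example CI wiring: a PR pipeline supplies a PR number, a branch pipeline does not.
# KDT_DRY_RUN=1 run_kdt_scan test feature gosec main 24 sast,sca
```

With KDT_DRY_RUN unset the wrapper executes kdt directly, so the job's exit status is kdt's own.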
