Package: Invicti AppSec Core (on-demand)
Source Scan
Invicti Source Scan is a Docker-based static analysis tool that scans your application source code to generate OpenAPI 3.0 specifications and uploads them to your API catalog in Invicti AppSec Core for DAST scanning.
This document explains how to run Source Scan, configure its options, and integrate it into your CI/CD pipeline.
Why this matters
Not all APIs generate live traffic you can intercept, and not all teams maintain up-to-date API specifications. Source Scan fills that gap by deriving API specifications directly from your source code, so you can discover and scan APIs that have never been documented or deployed yet.
How it works
Source Scan runs as a Docker container. It scans your source code, generates an OpenAPI 3.0 specification, optionally enriches it using an LLM, and uploads it directly to your API catalog.
Supported languages: Python, JavaScript, TypeScript, C#/.NET, Java, Go, Ruby, PHP, Rust, Kotlin, Swift, Scala, Crystal, and Elixir. Source Scan also parses existing OpenAPI/Swagger specifications and GraphQL schemas.
Prerequisites
Before you begin, make sure you have:
- Docker installed
- Your source code accessible locally or via Git
- Registry credentials for
registry.invicti.com(rundocker login registry.invicti.com) - A registration token from Invicti AppSec Core (see Step 1)
Step 1: Generate a registration token
- Select Discovery > API sources from the left-side menu.
- Click Add source.
- Select the Source Scan source type card.
- Click Continue.
- Click Generate token and copy the token. You'll use it as
INVICTI_JWT_TOKENin the Docker run command.
Step 2: Run the scan
Mount your source code at /code (read-only) and an output directory at /output. The generated specification is saved to output/openapi.json.
docker run --rm \
-v /path/to/source:/code:ro \
-v $(pwd)/output:/output \
registry.invicti.com/invicti-api-discovery/source-scan:latest
A typical scan takes 30 seconds to 2 minutes depending on project size.
Scan options
| Variable | Description |
|---|---|
SCANNER_PROFILE | Scan depth: quick, standard (default), or deep. |
SCANNER_PARALLEL | Enable parallel scanning: true or false. |
SCANNER_WORKERS | Number of worker threads. |
SCANNER_SERVICE_NAME | Name to use for the generated API service. |
SCANNER_INCREMENTAL | Enable incremental scanning to skip unchanged files. |
SCANNER_FAIL_ON_CRITICAL | Exit with a non-zero code if critical issues are found. |
AI-enriched specifications (optional)
Source Scan can use an LLM to improve the quality of generated specifications when the deterministic confidence is below 70%. To enable enrichment, set SCANNER_AI_ENRICH=true and provide an API key for your chosen provider:
| Provider | Environment variable |
|---|---|
| Anthropic | ANTHROPIC_API_KEY |
| OpenAI | OPENAI_API_KEY |
| Google Gemini | GOOGLE_API_KEY |
| AWS Bedrock | Bedrock-specific keys |
Enrichment costs approximately $0.10-$0.50 per 100 endpoints. You can reduce costs by mounting a cache volume:
-v $(pwd)/.enrichment-cache:/enrichment-cache
Step 3: upload to Invicti AppSec Core
Add the following variables to your Docker run command to upload the generated specification automatically, replacing <TOKEN> with your registration token:
-e INVICTI_SYNC=true \
-e INVICTI_JWT_TOKEN=<TOKEN>
To validate the output without uploading, use DRY_RUN=true instead of INVICTI_SYNC=true.
Step 4: View and scan imported APIs
- Select Discovery > API sources from the left-side menu to verify the specification was imported.
- Go to your API catalog and link the specification to a target.
- Start a DAST scan.
Output files
Source Scan writes the following files to the /output directory:
| File | Description |
|---|---|
openapi.json | Generated OpenAPI 3.0 specification. |
result.json | Full scan metadata. |
results.sarif | SARIF 2.1 output for GitHub integration. |
results.junit.xml | JUnit XML output for CI/CD pipelines. |
To enable change tracking, mount a previous specification via PREVIOUS_SPEC.
CI/CD integration
Source Scan works in any CI/CD environment that supports Docker. GitHub Actions and GitLab CI examples are available from Invicti Support.
Troubleshooting
No endpoints found
- Verify that
/codeis mounted correctly and points to the right directory. - Confirm your language is in the supported list.
- Increase the file size limit:
SCANNER_MAX_FILE_SIZE=10.
Slow scans
- Use
SCANNER_PROFILE=quickfor faster results. - Enable
SCANNER_PARALLEL=true. - Use
SCANNER_INCREMENTAL=trueto skip unchanged files.
Upload failures
- Verify your registration token is valid and hasn't expired (HTTP 401).
- If you see HTTP 410, the source may have been deleted in Invicti AppSec Core.
- Use
DRY_RUN=trueto test the output before uploading.
Windows paths with spaces
- Wrap volume mount paths in double quotes.
Need help?
Invicti Support team is ready to provide you with technical help. Go to Help Center