CI environment variables
This document lists and describes the environment variables supported by the Invicti Scan command-line tool for use in CI/CD pipelines. These variables allow you to configure and customize automated scans when integrating Invicti DAST into your development workflows.
- All variables should be defined securely using your CI/CD system's secret management features (for example, GitHub Actions Secrets, GitLab CI/CD Variables, Jenkins Credentials).
- Authentication requires either INVICTI_API_TOKEN (recommended) or the combination of INVICTI_API_USERNAME and INVICTI_API_PASSWORD.
- INVICTI_TARGET_ID is required for scans to run.
- INVICTI_SCAN_PROFILE must match a configured profile in your Invicti Platform instance.
Environment variables
| Variable name | Description | Example value | Possible values |
|---|---|---|---|
| INVICTI_AGENT_ID | GUID of a pre-existing agent configured in the platform. Find it under Scans > Agents. Default: null. Cannot be used with CloudAgent. | abc123-... | Any GUID |
| INVICTI_API_BASE_URL | Platform URL (string) | https://platform.invicti.com | |
| INVICTI_API_PASSWORD | Platform password. Use with INVICTI_API_USERNAME. Not recommended; use INVICTI_API_TOKEN instead. | | |
| INVICTI_API_TOKEN | (Recommended) API token for authentication. Generate it from your account settings. | 1234567890abcdef... | |
| INVICTI_API_USERNAME | Platform username. Use with INVICTI_API_PASSWORD. Not recommended; use INVICTI_API_TOKEN instead. | | |
| INVICTI_EXCLUDED_PATHS | Comma-separated list of paths to exclude from scanning. Default: null. | /admin,/login | |
| INVICTI_FAIL_ON_VULN_CONFIDENCE_FULL | Obsolete. When true, equivalent to setting INVICTI_MINIMUM_CONFIDENCE=100. Use INVICTI_MINIMUM_CONFIDENCE=100 directly instead. Requires INVICTI_MINIMUM_SEVERITY to be set. Default: false. | true | true, false |
| INVICTI_IGNORE_IF_VULN_STATUS_IGNORED | When true, vulnerabilities with a status of Ignored or False Positive are excluded from build failure checks. Default: true. | true | true, false |
| INVICTI_IMPORT_FILE_PATHS | Comma-separated list of file paths or patterns to import into the target before scanning. Cannot be used with TargetDefault. Default: null. See Import file patterns for details. | imports/*.har,openapi/*.yaml | |
| INVICTI_LOG_LEVEL | Logging verbosity level. Default: INFO. | INFO | DEBUG, INFO |
| INVICTI_MINIMUM_CONFIDENCE | Minimum confidence level (1–100) for vulnerabilities to trigger a build failure. Vulnerabilities below this threshold are ignored. Can be used independently or with INVICTI_MINIMUM_SEVERITY. Default: null. | 80 | 1–100 |
| INVICTI_MINIMUM_SEVERITY | Minimum severity for build failure. Fails the build if any vulnerability at this level or higher is found. Default: null. | High | Critical, High, Medium, Low, Info |
| INVICTI_REPORT_TEMPLATE | Name of a report template configured in the platform. When set, a report is generated after the scan completes. Default: null. | Comprehensive | |
| INVICTI_SCAN_AGENT | Which scanning agent to use. Default: TargetDefault. See Scan agent types for details. | CloudAgent | TargetDefault, CloudAgent, EphemeralAgent |
| INVICTI_SCAN_PROFILE | Name of a scan profile configured in the platform. Default: Full Scan. | Full Scan | |
| INVICTI_SCAN_TIMEOUT | Maximum scan duration in minutes. Default: 20. | 20 | |
| INVICTI_TARGET_ID | ID of the target to scan, as configured in the platform. See Retrieve the target ID. | abcd1234-5678-efgh-ijkl-9876mnopqrst | |
| INVICTI_TARGET_URL | URL of the target to scan. For ephemeral targets only. Do not use localhost, because in that context it refers to the container itself. | https://test.test.net | |
| INVICTI_TRIGGER_SCAN_ONLY | When true, starts the scan and exits immediately without waiting for results. The scan continues running in the background. Cannot be used with EphemeralAgent. Default: false. | true | true, false |
Authentication
INVICTI_API_TOKEN is the recommended authentication method. It provides non-disruptive, persistent access without affecting other sessions.
Using INVICTI_API_USERNAME and INVICTI_API_PASSWORD is supported but not recommended. Each login invalidates any existing sessions, which can disrupt other users or integrations sharing the same account.
Import file patterns
The INVICTI_IMPORT_FILE_PATHS variable allows you to import traffic files, API definitions, or other scan data into the target before scanning begins. This variable accepts a comma-separated list of file paths or wildcard patterns.
- Can't be used with the TargetDefault agent type
- The scan fails if any specified pattern matches zero files
- Import files are automatically cleaned up from the target after the scan completes
Pattern syntax
Wildcard patterns:
- Supports standard wildcards: * (matches any characters) and ? (matches a single character)
- Searches recursively in all subdirectories from the specified directory
- Each pattern is evaluated separately as directory path + filename pattern
- If no directory is specified, the current directory (.) is used
Example patterns:
| Pattern | Description |
|---|---|
| imports/*.har | All HAR files in the imports directory and its subdirectories |
| test-data/traffic.saz | Specific file at the given path |
| *.postman_collection.json | All Postman collection files in the current directory and subdirectories |
| openapi/*.yaml | All YAML files in the openapi directory and subdirectories |
| swagger*.json | All JSON files starting with "swagger" in the current directory and subdirectories |
| *.har,*.xml,swagger*.json | Multiple patterns (comma-separated) |
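The matching rules above (split each pattern into directory path plus filename pattern, search that directory recursively, fail when a pattern matches nothing) are easy to check in the pipeline before the scanner is even started. The POSIX shell functions below are an added example written for this page, not Invicti's own code; they emulate the documented rules with find, and the sample directory layout in the usage note is constructed.

```shell
#!/bin/sh
# Constructed example (not Invicti's code): emulate the documented matching rules for
# INVICTI_IMPORT_FILE_PATHS so a pipeline can fail fast, before the scan is triggered,
# when a pattern matches nothing. Rules mirrored from the page:
#   - each comma-separated pattern is split into directory path + filename pattern
#   - the filename pattern is matched recursively below that directory
#   - a missing directory part means the current directory (.)

# expand_import_pattern PATTERN
# Prints every file under the pattern's directory whose name matches the filename part.
expand_import_pattern() {
  pattern=$1
  case $pattern in
    */*) dir=${pattern%/*}; name=${pattern##*/} ;;   # "imports/*.har" -> imports + *.har
    *)   dir=.;             name=$pattern ;;         # "swagger*.json" -> . + swagger*.json
  esac
  [ -d "$dir" ] || return 0          # nonexistent directory: simply matches nothing
  find "$dir" -type f -name "$name"  # -name accepts the same * and ? wildcards
}

# check_import_paths "pattern1,pattern2,..."
# Reports the match count per pattern; returns 1 if any pattern matches zero files,
# which is the condition under which the CLI fails the scan.
check_import_paths() {
  status=0
  old_ifs=$IFS; IFS=,
  set -- $1                          # split the list on commas
  IFS=$old_ifs
  for p in "$@"; do
    count=$(expand_import_pattern "$p" | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
      echo "error: no files match import pattern '$p'" >&2
      status=1
    else
      echo "$p -> $count file(s)"
    fi
  done
  return $status
}
```

Usage: source the file in the job and run `check_import_paths "$INVICTI_IMPORT_FILE_PATHS" || exit 1` before invoking the scanner. Note that the filename part is matched against basenames only, which is why imports/*.har also matches a .har file in imports/sub/, exactly as the pattern table describes.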
Supported file types
Common import file formats include:
- HAR files (*.har)
- Fiddler SAZ files (*.saz)
- Postman collections (*.postman_collection.json)
- OpenAPI/Swagger definitions (*.yaml, *.json)
- XML files (*.xml)
Scan agent types
The INVICTI_SCAN_AGENT variable determines which agent performs the scan and how the target configuration is handled:
- TargetDefault (default): Uses the target's existing configuration as-is. No modifications are made to the target settings. Use this when you have already configured the target in Invicti Platform and want to trigger scans without changing any settings.
- CloudAgent: Forces the scan to use Invicti's cloud-hosted scanning infrastructure. The CLI removes any existing agent assignments from the target to ensure cloud scanners are used. Use this when your target is publicly accessible from the internet.
- EphemeralAgent: Launches a temporary internal scanning agent from the CLI's environment. This allows scanning targets that are only accessible from the machine running the CLI, for example internal networks, staging environments behind firewalls, or CI/CD environments. The agent is automatically registered, used for the scan, and cleaned up afterward. Use this when your target is not accessible from the cloud.
Choosing the right agent type
| Use case | Agent type |
|---|---|
| Target is already configured in the platform and you want to trigger scans without changing settings | TargetDefault |
| Target is publicly accessible and you want to use Invicti's managed cloud infrastructure | CloudAgent |
| Target is only accessible from the CI/CD environment (internal apps, staging behind a firewall) | EphemeralAgent |
Compatibility notes
Some variables cannot be combined with certain agent types:
| Variable | Incompatible with | Reason |
|---|---|---|
| INVICTI_IMPORT_FILE_PATHS | TargetDefault | Importing files modifies the target's configuration |
| INVICTI_AGENT_ID | CloudAgent | Cloud agents are managed by Invicti |
| INVICTI_TRIGGER_SCAN_ONLY | EphemeralAgent | The agent would be cleaned up before the scan completes |
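The variable table, the authentication notes and the compatibility table together define a small set of consistency rules. A pre-flight check that applies them lets a job fail on a misconfiguration before it spends a scan slot or sends credentials anywhere. The script below is an added example written for this page, not Invicti's own tooling: it checks the authentication options, the required target ID, the allowed agent types and the three documented incompatibilities, and the threshold and timeout value ranges. The https:// requirement on INVICTI_API_BASE_URL is this script's own addition, not a constraint stated on the page; all other rules come from the tables above.

```shell
#!/bin/sh
# Constructed pre-flight check for a CI job that runs the Invicti Scan CLI. This is an added
# illustration, not Invicti's own code: it applies the rules stated in the tables above so a
# misconfigured job fails before any scan is triggered. The https:// requirement on
# INVICTI_API_BASE_URL is this script's own addition, not a documented constraint.

problems=0

# fail MESSAGE: record a problem without exiting, so every issue is reported in one run.
fail() { echo "error: $1" >&2; problems=$((problems + 1)); }

# in_set VALUE "a b c": succeed when VALUE equals one of the space-separated words.
in_set() {
  for w in $2; do [ "$1" = "$w" ] && return 0; done
  return 1
}

# is_int VALUE: succeed for a non-empty string of decimal digits.
is_int() { case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# validate_invicti_env: returns 0 when the INVICTI_* configuration is consistent, 1 otherwise.
validate_invicti_env() {
  problems=0
  agent=${INVICTI_SCAN_AGENT:-TargetDefault}

  # Authentication: a token, or a username and password together.
  if [ -z "$INVICTI_API_TOKEN" ]; then
    if [ -z "$INVICTI_API_USERNAME" ] || [ -z "$INVICTI_API_PASSWORD" ]; then
      fail "set INVICTI_API_TOKEN, or both INVICTI_API_USERNAME and INVICTI_API_PASSWORD"
    else
      echo "warning: username/password login invalidates other sessions; prefer INVICTI_API_TOKEN" >&2
    fi
  fi
  if [ -n "$INVICTI_API_BASE_URL" ]; then
    case $INVICTI_API_BASE_URL in
      https://*) ;;
      *) fail "INVICTI_API_BASE_URL should use https:// so credentials are not sent in clear text" ;;
    esac
  fi
  [ -n "$INVICTI_TARGET_ID" ] || fail "INVICTI_TARGET_ID is required"

  # Agent type and the documented incompatibilities.
  in_set "$agent" "TargetDefault CloudAgent EphemeralAgent" \
    || fail "INVICTI_SCAN_AGENT must be TargetDefault, CloudAgent or EphemeralAgent (got '$agent')"
  if [ -n "$INVICTI_IMPORT_FILE_PATHS" ] && [ "$agent" = TargetDefault ]; then
    fail "INVICTI_IMPORT_FILE_PATHS cannot be used with TargetDefault"
  fi
  if [ -n "$INVICTI_AGENT_ID" ] && [ "$agent" = CloudAgent ]; then
    fail "INVICTI_AGENT_ID cannot be used with CloudAgent"
  fi
  if [ "${INVICTI_TRIGGER_SCAN_ONLY:-false}" = true ] && [ "$agent" = EphemeralAgent ]; then
    fail "INVICTI_TRIGGER_SCAN_ONLY cannot be used with EphemeralAgent"
  fi

  # Build-failure thresholds.
  if [ -n "$INVICTI_MINIMUM_SEVERITY" ]; then
    in_set "$INVICTI_MINIMUM_SEVERITY" "Critical High Medium Low Info" \
      || fail "INVICTI_MINIMUM_SEVERITY must be Critical, High, Medium, Low or Info"
  fi
  if [ -n "$INVICTI_MINIMUM_CONFIDENCE" ]; then
    if ! is_int "$INVICTI_MINIMUM_CONFIDENCE" || [ "$INVICTI_MINIMUM_CONFIDENCE" -lt 1 ] \
        || [ "$INVICTI_MINIMUM_CONFIDENCE" -gt 100 ]; then
      fail "INVICTI_MINIMUM_CONFIDENCE must be an integer from 1 to 100"
    fi
  fi
  if [ "${INVICTI_FAIL_ON_VULN_CONFIDENCE_FULL:-false}" = true ]; then
    echo "warning: INVICTI_FAIL_ON_VULN_CONFIDENCE_FULL is obsolete; set INVICTI_MINIMUM_CONFIDENCE=100" >&2
    [ -n "$INVICTI_MINIMUM_SEVERITY" ] \
      || fail "INVICTI_FAIL_ON_VULN_CONFIDENCE_FULL requires INVICTI_MINIMUM_SEVERITY"
  fi

  # Remaining typed values.
  if [ -n "$INVICTI_SCAN_TIMEOUT" ]; then
    if ! is_int "$INVICTI_SCAN_TIMEOUT" || [ "$INVICTI_SCAN_TIMEOUT" -lt 1 ]; then
      fail "INVICTI_SCAN_TIMEOUT must be a positive number of minutes"
    fi
  fi
  in_set "${INVICTI_LOG_LEVEL:-INFO}" "DEBUG INFO" || fail "INVICTI_LOG_LEVEL must be DEBUG or INFO"

  [ "$problems" -eq 0 ]
}
```

Usage: source the file in the job step that has the secrets injected and run `validate_invicti_env || exit 1` before the scan command. Every problem is reported in a single run rather than one per retry, and the check never prints the values of INVICTI_API_TOKEN or INVICTI_API_PASSWORD, so it is safe in CI logs.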
Example usage
# Single pattern
INVICTI_IMPORT_FILE_PATHS="imports/*.har"
# Multiple patterns
INVICTI_IMPORT_FILE_PATHS="test-data/*.har,openapi/*.yaml,*.postman_collection.json"
# Specific file
INVICTI_IMPORT_FILE_PATHS="recordings/api-traffic.saz"
For complete integration guidance, refer to the Integrate CI-driven scans document.