Deployment: Invicti Platform on-demand, Invicti Platform on-premises
CI environment variables
This document lists and describes the environment variables supported by the Invicti Scan command-line tool for use in CI/CD pipelines. These variables allow you to configure and customize automated scans when integrating Invicti DAST into your development workflows.
- All variables should be defined securely using your CI/CD system's secret management features (for example, GitHub Actions Secrets, GitLab CI/CD Variables, Jenkins Credentials).
- Authentication requires either `INVICTI_API_TOKEN` (recommended) or the combination of `INVICTI_API_USERNAME` and `INVICTI_API_PASSWORD`.
- `INVICTI_TARGET_ID` is required for scans to run.
- `INVICTI_SCAN_PROFILE` must match a configured profile in your Invicti Platform instance.
Environment variables
| Variable name | Description | Example value | Possible values |
|---|---|---|---|
| INVICTI_AGENT_ID | GUID of a pre-existing agent configured in the platform. Find it under Scans > Agents. Default: null. Cannot be used with CloudAgent. | abc123-... | Any GUID |
| INVICTI_API_BASE_URL | Platform URL (string). | https://platform.invicti.com | |
| INVICTI_API_PASSWORD | Platform password. Use with INVICTI_API_USERNAME. Not recommended; use INVICTI_API_TOKEN instead. | | |
| INVICTI_API_TOKEN | (Recommended) API token for authentication. Generate it from your account settings. | 1234567890abcdef... | |
| INVICTI_API_USERNAME | Platform username. Use with INVICTI_API_PASSWORD. Not recommended; use INVICTI_API_TOKEN instead. | | |
| INVICTI_EXCLUDED_PATHS | Comma-separated list of paths to exclude from scanning. Default: null. | /admin,/login | |
| INVICTI_FAIL_ON_VULN_CONFIDENCE_FULL | Obsolete. When true, equivalent to setting INVICTI_MINIMUM_CONFIDENCE=100. Use INVICTI_MINIMUM_CONFIDENCE=100 directly instead. Requires INVICTI_MINIMUM_SEVERITY to be set. Default: false. | true | true, false |
| INVICTI_IGNORE_IF_VULN_STATUS_IGNORED | When true, vulnerabilities with a status of Ignored or False Positive are excluded from build failure checks. Default: true. | true | true, false |
| INVICTI_IMPORT_FILE_PATHS | Comma-separated list of file paths or patterns to import into the target before scanning. Cannot be used with TargetDefault. Default: null. See Import file patterns for details. | imports/*.har,openapi/*.yaml | |
| INVICTI_LOG_LEVEL | Logging verbosity level. Default: INFO. | INFO | DEBUG, INFO |
| INVICTI_MINIMUM_CONFIDENCE | Minimum confidence level (1–100) for vulnerabilities to trigger a build failure. Vulnerabilities below this threshold are ignored. Can be used independently or with INVICTI_MINIMUM_SEVERITY. Default: null. | 80 | 1–100 |
| INVICTI_MINIMUM_SEVERITY | Minimum severity for build failure. Fails the build if any vulnerability at this level or higher is found. Default: null. | High | Critical, High, Medium, Low, Info |
| INVICTI_REPORT_TEMPLATE | Name of a report template configured in the platform. When set, a report is generated after the scan completes. Default: null. | Comprehensive | |
| INVICTI_EXPORT_LIST | Comma-separated list of ExportType:FileName pairs specifying which formats to export after the scan. Export types can be obtained from /api/v1/export_types with accepted_sources set to scan_result, or from the Export to button in the top-right corner of a scan. Export type names and file names must not contain commas. File names must not exceed 100 characters. Default: null. See Export list for details. | XML:export.xml | |
| INVICTI_SCAN_AGENT | Which scanning agent to use. Default: TargetDefault. See Scan agent types for details. | CloudAgent | TargetDefault, CloudAgent, EphemeralAgent |
| INVICTI_SCAN_PROFILE | Name of a scan profile configured in the platform. Default: Full Scan. | Full Scan | |
| INVICTI_SCAN_TIMEOUT | Maximum time (in minutes) allowed for a scan to complete before it is stopped. Valid range: 5–10080 (7 days). Default: null (uses the target's configured timeout, typically 48 hours). Note: ignored when INVICTI_SCAN_AGENT is TargetDefault; the target's existing timeout is used instead. | 120 | Integer (5–10080) |
| INVICTI_TARGET_ID | ID of the target to scan, as configured in the platform. See Retrieve the target ID. | abcd1234-5678-efgh-ijkl-9876mnopqrst | |
| INVICTI_TARGET_URL | URL of the target to scan. For ephemeral targets only. Don't use localhost, because in that context it refers to the container itself. | https://test.test.net | |
| INVICTI_TRIGGER_SCAN_ONLY | When true, starts the scan and exits immediately without waiting for results. The scan continues running in the background. The CLI displays the scan ID and URL for tracking, exits with code 0, and skips vulnerability processing and report generation. Cannot be used with EphemeralAgent. Default: false. | true | true, false |
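The build-failure variables in the table interact (severity threshold, confidence threshold, the obsolete confidence flag, and the Ignored/False Positive exclusion). The following added example, which is not Invicti's own code, models those documented semantics over a constructed list of findings so the effect of a given combination can be checked before it is wired into a pipeline. It assumes that a finding must pass every configured gate to fail the build and that with neither threshold set the build never fails on findings; the finding fields (`severity`, `confidence`, `status`) are the example's own names.

```python
"""Build-failure gate for Invicti CI scan results (added example, not Invicti's code).

Models INVICTI_MINIMUM_SEVERITY, INVICTI_MINIMUM_CONFIDENCE,
INVICTI_IGNORE_IF_VULN_STATUS_IGNORED and the obsolete
INVICTI_FAIL_ON_VULN_CONFIDENCE_FULL as documented in the variables table.
Assumption: a finding must pass every configured gate to fail the build, and
with neither threshold set no finding fails the build.
"""
import os

# Severity order as listed in the variables table, most severe first.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info"]
# Statuses excluded from build failure checks when the ignore flag is true.
IGNORED_STATUSES = {"Ignored", "False Positive"}


def _as_bool(value, default):
    """Parse a true/false variable, falling back to the documented default."""
    if value is None or value.strip() == "":
        return default
    return value.strip().lower() == "true"


def resolve_gate(env):
    """Translate the variables into (min_severity_index, min_confidence, ignore_flag).

    A None threshold means that gate is not configured. Raises ValueError for
    values outside the documented ranges or for the obsolete flag used alone.
    """
    severity = env.get("INVICTI_MINIMUM_SEVERITY") or None
    if severity is not None and severity not in SEVERITY_ORDER:
        raise ValueError(f"INVICTI_MINIMUM_SEVERITY must be one of {SEVERITY_ORDER}, got {severity!r}")
    sev_index = SEVERITY_ORDER.index(severity) if severity else None

    confidence = env.get("INVICTI_MINIMUM_CONFIDENCE") or None
    min_conf = int(confidence) if confidence else None
    # Obsolete flag: equivalent to INVICTI_MINIMUM_CONFIDENCE=100, and only
    # valid when INVICTI_MINIMUM_SEVERITY is also set.
    if _as_bool(env.get("INVICTI_FAIL_ON_VULN_CONFIDENCE_FULL"), False):
        if severity is None:
            raise ValueError("INVICTI_FAIL_ON_VULN_CONFIDENCE_FULL requires INVICTI_MINIMUM_SEVERITY")
        min_conf = 100
    if min_conf is not None and not 1 <= min_conf <= 100:
        raise ValueError(f"INVICTI_MINIMUM_CONFIDENCE must be 1-100, got {min_conf}")

    ignore_flag = _as_bool(env.get("INVICTI_IGNORE_IF_VULN_STATUS_IGNORED"), True)
    return sev_index, min_conf, ignore_flag


def failing_findings(findings, env):
    """Return the findings that would fail the build under the given variables.

    Each finding is a dict with 'severity', 'confidence' (1-100) and 'status'.
    """
    sev_index, min_conf, ignore_flag = resolve_gate(env)
    if sev_index is None and min_conf is None:
        return []  # both thresholds default to null: no gate configured
    result = []
    for finding in findings:
        if ignore_flag and finding["status"] in IGNORED_STATUSES:
            continue  # Ignored / False Positive are excluded from the check
        if sev_index is not None and SEVERITY_ORDER.index(finding["severity"]) > sev_index:
            continue  # less severe than the configured minimum
        if min_conf is not None and finding["confidence"] < min_conf:
            continue  # below the confidence threshold
        result.append(finding)
    return result


# Constructed sample findings for illustration, not real scan output.
SAMPLE_FINDINGS = [
    {"name": "SQLi", "severity": "Critical", "confidence": 100, "status": "Present"},
    {"name": "XSS", "severity": "High", "confidence": 60, "status": "Present"},
    {"name": "Old header", "severity": "Medium", "confidence": 95, "status": "Present"},
    {"name": "Noisy", "severity": "High", "confidence": 100, "status": "False Positive"},
]

if __name__ == "__main__":
    # Evaluate the sample findings against the variables exported in the shell.
    failed = failing_findings(SAMPLE_FINDINGS, os.environ)
    for finding in failed:
        print(f"FAIL: {finding['name']} ({finding['severity']}, confidence {finding['confidence']})")
    raise SystemExit(1 if failed else 0)
```

Run it with, for example, `INVICTI_MINIMUM_SEVERITY=High INVICTI_MINIMUM_CONFIDENCE=80 python gate.py`: only the Critical finding with confidence 100 survives all three gates, because the High finding is below the confidence threshold and the False Positive one is excluded by the default ignore flag.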
Authentication
INVICTI_API_TOKEN is the recommended authentication method. It provides non-disruptive, persistent access without affecting other sessions.
Using INVICTI_API_USERNAME and INVICTI_API_PASSWORD is supported but not recommended. Each login invalidates any existing sessions, which can disrupt other users or integrations sharing the same account.
Import file patterns
The INVICTI_IMPORT_FILE_PATHS variable allows you to import traffic files, API definitions, or other scan data into the target before scanning begins. This variable accepts a comma-separated list of file paths or wildcard patterns.
- Can't be used with the `TargetDefault` agent type
- The scan fails if any specified pattern matches zero files
- Invicti automatically removes import files from the target after the scan completes
Pattern syntax
Wildcard patterns:
- Supports standard wildcards: `*` (matches any characters), `?` (matches a single character)
- Searches recursively in all subdirectories from the specified directory
- Each pattern is evaluated separately: directory path + filename pattern
- If no directory is specified, uses the current directory (`.`)
Example patterns:
| Pattern | Description |
|---|---|
| imports/*.har | All HAR files in the imports directory and its subdirectories |
| test-data/traffic.saz | Specific file at the given path |
| *.postman_collection.json | All Postman collection files in the current directory and subdirectories |
| openapi/*.yaml | All YAML files in the openapi directory and subdirectories |
| swagger*.json | All JSON files starting with "swagger" in the current directory and subdirectories |
| *.har,*.xml,swagger*.json | Multiple patterns (comma-separated) |
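Because a pattern that matches zero files fails the whole scan, it is worth expanding `INVICTI_IMPORT_FILE_PATHS` in a pre-flight step so the pipeline fails early with a clear message. The following added example, which is not Invicti's own code, implements the pattern syntax and table above: each comma-separated entry is split into a directory part and a filename pattern, the filename pattern is matched recursively below that directory (the current directory when none is given), and an entry with no matches is reported as an error. It assumes the CLI's matcher behaves like Python's `pathlib.rglob` for the documented `*` and `?` wildcards; the sample file tree it builds is constructed for the example.

```python
"""Pre-flight expansion of INVICTI_IMPORT_FILE_PATHS (added example, not Invicti's code).

Assumption: the CLI's matcher behaves like pathlib's rglob for '*' and '?'.
"""
import os
import tempfile
from pathlib import Path


class ImportPatternError(ValueError):
    """Raised when an import pattern matches zero files (the scan would fail)."""


def expand_import_patterns(spec, root="."):
    """Expand a comma-separated pattern list relative to `root`.

    Returns {pattern: [relative POSIX paths, sorted]} and raises
    ImportPatternError for the first pattern that matches nothing.
    """
    root = Path(root)
    matches = {}
    for raw in spec.split(","):
        pattern = raw.strip()
        if not pattern:
            continue  # tolerate a trailing comma
        # Each pattern is evaluated separately: directory path + filename pattern.
        directory, filename = os.path.split(pattern)
        base = root / (directory or ".")  # no directory means the current directory
        found = sorted(
            path.relative_to(root).as_posix()
            for path in base.rglob(filename)  # recursive below the given directory
            if path.is_file()
        )
        if not found:
            raise ImportPatternError(f"import pattern {pattern!r} matched zero files under {base}")
        matches[pattern] = found
    return matches


def build_sample_tree():
    """Create a constructed directory tree for trying the expander; returns its root."""
    root = Path(tempfile.mkdtemp(prefix="invicti-imports-"))
    for rel in [
        "imports/a.har",
        "imports/sub/b.har",
        "imports/notes.txt",
        "openapi/spec.yaml",
        "swagger-v1.json",
        "recordings/api-traffic.saz",
    ]:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("constructed sample content\n")
    return root


if __name__ == "__main__":
    spec = os.environ.get("INVICTI_IMPORT_FILE_PATHS", "imports/*.har,openapi/*.yaml,swagger*.json")
    root = build_sample_tree() if "INVICTI_IMPORT_FILE_PATHS" not in os.environ else "."
    try:
        for pattern, files in expand_import_patterns(spec, root).items():
            print(f"{pattern}: {', '.join(files)}")
    except ImportPatternError as exc:
        print("config error:", exc)
        raise SystemExit(1)
```

With the constructed tree, `imports/*.har` resolves to both `imports/a.har` and `imports/sub/b.har` (recursion into subdirectories), `swagger*.json` is searched from the root because it has no directory part, and a pattern such as `imports/*.xml` raises because nothing matches.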
Supported file types
Common import file formats include:
- HAR files (`*.har`)
- Fiddler SAZ files (`*.saz`)
- Postman collections (`*.postman_collection.json`)
- OpenAPI/Swagger definitions (`*.yaml`, `*.json`)
- XML files (`*.xml`)
Export list
The INVICTI_EXPORT_LIST variable allows you to export scan results in one or more formats after the scan completes. This variable accepts a comma-separated list of ExportType:FileName pairs.
- Export type names and file names must not contain commas
- File names must not exceed 100 characters
Export type names
Export type names can be obtained from:
- The `/api/v1/export_types` API endpoint with `accepted_sources` set to `scan_result`
- The Export to button in the top-right corner of a scan in the platform
Example usage
```bash
# Single export
INVICTI_EXPORT_LIST="XML:export.xml"
# Multiple exports
INVICTI_EXPORT_LIST="XML:export.xml,CSV Vulnerabilities:vulns.csv,CSV Locations:locations.csv"
```
Scan agent types
The INVICTI_SCAN_AGENT variable determines which agent performs the scan and how the target configuration is handled:
- `TargetDefault` (default): Uses the target's existing configuration as-is. No modifications are made to the target settings. Use this when you have already configured the target in Invicti Platform and want to trigger scans without changing any settings.
- `CloudAgent`: Forces the scan to use Invicti's cloud-hosted scanning infrastructure. The CLI removes any existing agent assignments from the target to ensure cloud scanners are used. Use this when your target is publicly accessible from the internet.
- `EphemeralAgent`: Launches a temporary internal scanning agent from the CLI's environment. This allows scanning targets that are only accessible from the machine running the CLI, for example internal networks, staging environments behind firewalls, or CI/CD environments. The agent is automatically registered, used for the scan, and cleaned up afterward. Use this when your target is not accessible from the cloud.
Choosing the right agent type
| Use case | Agent type |
|---|---|
| Target is already configured in the platform and you want to trigger scans without changing settings | TargetDefault |
| Target is publicly accessible and you want to use Invicti's managed cloud infrastructure | CloudAgent |
| Target is only accessible from the CI/CD environment (internal apps, staging behind a firewall) | EphemeralAgent |
Compatibility notes
Some variables can't be combined with certain agent types:
| Variable | Incompatible with | Reason |
|---|---|---|
| INVICTI_IMPORT_FILE_PATHS | TargetDefault | Importing files modifies the target's configuration |
| INVICTI_AGENT_ID | CloudAgent | Cloud agents are managed by Invicti |
| INVICTI_TRIGGER_SCAN_ONLY | EphemeralAgent | The agent would be cleaned up before the scan completes |
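The constraints stated across this document (authentication and target requirements, the compatibility table above, the numeric ranges, the allowed severity and log-level values, and the ExportType:FileName format of the Export list section) can all be checked before the scan step runs, so that a misconfigured pipeline fails in seconds with a clear message rather than after a scan has started. The following added example, which is not Invicti's own code, is such a pre-flight validator; the function names and error wording are the example's own, and the sample configurations are constructed.

```python
"""Pre-flight validation of the Invicti CI variables (added example, not Invicti's code).

Returns human-readable errors for every documented constraint that is violated.
"""
import os

SEVERITIES = {"Critical", "High", "Medium", "Low", "Info"}
LOG_LEVELS = {"DEBUG", "INFO"}
AGENTS = {"TargetDefault", "CloudAgent", "EphemeralAgent"}

# Variable -> agent type it cannot be combined with (compatibility notes table).
INCOMPATIBLE = {
    "INVICTI_IMPORT_FILE_PATHS": "TargetDefault",
    "INVICTI_AGENT_ID": "CloudAgent",
    "INVICTI_TRIGGER_SCAN_ONLY": "EphemeralAgent",
}


def parse_export_list(spec):
    """Split INVICTI_EXPORT_LIST into (export_type, file_name) pairs.

    Names cannot contain commas, so splitting on ',' is unambiguous. Raises
    ValueError for an entry without ':' or a file name over 100 characters.
    """
    pairs = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if ":" not in entry:
            raise ValueError(f"export entry {entry!r} is not of the form ExportType:FileName")
        export_type, file_name = (part.strip() for part in entry.split(":", 1))
        if len(file_name) > 100:
            raise ValueError(f"file name for export type {export_type!r} exceeds 100 characters")
        pairs.append((export_type, file_name))
    return pairs


def validate_env(env):
    """Return a list of error strings; an empty list means the variables are acceptable."""
    errors = []

    def get(name):
        return env.get(name, "").strip()

    def truthy(name):
        return get(name).lower() == "true"

    # Authentication: token, or username and password together; target ID always.
    if not get("INVICTI_API_TOKEN") and not (get("INVICTI_API_USERNAME") and get("INVICTI_API_PASSWORD")):
        errors.append("set INVICTI_API_TOKEN (recommended) or both INVICTI_API_USERNAME and INVICTI_API_PASSWORD")
    if not get("INVICTI_TARGET_ID"):
        errors.append("INVICTI_TARGET_ID is required")

    # Agent type and the compatibility table.
    agent = get("INVICTI_SCAN_AGENT") or "TargetDefault"  # documented default
    if agent not in AGENTS:
        errors.append(f"INVICTI_SCAN_AGENT must be one of {sorted(AGENTS)}, got {agent!r}")
    for var, bad_agent in INCOMPATIBLE.items():
        in_use = truthy(var) if var == "INVICTI_TRIGGER_SCAN_ONLY" else bool(get(var))
        if in_use and agent == bad_agent:
            errors.append(f"{var} cannot be used with INVICTI_SCAN_AGENT={bad_agent}")

    # Numeric ranges and enumerated values from the variables table.
    timeout = get("INVICTI_SCAN_TIMEOUT")
    if timeout and not (timeout.isdigit() and 5 <= int(timeout) <= 10080):
        errors.append("INVICTI_SCAN_TIMEOUT must be an integer from 5 to 10080 minutes")
    confidence = get("INVICTI_MINIMUM_CONFIDENCE")
    if confidence and not (confidence.isdigit() and 1 <= int(confidence) <= 100):
        errors.append("INVICTI_MINIMUM_CONFIDENCE must be an integer from 1 to 100")
    severity = get("INVICTI_MINIMUM_SEVERITY")
    if severity and severity not in SEVERITIES:
        errors.append(f"INVICTI_MINIMUM_SEVERITY must be one of {sorted(SEVERITIES)}")
    if truthy("INVICTI_FAIL_ON_VULN_CONFIDENCE_FULL") and not severity:
        errors.append("INVICTI_FAIL_ON_VULN_CONFIDENCE_FULL requires INVICTI_MINIMUM_SEVERITY")
    level = get("INVICTI_LOG_LEVEL")
    if level and level not in LOG_LEVELS:
        errors.append("INVICTI_LOG_LEVEL must be DEBUG or INFO")

    # Export list format.
    if get("INVICTI_EXPORT_LIST"):
        try:
            parse_export_list(get("INVICTI_EXPORT_LIST"))
        except ValueError as exc:
            errors.append(f"INVICTI_EXPORT_LIST: {exc}")
    return errors


if __name__ == "__main__":
    problems = validate_env(os.environ)
    for problem in problems:
        print("config error:", problem)
    raise SystemExit(1 if problems else 0)
```

Run it as a pipeline step before the scan command (`python validate_invicti_env.py || exit 1`); it reads the same variables the CLI will see, so a username supplied without a password, an import list combined with the default `TargetDefault` agent, or a timeout below 5 minutes is caught before any scan is triggered.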
Example usage
```bash
# Single pattern
INVICTI_IMPORT_FILE_PATHS="imports/*.har"
# Multiple patterns
INVICTI_IMPORT_FILE_PATHS="test-data/*.har,openapi/*.yaml,*.postman_collection.json"
# Specific file
INVICTI_IMPORT_FILE_PATHS="recordings/api-traffic.saz"
```
For complete integration guidance, refer to the Integrate CI-driven scans document.