CI environment variables
This document lists and describes the environment variables supported by the Invicti Scan command-line tool for use in CI/CD pipelines. These variables allow you to configure and customize automated scans when integrating Invicti DAST into your development workflows.
- All variables should be defined securely using your CI/CD system's secret management features (for example, GitHub Actions Secrets, GitLab CI/CD Variables, Jenkins Credentials).
- INVICTI_API_TOKEN and INVICTI_TARGET_ID are required for scans to run. INVICTI_SCAN_PROFILE must match a configured profile in your Invicti Platform instance.
Environment variables
| Variable Name | Description | Example value | Possible values |
|---|---|---|---|
| INVICTI_API_BASE_URL | Base URL for the Invicti API (string) | https://platform.invicti.com | |
| INVICTI_API_TOKEN | API token for authenticating command-line tool scan requests (string) | 1234567890abcdef... | |
| INVICTI_IMPORT_FILE_PATHS | Comma-separated list of file paths or patterns to import into the target before scanning. See Import file patterns for details. Cannot be used with the TargetDefault agent type. Default: null | imports/*.har,openapi/*.yaml | |
| INVICTI_LOG_LEVEL | Logging verbosity level (enum) | INFO | DEBUG, INFO, WARNING, ERROR, CRITICAL |
| INVICTI_MINIMUM_SEVERITY | Minimum severity at which the build breaks. If set, the build fails when any vulnerability of that severity or higher is found (enum) | High | Critical, High, Medium, Low, Info |
| INVICTI_REPORT_TEMPLATE | The report template to use | Comprehensive | |
| INVICTI_SCAN_AGENT | The scan agent to use (enum). See Scan agent types for details. Default: TargetDefault | CloudAgent | TargetDefault, CloudAgent |
| INVICTI_SCAN_PROFILE | Name of the scan profile to use (string) | Full Scan | |
| INVICTI_SCAN_TIMEOUT | Maximum scan duration in minutes (integer) | 20 | |
| INVICTI_TARGET_ID | ID of the target to scan, as defined in the Invicti Platform (string) | abcd1234-5678-efgh-ijkl-9876mnopqrst | |
Import file patterns
The INVICTI_IMPORT_FILE_PATHS variable allows you to import traffic files, API definitions, or other scan data into the target before scanning begins. This variable accepts a comma-separated list of file paths or wildcard patterns.
- Cannot be used with the TargetDefault agent type
- The scan fails if any specified pattern matches zero files
- Import files are automatically cleaned up from the target after the scan completes
Pattern syntax
Wildcard patterns:
- Supports standard wildcards: * (matches any characters), ? (matches a single character)
- Searches recursively in all subdirectories from the specified directory
- Each pattern is evaluated separately as a directory path plus a filename pattern
- If no directory is specified, the current directory (.) is used
Example patterns:
| Pattern | Description |
|---|---|
imports/*.har | All HAR files in the imports directory and its subdirectories |
test-data/traffic.saz | Specific file at the given path |
*.postman_collection.json | All Postman collection files in the current directory and subdirectories |
openapi/*.yaml | All YAML files in the openapi directory and subdirectories |
swagger*.json | All JSON files starting with "swagger" in the current directory and subdirectories |
*.har,*.xml,swagger*.json | Multiple patterns (comma-separated) |
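Because the scan fails outright when any pattern matches zero files, it is worth checking the list in the CI job before the scan is started. The shell functions below are an added example, not the tool's own matching logic; they follow the pattern rules described above (split each comma-separated entry into a directory part and a filename pattern, match the filename pattern recursively below that directory, treat a missing directory as the current one) using find, and report any entry that matches nothing. The directory layout in the usage is constructed for the example.

```sh
#!/bin/sh
# Added example: check INVICTI_IMPORT_FILE_PATHS entries before scanning.
# Not part of the Invicti tooling; it follows the pattern rules above.

# Print the number of files matched by one entry such as "imports/*.har".
invicti_count_matches() {
  entry=$1
  # Directory path + filename pattern; no directory means the current one.
  case "$entry" in
    */*) dir=${entry%/*}; name=${entry##*/} ;;
    *)   dir=.;           name=$entry ;;
  esac
  [ -d "$dir" ] || { echo 0; return; }
  # -name receives the wildcard unexpanded (quoted) and searches recursively.
  find "$dir" -type f -name "$name" | wc -l | tr -d ' '
}

# Return 0 if every entry in the comma-separated list matches at least one
# file, 1 otherwise; entries matching nothing are listed on stderr.
invicti_check_import_paths() {
  list=$1
  status=0
  old_ifs=$IFS
  # Split on commas with pathname expansion disabled, so "*.har" stays literal.
  set -f
  IFS=,
  for entry in $list; do
    IFS=$old_ifs
    n=$(invicti_count_matches "$entry")
    if [ "$n" -eq 0 ]; then
      echo "import pattern '$entry' matches no files" >&2
      status=1
    else
      echo "import pattern '$entry' matches $n file(s)"
    fi
  done
  IFS=$old_ifs
  set +f
  return $status
}

# Usage in a CI step (the variable is assumed to be set by the pipeline):
#   invicti_check_import_paths "$INVICTI_IMPORT_FILE_PATHS" || exit 1
```

Run the check from the same working directory the scan tool will use, since relative entries are resolved against it. The count per entry also gives a quick sanity check that a pattern such as *.har is not silently picking up far more recordings than intended.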
Supported file types
Common import file formats include:
- HAR files (*.har)
- Fiddler SAZ files (*.saz)
- Postman collections (*.postman_collection.json)
- OpenAPI/Swagger definitions (*.yaml, *.json)
- XML files (*.xml)
Scan agent types
The INVICTI_SCAN_AGENT variable determines which agent performs the scan and how the target configuration is handled:
TargetDefault (default)
Uses the scan agent configured in the target settings. The scan runs with the target's existing configuration without any modifications. Use this option when you want the CI/CD scan to respect all settings defined in the Invicti Platform UI.
CloudAgent
Forces the scan to use Invicti's cloud-based scanning agent. This option modifies the target configuration to enable cloud scanning capabilities, including imports and other cloud-specific features. Use this option when you need cloud-based scanning regardless of the target's default configuration.
Example usage
```sh
# Single pattern
INVICTI_IMPORT_FILE_PATHS="imports/*.har"

# Multiple patterns
INVICTI_IMPORT_FILE_PATHS="test-data/*.har,openapi/*.yaml,*.postman_collection.json"

# Specific file
INVICTI_IMPORT_FILE_PATHS="recordings/api-traffic.saz"
```
For complete integration guidance, refer to the Integrate CI-driven scans document.