availability

Deployment: Invicti Platform on-demand, Invicti Platform on-premises

Webhook integration

Integrating Invicti Platform with a webhook endpoint as an Issue tracker enables real-time issue creation when vulnerabilities are discovered. You can automatically create tickets in any issue tracking system, ticketing tool, or custom application that accepts HTTP requests.

Prerequisites

To set up this integration, you need:

  • A publicly reachable HTTP/HTTPS endpoint that can receive HTTP requests from Invicti. The integration supports POST, GET, and PUT methods. If your endpoint requires authentication, Basic authentication (username and password) is supported.

Multiple integrations for different notification types

You can create multiple webhook integrations to route issues to different endpoints. Each integration targets one webhook URL. Consider these example configurations:

  • Critical vulnerabilities: a dedicated integration posting to your incident management system for critical findings
  • All vulnerabilities: a broader integration posting to your central issue tracking system

This allows you to configure different notification rules based on:

  • Severity levels: Critical, High, Medium, Low, Informational
  • Specific targets, collections, or applications

Step 1: Configure Invicti Platform integration

  1. In Invicti, select Integrations from the left-side menu.

  2. Switch to the Browse integrations tab.

  3. Find the Webhook tile under Issue trackers and select Configure.

  4. Under Webhook details:

    • Enter an Integration name.
    • Enter your Webhook URL (must be a valid HTTP or HTTPS URL, for example https://example.com/webhook).
  5. Under Authorization Details, choose an Authentication Type:

    • None: (default) no authentication required.
    • Basic: enter your username and password.
  6. Under Webhook request details:

    • HTTP method: Choose POST (recommended, default), GET, or PUT.
      • POST: Sends data in the request body. Standard method for webhooks. Use for most integrations.
      • GET: Appends data as URL query parameters. Limits data amount, not ideal for complex payloads.
      • PUT: Updates an existing resource. PUT replaces the entire resource, whereas POST creates a new resource or performs an action.
    • Parameters encoding: Choose JSON (recommended, default), Form, or QueryString.
      • JSON: Modern standard, best for complex payloads, nested data structures, and sensitive information.
      • Form: Traditional HTML form encoding (application/x-www-form-urlencoded). Use only if endpoint requires it.
      • QueryString: Appends data to URL as query parameters. Avoid for complex payloads or sensitive data (limited URL length, visible in logs).
  7. Under Webhook request data, optionally configure:

    • Custom HTTP headers: add any headers your endpoint requires as key-value pairs (for example, X-Api-Key / your-token). Headers support placeholder substitution. You can use placeholder IDs as values (like X-Severity: {Severity}) and the system replaces them with live data at send-time. You can also add multiple rows with the same header name, and the backend sends each separately.

      Headers are always sent

      Custom HTTP headers are always included in the request, even when you select None for the authentication type. You can use this to set headers like Authorization: Bearer your-token as a manual override.

    • Custom data fields: customize the data your webhook endpoint receives by mapping Invicti placeholder fields to the payload structure your endpoint expects. For each field:

      • Key: Enter a field name (can be plain text like vuln_id or use dot notation for nesting like {data.vulnerability.id})
      • Value: Enter either a placeholder ID (like {Vulnerability ID}) or a literal string (like my-service)

      The system substitutes known placeholder IDs with live data at send-time and passes literal strings through unchanged. For example, if you map severity: {Severity}, your endpoint receives severity: "high" when a high-severity vulnerability is found.

      Only Vulnerability and Asset fields are substituted

      For Issue tracker webhooks triggered by Vulnerability found events, only Vulnerability and Asset fields are substituted. Scan fields will appear as literal text in your payload.

      Available Vulnerability fields

      Use these placeholders in your Custom data fields to map Invicti vulnerability data to your payload:

      Placeholder | Description | Type
      {Vulnerability} | Vulnerability name | string
      {Vulnerability ID} | Unique vulnerability identifier | string
      {Vulnerability type ID} | Type identifier | string
      {Description} | Detailed description | string
      {Details} | Additional details | string
      {Recommendation} | Remediation recommendations | string
      {Severity} | Severity level (info, low, medium, high, critical) | string
      {References} | Related references and links | string
      {Affected URL} | URL where the vulnerability was detected | string
      {Confidence} | Detection confidence level | number
      {CVSS Score} | CVSS v2 score | number
      {CVSS3 Score} | CVSS v3 score | number
      {CVSS4 Score} | CVSS v4 score | number
      {Impact} | Impact description | string
      {Vulnerability Link} | Link to vulnerability details in Invicti | string

      Available Asset fields

      Use these placeholders in your Custom data fields to map Invicti asset data to your payload:

      Placeholder | Description | Type
      {Asset ID} | Unique asset identifier | string
      {Asset name} | Name of the asset | string
      {Asset type} | Type of asset | string
      {Business impact} | Business impact value | string
      {Asset Description} | Description of the asset | string
  8. Click Send test webhook to verify your configuration. Your endpoint receives a test vulnerability notification.

  9. Click Save and finish to complete the integration.

  10. The Webhook integration is now visible in the list of My integrations.

Step 2: Configure automation

  1. Select Automations from the left-side menu.

  2. Click Add new automation.

  3. In the dialog box populate these fields:

    • Name: create issue on vulnerability found.
    • Description: creates an issue in the tracking system when a vulnerability is discovered.
    • Automation scope: specify the assets or collections.
  4. Click Add automation.

  5. Add an event: select Vulnerability found and click Save.

  6. Add an action: select Create issue, then select the Webhook integration you created in Step 1.


Troubleshooting

Retry behavior

If your endpoint doesn't return a 200 response, Invicti retries the webhook up to 3 times. Retries occur on server errors (5xx). Client errors (4xx) stop retries; a 4xx response counts as a permanent failure.
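
An added example (not Invicti code) of a receiving-side handler that fits the authentication, custom header, placeholder, and retry behavior described on this page. It assumes POST with JSON encoding, Basic authentication plus an X-Api-Key custom header, and custom data fields vuln_id and severity mapped to {Vulnerability ID} and {Severity}; the credential values and the create_ticket callback are hypothetical.

```python
import base64, hmac, json, re

# Assumed receiver-side settings (constructed values, not from Invicti).
EXPECTED_USER, EXPECTED_PASS = "invicti", "s3cret-constructed"
EXPECTED_API_KEY = "your-token"
UNSUBSTITUTED = re.compile(r"^\{[^{}]+\}$")  # a placeholder left as literal text
SEVERITIES = {"info", "low", "medium", "high", "critical"}
_seen = set()  # vulnerability IDs already ticketed, so retries do not duplicate

def _basic_ok(header):
    """Constant-time check of an 'Authorization: Basic ...' header value."""
    if not header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except ValueError:  # covers bad base64 and bad UTF-8
        return False
    return (hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
            & hmac.compare_digest(pw.encode(), EXPECTED_PASS.encode()))

def handle_webhook(headers, body, create_ticket):
    """Return the HTTP status code to answer one webhook delivery with."""
    h = {k.lower(): v for k, v in headers.items()}
    key_ok = hmac.compare_digest(h.get("x-api-key", "").encode(), EXPECTED_API_KEY.encode())
    if not (_basic_ok(h.get("authorization", "")) and key_ok):
        return 401  # 4xx: treated as a permanent failure, no retry
    try:
        data = json.loads(body)
        vuln_id, severity = data["vuln_id"], data["severity"]
    except (ValueError, KeyError, TypeError):
        return 400
    if not (isinstance(vuln_id, str) and isinstance(severity, str)):
        return 400
    if severity not in SEVERITIES or any(
            isinstance(v, str) and UNSUBSTITUTED.match(v) for v in data.values()):
        return 400  # mapping error such as an unsubstituted field: do not retry
    if vuln_id in _seen:
        return 200  # duplicate delivery from a retry: acknowledge, no new ticket
    try:
        create_ticket(data)
    except Exception:
        return 503  # transient backend failure: a 5xx asks for a retry
    _seen.add(vuln_id)
    return 200
```

Returning 5xx only for failures that a later attempt could fix, and 4xx for everything the sender must correct, keeps the three retries from being spent on requests that can never succeed.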
