Deployment: Invicti Platform on-demand, Invicti Platform on-premises
Webhook integration
Integrating Invicti Platform with a webhook endpoint as an Issue tracker enables real-time issue creation when vulnerabilities are discovered. You can automatically create tickets in any issue tracking system, ticketing tool, or custom application that accepts HTTP requests.
Prerequisites
To set up this integration, you need:
- A publicly reachable HTTP/HTTPS endpoint that can receive HTTP requests from Invicti. The integration supports POST, GET, and PUT methods. If your endpoint requires authentication, Basic authentication (username and password) is supported.
Multiple integrations for different notification types
You can create multiple webhook integrations to route issues to different endpoints. Each integration targets one webhook URL. Consider these example configurations:
- Critical vulnerabilities: a dedicated integration posting to your incident management system for critical findings
- All vulnerabilities: a broader integration posting to your central issue tracking system
This allows you to configure different notification rules based on:
- Severity levels: Critical, High, Medium, Low, Informational
- Specific targets, collections, or applications
Step 1: Configure Invicti Platform integration
- In Invicti, select Integrations from the left-side menu.
- Switch to the Browse integrations tab.
- Find the Webhook tile under Issue trackers and select Configure.
- Under Webhook details:
  - Enter an Integration name.
  - Enter your Webhook URL (must be a valid HTTP or HTTPS URL, for example https://example.com/webhook).
- Under Authorization Details, choose an Authentication Type:
  - None: (default) no authentication required.
  - Basic: enter your username and password.
- Under Webhook request details:
  - HTTP method: Choose POST (recommended, default), GET, or PUT.
    - POST: Sends data in the request body. Standard method for webhooks. Use for most integrations.
    - GET: Appends data as URL query parameters. Limits data amount, not ideal for complex payloads.
    - PUT: Updates an existing resource. PUT replaces the entire resource, whereas POST creates a new resource or performs an action.
  - Parameters encoding: Choose JSON (recommended, default), Form, or QueryString.
    - JSON: Modern standard, best for complex payloads, nested data structures, and sensitive information.
    - Form: Traditional HTML form encoding (application/x-www-form-urlencoded). Use only if endpoint requires it.
    - QueryString: Appends data to URL as query parameters. Avoid for complex payloads or sensitive data (limited URL length, visible in logs).
- Under Webhook request data, optionally configure:
  - Custom HTTP headers: add any headers your endpoint requires as key-value pairs (for example, X-Api-Key/your-token). Headers support placeholder substitution. You can use placeholder IDs as values (like X-Severity: {Severity}) and the system replaces them with live data at send-time. You can also add multiple rows with the same header name, and the backend sends each separately.
    Headers are always sent: Custom HTTP headers are always included in the request, even when you select None for the authentication type. You can use this to set headers like Authorization: Bearer your-token as a manual override.
  - Custom data fields: customize the data your webhook endpoint receives by mapping Invicti placeholder fields to the payload structure your endpoint expects. For each field:
    - Key: Enter a field name (can be plain text like vuln_id or use dot notation for nesting like {data.vulnerability.id})
    - Value: Enter either a placeholder ID (like {Vulnerability ID}) or a literal string (like my-service)
    The system substitutes known placeholder IDs with live data at send-time and passes literal strings through unchanged. For example, if you map severity: {Severity}, your endpoint receives severity: "high" when a high-severity vulnerability is found.
    Only Vulnerability and Asset fields are substituted: For Issue tracker webhooks triggered by Vulnerability found events, only Vulnerability and Asset fields are substituted. Scan fields will appear as literal text in your payload.
Available Vulnerability fields
Use these placeholders in your Custom data fields to map Invicti vulnerability data to your payload:
| Placeholder | Description | Type |
| --- | --- | --- |
| {Vulnerability} | Vulnerability name | string |
| {Vulnerability ID} | Unique vulnerability identifier | string |
| {Vulnerability type ID} | Type identifier | string |
| {Description} | Detailed description | string |
| {Details} | Additional details | string |
| {Recommendation} | Remediation recommendations | string |
| {Severity} | Severity level (info, low, medium, high, critical) | string |
| {References} | Related references and links | string |
| {Affected URL} | URL where the vulnerability was detected | string |
| {Confidence} | Detection confidence level | number |
| {CVSS Score} | CVSS v2 score | number |
| {CVSS3 Score} | CVSS v3 score | number |
| {CVSS4 Score} | CVSS v4 score | number |
| {Impact} | Impact description | string |
| {Vulnerability Link} | Link to vulnerability details in Invicti | string |
Available Asset fields
Use these placeholders in your Custom data fields to map Invicti asset data to your payload:
| Placeholder | Description | Type |
| --- | --- | --- |
| {Asset ID} | Unique asset identifier | string |
| {Asset name} | Name of the asset | string |
| {Asset type} | Type of asset | string |
| {Business impact} | Business impact value | string |
| {Asset Description} | Description of the asset | string |
- Click Send test webhook to verify your configuration. Your endpoint receives a test vulnerability notification.
- Click Save and finish to complete the integration.
- The Webhook integration is now visible in the list of My integrations.
Step 2: Configure automation
- Select Automations from the left-side menu.
- Click Add new automation.
- In the dialog box populate these fields:
  - Name: create issue on vulnerability found.
  - Description: creates an issue in the tracking system when a vulnerability is discovered.
  - Automation scope: specify the assets or collections.
- Click Add automation.
- Add an event: select Vulnerability found and click Save.
- Add an action: select Create issue, then select the Webhook integration you created in Step 1.
Troubleshooting
Retry behavior
If your endpoint doesn't return a 200 response, Invicti retries the webhook up to 3 times. Retries occur on server errors (5xx). Client errors (4xx) stop retries; a 4xx response counts as a permanent failure.
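The following is an added example, not Invicti code, of how a receiving endpoint can choose its response status so that the retry rules above work in its favour, combined with the Basic authentication check from Step 1. It assumes JSON encoding, Custom data fields mapped to the keys vuln_id ({Vulnerability ID}) and severity ({Severity}), constructed credentials, and a hypothetical create_ticket callback.

```python
import base64
import hmac
import json

# Constructed credentials; they must match the Basic username/password in the integration.
EXPECTED = b"invicti-hook:constructed-secret"
SEVERITIES = {"info", "low", "medium", "high", "critical"}


def basic_auth_ok(header):
    """Validate an Authorization header against the expected Basic credentials."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        supplied = base64.b64decode(token, validate=True)
    except ValueError:  # bad base64 (binascii.Error is a ValueError)
        return False
    return hmac.compare_digest(supplied, EXPECTED)  # constant-time comparison


def handle_webhook(headers, body, seen, create_ticket):
    """Return the HTTP status to send for one delivery (assumed JSON encoding)."""
    if not basic_auth_ok(headers.get("Authorization", "")):
        return 401  # 4xx: permanent failure, sender stops retrying
    try:
        data = json.loads(body)
        vuln_id, severity = data["vuln_id"], data["severity"]  # assumed field keys
    except (ValueError, KeyError, TypeError):
        return 400  # malformed payload: a retry would fail the same way
    if not isinstance(vuln_id, str) or not isinstance(severity, str):
        return 400
    if severity not in SEVERITIES:
        return 400
    if vuln_id in seen:
        return 200  # retried delivery; the ticket already exists
    try:
        create_ticket(data)  # hypothetical callback into the issue tracker
    except ConnectionError:
        return 503  # 5xx: transient failure, sender may retry
    seen.add(vuln_id)
    return 200  # the page names 200 as the success status


if __name__ == "__main__":
    auth = {"Authorization": "Basic " + base64.b64encode(EXPECTED).decode()}
    sample = b'{"vuln_id": "constructed-id-1", "severity": "high"}'  # constructed
    print(handle_webhook(auth, sample, set(), lambda ticket: None))
```

Recording the ID only after the ticket is created means a delivery that failed with 503 is processed again on retry, while a delivery that already succeeded is acknowledged without creating a duplicate ticket.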