
Integrating Invicti Enterprise with HashiCorp Vault

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

Invicti Enterprise integrates with HashiCorp Vault Key-Value (KV) to enhance security and efficiency. It eliminates the need to share sensitive credentials for vulnerability scanning on password-protected web pages, automates credential retrieval to conduct vulnerability assessments on the target website, and simplifies credential management while ensuring comprehensive vulnerability scanning.

For more information, refer to What systems does Invicti integrate with? and Privileged Access Management and Invicti.

This document explains how to integrate Invicti Enterprise with HashiCorp Vault, authenticating with either an admin token or a TLS certificate.

IMPORTANT: To reduce security risk, we recommend using the minimum privilege required to integrate Invicti Enterprise with HashiCorp Vault.

Invicti Enterprise uses three paths to integrate with HashiCorp Vault:

  • auth/* - used for TLS certificate authentication
  • secret/* - used for storing key-value
  • auth/{certUploadedPath}/login - used for TLS certificate authentication

Before setting up the integration, we recommend creating a policy that covers only these paths and attaching it to the HashiCorp Vault admin token or TLS certificate that Invicti Enterprise will use.
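The following Vault policy is an added example, not part of the Invicti documentation or the Invicti product. It grants only the capabilities needed on the three paths listed above, so that the token or certificate handed to Invicti Enterprise cannot read or change anything else in Vault. The policy name, the choice of capabilities, and the assumption that the certificate auth method is mounted at the default path cert (the {certUploadedPath} placeholder above) are all assumptions for the example; adjust them to your own mount paths.

```hcl
# Example least-privilege policy for the Invicti Enterprise integration.
# Assumption: this is an illustrative policy, not an official Invicti artifact.

# Read-only access to the KV secrets the scanner needs for form authentication.
# Scope this to a sub-path (e.g. "secret/invicti/*") if your layout allows it.
path "secret/*" {
  capabilities = ["read", "list"]
}

# Allow the integration to log in with its TLS certificate.
# "cert" is the default auth mount path used by the Invicti Path field;
# replace it if your certificate auth method is mounted elsewhere.
path "auth/cert/login" {
  capabilities = ["update"]
}

# Read-only visibility into auth mounts, which the integration uses
# when it verifies TLS certificate authentication.
path "auth/*" {
  capabilities = ["read", "list"]
}

# Everything else is denied by default: no "create", "update", "delete"
# or "sudo" on secrets, and no access to sys/* or other auth backends.
```

With the Vault CLI, the policy is loaded with vault policy write invicti-scanner invicti-scanner.hcl. For token authentication, issue a dedicated token with vault token create -policy=invicti-scanner rather than reusing a root or admin token; for TLS certificate authentication, attach the policy to the certificate role when you register it with vault write auth/cert/certs/invicti certificate=@invicti.pem policies=invicti-scanner. Either way, the credential that reaches Invicti Enterprise carries only this policy, which is the minimum-privilege setup the note above recommends.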

What is HashiCorp Vault?

HashiCorp Vault is a secret management system that provides secure access to secret values, such as passwords and API keys. Because access is centralized, HashiCorp Vault also records an audit log showing who accessed which resource, such as a database. In addition, HashiCorp Vault encrypts secrets at rest and in transit, and grants applications access to these secrets only for a limited time.

How to integrate Invicti Enterprise with HashiCorp Vault

  • Select Integrations > New Integration from the left-side menu.
  • From the Secrets and Encryption Management section, select HashiCorp Vault.
  • Enter a Name for the integration.
  • In the URL field, enter your HashiCorp Vault Public Cluster URL or self-hosted Vault URL (hostname).
  • Select an authentication type:
      • Token: Authentication is performed using your HashiCorp Vault admin token.
      • TLS Certificate: Authentication is performed using a TLS certificate that you provide.

Continue by following the relevant instructions below depending on your choice of authentication:

Option A: Token authentication

  • Enter your HashiCorp token in the Token field.
  • Fill in a Namespace if you have one. (For more information about HashiCorp Vault namespaces, refer to Vault Enterprise namespaces.)
  • Under Agent Mode, select an option:
      • Cloud: Invicti verifies the connection with a cloud agent available in the Invicti Enterprise environment.
      • Internal: Invicti verifies the connection with an authentication verifier agent installed in your environment. For further information, refer to Configuring internal agents for Secrets Management services.
  • Click Verify and Save to test the connection and save it. (If you have more than one authentication verifier agent, a drop-down lets you select the verifier agent.)

Option B: TLS Certificate authentication

  • Select Certificate File… and upload the required file.
  • If your certificate has a password configured, enter the password in the Certificate Password field. Leave this field blank if your certificate does not require a password.
  • If your certificate is installed using the default path, you do not need to enter anything into the Path field. The default path is: cert. If your certificate is installed in a different location, enter the path in the Path field.
  • Enter your Namespace if you have one. (For more information about HashiCorp Vault namespaces, refer to Vault Enterprise namespaces.)
  • Under Agent Mode, select an option:
      • Cloud: Invicti verifies the connection with a cloud agent available in the Invicti Enterprise environment.
      • Internal: Invicti verifies the connection with an authentication verifier agent installed in your environment. For further information, refer to Configuring internal agents for secrets management services.
  • Click Verify and Save to test the connection and save it. (If you have more than one authentication verifier agent, a drop-down lets you select the verifier agent.)

You can now proceed to use the newly integrated HashiCorp Vault to verify form authentication during a vulnerability scan. For more information, refer to the Configuring internal agents for secrets management services document.
