The Generic CI/CD integration lets you run Pentest-Tools.com scans from any CI/CD platform, including GitLab CI, Jenkins, CircleCI, Azure DevOps, and more.
Available on WebNetSec and Pentest Suite plans.

Benefits

Platform agnostic

Works with any CI/CD system that can make HTTP requests.

Automated security

Run scans as part of your deployment pipeline.

Fail conditions

Stop deployments when vulnerabilities are detected.

Flexible output

Get results in text or JSON format.

Setting up CI/CD integration

1. Create a pipeline action

   Go to Settings > Integrations > Generic CI/CD and click Create action.

2. Configure settings

   Set the target URL, scan type, output format, and fail condition.

3. Get your API key

   The Docker command takes your Pentest-Tools API key as the --key argument. Store it as a secret in your CI/CD system, not directly in pipeline files.

4. Run the Docker command

   Copy the generated Docker command and add it to your pipeline. It runs in any CI/CD system that supports Docker.

Configuration options

Setting         Description
Name            Identifier for the pipeline action
Target          URL or IP address to scan
Scan type       light or deep
Output format   text or json
Fail condition  Severity threshold to fail

Fail conditions

Condition   Pipeline fails when…
None        Never fails based on findings
Low         Low or higher severity found
Medium      Medium or higher severity found
High        High or higher severity found
Critical    Critical severity found

Running the scan

The integration generates a Docker command using the pentesttoolscom/ptt-scan image. Run it from any pipeline that supports Docker: GitLab CI, Jenkins, CircleCI, Azure DevOps, or anything else.

docker run --rm pentesttoolscom/ptt-scan:latest \
  --key <API_KEY> \
  --fail high \
  run website_scanner \
  --format text \
  --scan_type deep \
  https://your-website.com

Use the API key stored in your CI/CD secrets for <API_KEY>. The other values come from your action configuration in Pentest-Tools.com.

Output handling

Text format

Suitable for console output and log review:

Scan completed for example.com
Found 3 findings:
  - HIGH: SQL Injection in /login
  - MEDIUM: Missing security headers
  - LOW: Information disclosure

JSON format

Parse programmatically for custom handling:

{
  "scan_id": 12345,
  "target": "example.com",
  "status": "completed",
  "findings": [
    {
      "title": "SQL Injection",
      "severity": "high",
      "cvss_score": 8.6,
      "description": "SQL injection vulnerability found in the login parameter.",
      "url": "https://example.com/login"
    }
  ]
}

This is a simplified example. See the API reference for the complete finding schema.
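As an added example (not Pentest-Tools.com code), the following script reads the JSON output above from stdin, applies the same "severity or higher" rule as the fail-condition table, and exits non-zero so a pipeline step can gate on it. It assumes only the simplified finding schema shown on this page; the embedded sample report is constructed for offline runs.

```python
import json
import sys

# Severity ladder matching the fail-condition table: threshold T blocks
# when any finding is at T or above. Severities the page does not list are
# ranked 0 (never blocking) and reported for manual review.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample shaped like the simplified JSON example above.
SAMPLE_OUTPUT = json.dumps({
    "scan_id": 12345, "target": "example.com", "status": "completed",
    "findings": [
        {"title": "SQL Injection", "severity": "high", "cvss_score": 8.6,
         "description": "SQL injection vulnerability found in the login parameter.",
         "url": "https://example.com/login"},
        {"title": "Missing security headers", "severity": "medium", "cvss_score": 5.3,
         "description": "Security headers are missing.", "url": "https://example.com/"},
    ],
})


def findings_at_or_above(report: dict, fail_condition: str) -> list:
    """Return findings that meet the fail condition; "none" returns nothing."""
    cond = fail_condition.lower()
    if cond == "none":
        return []
    if cond not in SEVERITY_RANK:
        raise ValueError(f"unknown fail condition: {fail_condition}")
    threshold = SEVERITY_RANK[cond]
    return [f for f in report.get("findings", [])
            if SEVERITY_RANK.get(str(f.get("severity", "")).lower(), 0) >= threshold]


def evaluate(raw_json: str, fail_condition: str) -> dict:
    """Parse scanner JSON and decide whether the pipeline stage should fail."""
    report = json.loads(raw_json)
    if report.get("status") != "completed":
        # An unfinished or errored scan must never pass as a clean one (fail closed).
        return {"fail": True, "reason": f"scan status {report.get('status')!r}", "blocking": []}
    blocking = findings_at_or_above(report, fail_condition)
    return {"fail": bool(blocking),
            "reason": f"{len(blocking)} finding(s) at or above {fail_condition}",
            "blocking": blocking}


if __name__ == "__main__":
    # Usage: docker run ... --format json ... | python check_findings.py high
    threshold = sys.argv[1] if len(sys.argv) > 1 else "high"
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    result = evaluate(data, threshold)
    for f in result["blocking"]:
        print(f"{str(f.get('severity', '')).upper()}: {f.get('title')} ({f.get('url', '')})")
    print(result["reason"])
    sys.exit(1 if result["fail"] else 0)
```

Save the raw JSON as a pipeline artifact before piping it in, so the full report survives even when the step fails.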

Best practices

Use environment variables or secrets management for your action secret. Never hardcode credentials in pipeline files.
Make sure your CI/CD runner can reach app.pentest-tools.com. Check firewall rules if scans fail to start.
  • Run Light scans for quick validation, Deep scans for thorough testing
  • Set fail conditions based on your pipeline stage (stricter for production)
  • Store scan results as artifacts for later review
  • Set appropriate timeouts for scan completion

Troubleshooting

  • Verify the secret is correctly configured
  • Check that the secret hasn’t expired
  • Check that the environment variable is accessible
  • Deep scans may take longer; adjust pipeline timeout
  • Verify the target is accessible from the internet
  • Check for network restrictions
  • Review the fail condition setting
  • Check scan results for findings above threshold
  • Verify the action name is correct