CI/CD Pipeline Setup

Integrating VAPT Insights into your automated software development workflows ensures that every code commit and deploy is audited for known vulnerabilities, security misconfigurations, and compliance risks.

This guide provides platform-specific, copy-pasteable configuration files to generate a Software Bill of Materials (SBOM) using Trivy and securely ingest it into the VAPT Insights platform.


Before configuring your pipelines, ensure you have:

  1. Generated a secure API key from the dashboard:
    • Click Account Settings (under the “Account” section) at the bottom of your VAPT Insights sidebar.
    • Click the API Tokens tab on the top menu navigation bar.
    • Click Generate New Token, name it (e.g., GitHub Actions CI/CD), and copy the secret key immediately; it is shown only once.
    • Alternatively, go directly to the VAPT Insights API Settings Dashboard.
  2. Saved it as a secret named VAPT_INSIGHTS_API_KEY in your GitHub repository settings, so that it never appears in the workflow file itself.

To run automated vulnerability scanning using Trivy on push events to your main branch, create a workflow file at .github/workflows/vapt-scan.yml with the following configuration:

name: VAPT Insights Security Scan
on:
  push:
    branches: [ main ]
  workflow_dispatch:
jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    env:
      # Artifact name shown in the dashboard: the repository name
      VAPT_ARTIFACT_NAME: ${{ github.event.repository.name }}
      FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set Short SHA
        # Artifact version shown in the dashboard: the 7-character commit hash
        run: echo "VAPT_ARTIFACT_VERSION=$(echo ${GITHUB_SHA} | cut -c1-7)" >> $GITHUB_ENV
      - name: Setup Trivy
        uses: aquasecurity/setup-trivy@v0.2.6
        with:
          cache: true
      - name: Check Trivy Version
        run: trivy --version
      - name: Generate Inventory SBOM (CycloneDX)
        run: |
          trivy fs . \
            --format cyclonedx \
            --output sbom.json \
            --scanners vuln
      - name: Upload Artifacts to VAPT Insights
        env:
          # Read from the repository secret; never hard-code the key here
          VAPT_INSIGHTS_API_KEY: ${{ secrets.VAPT_INSIGHTS_API_KEY }}
        run: |
          echo "Uploading Inventory SBOM..."
          # --fail-with-body turns a 4xx/5xx response into a non-zero exit code
          # (and prints the response body), so a rejected upload fails the job
          # instead of passing silently.
          curl --fail-with-body -X POST "https://svc.vaptinsights.com/webhook/inventory-sbom" \
            -H "X-API-Key: ${VAPT_INSIGHTS_API_KEY}" \
            -H "X-Artifact-Name: ${VAPT_ARTIFACT_NAME}" \
            -H "X-Artifact-Version: ${VAPT_ARTIFACT_VERSION}" \
            -H "Content-Type: application/json" \
            --data-binary @sbom.json
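The same generate-and-upload steps as a standalone shell script, added here as an example and not part of the VAPT Insights tooling or of the workflow above. It is useful when the pipeline runs on a platform other than GitHub Actions or when you want to test the upload locally. Beyond the workflow, it checks that the SBOM file is a non-empty CycloneDX document before sending it and makes curl fail on an HTTP error. The endpoint, header names and the VAPT_INSIGHTS_API_KEY variable are taken from the page; the function names, the VAPT_ENDPOINT override and the `run` subcommand are this script's own assumptions.

```shell
#!/usr/bin/env sh
# Added example: generate a CycloneDX SBOM with Trivy and upload it to the
# VAPT Insights inventory-sbom webhook, failing on any error. Function and
# variable names other than VAPT_INSIGHTS_API_KEY are this script's own.
set -eu

# Endpoint from the setup guide; overridable for testing (assumption).
VAPT_ENDPOINT="${VAPT_ENDPOINT:-https://svc.vaptinsights.com/webhook/inventory-sbom}"

# Derive the 7-character short commit hash the dashboard displays.
# Uses the argument if given, else GITHUB_SHA, else git (for local runs).
short_sha() {
  sha="${1:-${GITHUB_SHA:-$(git rev-parse HEAD 2>/dev/null || echo unknown)}}"
  printf '%s\n' "$sha" | cut -c1-7
}

# Sanity check before upload: file exists, is non-empty, and declares itself
# a CycloneDX BOM. Returns 1 otherwise so the calling CI step fails.
validate_sbom() {
  file="$1"
  [ -s "$file" ] || { echo "SBOM $file is missing or empty" >&2; return 1; }
  grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$file" \
    || { echo "SBOM $file is not a CycloneDX document" >&2; return 1; }
  return 0
}

# Run Trivy against the working tree, as in the workflow, then validate.
generate_sbom() {
  out="${1:-sbom.json}"
  trivy fs . --format cyclonedx --scanners vuln --output "$out"
  validate_sbom "$out"
}

# POST the SBOM with the headers the webhook expects. --fail-with-body makes a
# 4xx/5xx response a non-zero exit (printing the body), so a rejected upload
# cannot pass silently.
upload_sbom() {
  file="$1"; name="$2"; version="$3"
  : "${VAPT_INSIGHTS_API_KEY:?VAPT_INSIGHTS_API_KEY is not set}"
  validate_sbom "$file"
  curl --silent --show-error --fail-with-body -X POST "$VAPT_ENDPOINT" \
    -H "X-API-Key: ${VAPT_INSIGHTS_API_KEY}" \
    -H "X-Artifact-Name: ${name}" \
    -H "X-Artifact-Version: ${version}" \
    -H "Content-Type: application/json" \
    --data-binary "@${file}"
}

main() {
  name="${VAPT_ARTIFACT_NAME:-$(basename "$(pwd)")}"
  version="$(short_sha)"
  generate_sbom sbom.json
  upload_sbom sbom.json "$name" "$version"
}

# Usage: VAPT_INSIGHTS_API_KEY=... sh vapt_upload.sh run
# The explicit "run" argument lets the file be sourced for its functions
# without triggering a scan.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it from the repository root with `VAPT_INSIGHTS_API_KEY` exported; `VAPT_ARTIFACT_NAME` defaults to the directory name and the version to the current commit's short hash, matching what the GitHub workflow sends.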

Once your pipeline runs:

  1. Go to your VAPT Insights Dashboard.
  2. Select your project and navigate to SBOM Reports.
  3. You should see a new scan report matching the timestamp and commit hash of your pipeline run.