Set up the CI Gate
The CI Gate lets you run a Vex Raptor scan from your pipeline and fail the build when new issues cross a policy threshold — continuous pentesting instead of a once-a-year report.
Plan
The CI Gate / webhook automation requires a Pro (or higher) plan. On lower plans the endpoint is gated (HTTP 403).
How it works
- Create an org API key (header `X-Vex-Key`) and choose a fail policy (for example, fail on any new Critical).
- Your pipeline POSTs the staging target to the webhook URL.
- Vex Raptor runs a focused scan and returns `verdict: pass` or `fail` according to the policy.
- Re-scan on each deploy so regressions that re-open issues fail the build.
Configure in the console
- Open CI Gate in the sidebar (route `/triggers`, the same page as threat triggers; the webhook block is at the top).
- Copy the endpoint URL and the cURL / GitHub Actions snippet.
- Set `fail_on` (`critical`, `high`, `medium`, or `never`).
- Create an API key under Organizations if you do not have one yet.

Endpoint: `POST /api/v1/webhook/scan` on your app host (for example `https://app.example.com/api/v1/webhook/scan`).
Auth: `X-Vex-Key: <org-api-key>`, not a JWT.
Example

```bash
curl -sS -X POST 'https://app.example.com/api/v1/webhook/scan' \
  -H 'Content-Type: application/json' \
  -H 'X-Vex-Key: YOUR_VEX_API_KEY' \
  -d '{"target":"https://staging.example.com","fail_on":"high"}'
```

```yaml
# GitHub Actions (copy the live snippet from the CI Gate screen for your host)
- name: Vex Raptor CI Gate
  env:
    VEX_API_KEY: ${{ secrets.VEX_API_KEY }}
  run: |
    resp=$(curl -sS -X POST 'https://app.example.com/api/v1/webhook/scan' \
      -H "Content-Type: application/json" \
      -H "X-Vex-Key: $VEX_API_KEY" \
      -d '{"target":"https://staging.example.com","fail_on":"high"}')
    echo "$resp"
    # Exact-string match on compact JSON; anything else (a fail verdict, a 403
    # plan-gating error body, an empty response) fails the step, i.e. fails closed.
    echo "$resp" | grep -q '"verdict":"pass"' || exit 1
```
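A small CI-side client for the exchange above, added here as an example and not part of the Vex Raptor docs or product: it POSTs the target with the `X-Vex-Key` header, parses the JSON verdict instead of grepping for an exact string, and fails closed on a 403 (plan gating), any other non-2xx status, or an unparseable body. The webhook path, header name, `fail_on` values and the `verdict` field come from this page; the host, target, environment variable names and the shape of error bodies are assumptions.

```python
"""Call the Vex Raptor CI Gate webhook and turn its verdict into a build result."""
import json
import os
import sys
import urllib.error
import urllib.request

# Assumed: host and env var names are placeholders for your own deployment.
WEBHOOK_URL = os.environ.get("VEX_WEBHOOK_URL", "https://app.example.com/api/v1/webhook/scan")


def gate_result(status: int, body: str) -> tuple[bool, str]:
    """Map an HTTP status and response body to (passed, reason).

    Only a 2xx response whose JSON carries verdict "pass" passes the gate.
    A 403 (plan gating), other errors, or malformed JSON fail closed so a
    misconfigured gate cannot silently wave a deploy through.
    """
    if status == 403:
        return False, "webhook gated: CI Gate requires a Pro or higher plan"
    if not 200 <= status < 300:
        return False, f"unexpected HTTP status {status}"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False, "response was not valid JSON"
    verdict = data.get("verdict") if isinstance(data, dict) else None
    if verdict == "pass":
        return True, "verdict: pass"
    if verdict == "fail":
        return False, "verdict: fail (new issues crossed the fail_on threshold)"
    return False, f"unrecognised verdict: {verdict!r}"


def run_gate(target: str, fail_on: str, api_key: str, url: str = WEBHOOK_URL) -> tuple[bool, str]:
    """POST the target and fail_on policy to the webhook and evaluate the verdict."""
    payload = json.dumps({"target": target, "fail_on": fail_on}).encode()
    req = urllib.request.Request(url, data=payload, method="POST",
                                 headers={"Content-Type": "application/json",
                                          "X-Vex-Key": api_key})
    try:
        with urllib.request.urlopen(req, timeout=600) as resp:
            return gate_result(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:  # non-2xx still carries a body
        return gate_result(e.code, e.read().decode())


if __name__ == "__main__":
    ok, reason = run_gate(os.environ.get("VEX_TARGET", "https://staging.example.com"),
                          os.environ.get("VEX_FAIL_ON", "high"), os.environ["VEX_API_KEY"])
    print(reason)
    sys.exit(0 if ok else 1)
```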
Scope
Point the gate at staging/pre-prod targets you are authorized to test, not arbitrary third-party hosts.