
Set up the CI Gate

The CI Gate lets you run a Vex Raptor scan from your pipeline and fail the build when new issues cross a policy threshold — continuous pentesting instead of a once-a-year report.

Plan

The CI Gate / webhook automation requires a Pro (or higher) plan. On lower plans the endpoint is gated (HTTP 403).

How it works

  1. Create an org API key (header X-Vex-Key) and choose a fail policy (for example, fail on any new Critical).
  2. Your pipeline POSTs the staging target to the webhook URL.
  3. Vex Raptor runs a focused scan and returns verdict: pass or fail according to the policy.
  4. Re-scan on each deploy so regressions that re-open issues fail the build.

Configure in the console

  1. Open CI Gate in the sidebar (route /triggers — same page as threat triggers; the webhook block is at the top).
  2. Copy the endpoint URL and the cURL / GitHub Actions snippet.
  3. Set fail_on (critical, high, medium, or never).
  4. Create an API key under Organizations if you do not have one yet.

Endpoint: POST /api/v1/webhook/scan on your app host (for example https://app.example.com/api/v1/webhook/scan).

Auth: X-Vex-Key: <org-api-key> — not a JWT.

Example

curl -sS -X POST 'https://app.example.com/api/v1/webhook/scan' \
  -H 'Content-Type: application/json' \
  -H 'X-Vex-Key: YOUR_VEX_API_KEY' \
  -d '{"target":"https://staging.example.com","fail_on":"high"}'

# GitHub Actions (copy the live snippet from the CI Gate screen for your host)
- name: Vex Raptor CI Gate
  env:
    VEX_API_KEY: ${{ secrets.VEX_API_KEY }}
  run: |
    resp=$(curl -sS -X POST 'https://app.example.com/api/v1/webhook/scan' \
      -H "Content-Type: application/json" \
      -H "X-Vex-Key: $VEX_API_KEY" \
      -d '{"target":"https://staging.example.com","fail_on":"high"}')
    echo "$resp"
    # Fail the step unless the response body contains a pass verdict.
    echo "$resp" | grep -q '"verdict":"pass"' || exit 1
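
A fail-closed wrapper for the same call, as an added example (not Vex Raptor's own snippet). It checks the HTTP status as well as the verdict, so a gated 403 or an empty response is reported as a gate error rather than being mistaken for a policy failure. It assumes the response is JSON with a top-level "verdict" string, as the grep above implies; gate_decision, run_gate and VEX_GATE_URL are names made up for this example.

```shell
#!/bin/sh
# Added example: fail-closed wrapper for the CI Gate webhook (not vendor code).
# Assumption: the response is JSON with a top-level "verdict" string, "pass"
# or "fail", as the page's grep implies. Function names are hypothetical.

# gate_decision HTTP_STATUS BODY
# Returns 0 = pass, 1 = policy fail, 2 = gate error (never treated as pass).
gate_decision() {
  local status="$1" body="$2" verdict
  case "$status" in
    2??) ;;
    403) echo "gate: HTTP 403, endpoint is gated (check plan)" >&2; return 2 ;;
    *)   echo "gate: unexpected HTTP status '$status'" >&2; return 2 ;;
  esac
  # Pull out the verdict value, tolerating whitespace and pretty-printing.
  verdict=$(printf '%s' "$body" | tr -d '\n' |
    sed -n 's/.*"verdict"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p')
  case "$verdict" in
    pass) return 0 ;;
    fail) echo "gate: policy verdict is fail" >&2; return 1 ;;
    *)    echo "gate: no usable verdict in response" >&2; return 2 ;;
  esac
}

# run_gate TARGET FAIL_ON
# Reads the org API key from VEX_API_KEY; VEX_GATE_URL (hypothetical variable)
# overrides the endpoint shown on the page.
run_gate() {
  local url="${VEX_GATE_URL:-https://app.example.com/api/v1/webhook/scan}"
  local out status body
  # Keep quotes and backslashes out of the hand-built JSON body.
  case "$1$2" in *[\"\\]*) echo "gate: bad argument" >&2; return 2 ;; esac
  out=$(curl -sS -X POST "$url" \
    -H 'Content-Type: application/json' \
    -H "X-Vex-Key: ${VEX_API_KEY:?VEX_API_KEY is not set}" \
    -d "{\"target\":\"$1\",\"fail_on\":\"$2\"}" \
    -w '\n%{http_code}') || return 2
  status=$(printf '%s\n' "$out" | tail -n 1)  # last line is the -w status
  body=$(printf '%s\n' "$out" | sed '$d')
  gate_decision "$status" "$body"
}

# In the pipeline step: run_gate 'https://staging.example.com' high
```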

Scope

Point the gate at staging/pre-prod targets you are authorized to test, not arbitrary third-party hosts.