Platform Integrations
Technical guide for configuring third-party integrations for cloud assets, vulnerability scanning, alerts, and ticketing
Slack
MS Teams
Webhook
Jira
GitHub
GitLab
Linear
AWS
GCP
Azure
Alibaba
Kubernetes
Cloudflare
Fastly
DigitalOcean
Notification Integrations
Alerting integrations support notifications as part of scanning and asset discovery, and include Slack, Microsoft Teams, Email, and custom Webhooks. Navigate to Scans → Configurations → Alerting to configure your alerts.
Slack
ProjectDiscovery supports scan notifications through Slack. To enable Slack notifications provide a name for your Configuration, a webhook, and an optional username.
Choose from the list of Events (Scan Started, Scan Finished, Scan Failed) to specify what notifications are generated. All Events are selected by default
- Refer to Slack’s documentation on creating webhooks for configuration details.
MS Teams
ProjectDiscovery supports notifications through Microsoft Teams. To enable notifications, provide a name for your Configuration and a corresponding webhook.
Choose from the list of Events (Scan Started, Scan Finished, Scan Failed) to specify what notifications are generated.
- Refer to Microsoft’s documentation on creating webhooks for configuration details.
ProjectDiscovery supports notifications via Email. To enable email notifications for completed scans simply add your recipient email addresses.
Webhook
ProjectDiscovery supports custom webhook notifications, allowing you to post events to any HTTP endpoint that matches your infrastructure requirements.
To implement webhook notifications, provide:
- Configuration name
- Webhook URL
- Authentication parameters (if required)
Example endpoint format:
Ticketing Integrations
The integrations under Ticketing support ticketing functionality as part of scanning and include support for Jira, GitHub, GitLab, and Linear. Navigate to Scans → Configurations → Ticketing to configure your ticketing tools.
Jira
ProjectDiscovery provides integration support for Jira to create new tickets when vulnerabilities are found.
Provide a name for the configuration, the Jira instance URL , the Account ID, the Email, and the associated API token.
Details on creating an API token are available in the Jira documentation here.
GitHub
ProjectDiscovery provides integration support for GitHub to create new tickets when vulnerabilities are found.
Provide a name for the configuration, the Organization or username, Project name, Issue Assignee, Token, and Issue Label. The Issue Label determines when a ticket is created. (For example, if critical severity is selected, any issues with a critical severity will create a ticket.)
- The severity as label option adds a template result severity to any GitHub issues created.
- Deduplicate posts any new results as comments on existing issues instead of creating new issues for the same result.
Details on setting up access in GitHub are available here.
GitLab
ProjectDiscovery provides integration support for GitLab to create new tickets when vulnerabilities are found.
Provide your GitLab username, Project name, Project Access Token and a GitLab Issue label. The Issue Label determines when a ticket is created. (For example, if critical severity is selected, any issues with a critical severity will create a ticket.)
- The severity as label option adds a template result severity to any GitLab issues created.
- Deduplicate posts any new results as comments on existing issues instead of creating new issues for the same result.
Refer to GitLab’s documentation for details on configuring a Project Access token.
Linear
ProjectDiscovery integrates with Linear for automated issue tracking. The integration requires the following API parameters:
- Linear API Key
- Linear Team ID
- Linear Open State ID
To retrieve these parameters:
- API Key Generation:
- Path: Linear > Settings > API > Personal API keys
- Direct URL: linear.app/[workspace]/settings/api
- Team ID Retrieval:
- Open State ID Retrieval:
For detailed API documentation, refer to the Linear API Documentation.
Cloud Asset Discovery
ProjectDiscovery supports integrations with all popular cloud providers to automatically sync externally facing hosts for vulnerability scanning. This comprehensive approach ensures all your cloud resources with external exposure are continuously monitored, complementing our external discovery capabilities. The result is complete visibility of your attack surface across cloud environments through a simple web interface.
AWS (Amazon Web Services)
Configure AWS Integration
Click here to open the AWS integration configuration page in the ProjectDiscovery Cloud platform
ProjectDiscovery’s AWS integration allows the platform to automatically discover and monitor cloud assets across your AWS accounts. By connecting AWS to ProjectDiscovery, security teams and DevOps engineers gain continuous visibility into EC2 instances, S3 buckets, DNS records, and other resources without manual inventory. This integration leverages ProjectDiscovery’s open-source Cloudlist engine to enumerate assets via AWS APIs. In short, it helps ensure no cloud asset goes unnoticed, enabling proactive security monitoring and easier management of your attack surface.
Supported AWS Services:
Service | Description |
---|---|
EC2 | VM instances and their public IPs |
Route53 | DNS hosted zones and records |
S3 | Buckets (especially those public or with DNS) |
Cloudfront | CDN distributions and their domains |
ECS | Container cluster resources |
EKS | Kubernetes cluster endpoints |
ELB | Load balancers (Classic ELB and ALB/NLB) |
ELBv2 | Load balancers (Classic ELB and ALB/NLB) |
Lambda | Serverless function endpoints |
Lightsail | Lightsail instances (simplified VPS) |
Apigateway | API endpoints deployed via Amazon API Gateway |
By covering these services, ProjectDiscovery can map out a broad range of AWS assets in your account. (Support for additional services may be added over time.)
AWS Integration Methods
ProjectDiscovery supports three methods to connect to AWS, each suited for different use cases and security preferences:
- Single AWS Account (Access Key & Secret) – Direct credential-based authentication using an IAM User’s Access Key ID and Secret Access Key to connect one AWS account. Choose this for quick setups or single-account monitoring.
- Multiple AWS Accounts (Assume Role) – Use one set of credentials to assume roles in multiple accounts. This method is ideal for organizations with multiple AWS accounts (e.g. dev, prod, etc.). You provide one account’s credentials and the common role name that exists in all target accounts.
- Cross-Account Role (Role ARN) – Use a dedicated IAM role with an External ID for third-party access. This option lets you create a cross-account IAM role in your AWS account and grant ProjectDiscovery access via that role’s Amazon Resource Name (ARN). This is the most secure integration method, as it follows AWS best practices for third-party account access.
Prerequisites
Before configuring the integration, make sure you have:
- AWS Account – Access to an AWS account where you can create IAM identities
- Admin Access to IAM – Permissions to create IAM users and roles
- ProjectDiscovery Account – Access to ProjectDiscovery’s Cloud platform
- Basic AWS IAM Knowledge – Understanding of IAM users, access keys, and roles
1. Single AWS Account (Access Key & Secret)
To connect a single AWS account directly:
- Create a Read-Only IAM User: In the AWS IAM console, create a new IAM user for ProjectDiscovery integration. Assign programmatic access (which generates an Access Key ID and Secret Access Key).
- Attach Required Policies: Grant the user read-only permissions to the AWS services you want to monitor. You can use AWS-managed policies like AmazonEC2ReadOnlyAccess, AmazonS3ReadOnlyAccess, etc. for each service (see the Required Permissions section below).
- Configure in ProjectDiscovery:
- Select Single AWS Account (Access Key & Secret)
- Enter your AWS Access Key ID and AWS Secret Access Key
- Optionally provide a Session Token (only for temporary credentials)
- Give the integration a unique name
- Select the AWS services you want to monitor
Tip: Use an IAM user with minimal read-only permissions and rotate keys periodically for security.
2. Multiple AWS Accounts (Assume Role)
For monitoring multiple AWS accounts from a central account:
- Choose a Primary Account: Create an IAM user in one AWS account (the “primary”) with programmatic access.
- Create an IAM Role in Each Target Account: In each AWS account you want to monitor, create a role that:
- Uses the same role name across all accounts (e.g., “ProjectDiscoveryReadOnlyRole”)
- Has a trust relationship allowing your primary account to assume it
- Has the required read-only permissions
- Configure in ProjectDiscovery:
- Select Multiple AWS Accounts (Assume Role)
- Enter the primary account’s AWS Access Key ID and Secret Access Key
- Specify the Role Name to Assume (the common role name)
- List all AWS Account IDs to monitor (one per line)
- Give the integration a unique name
- Select the AWS services you want to monitor
3. Cross-Account Role (Role ARN)
The most secure method using ProjectDiscovery’s service account:
- Create an IAM Role in Your AWS Account:
- In your AWS console, go to IAM → Roles → Create Role
- Select “Another AWS account” as the trusted entity
- Enter ProjectDiscovery’s ARN:
arn:aws:iam::034362060511:user/projectdiscovery
- Enable “Require External ID” and enter the External ID shown in the ProjectDiscovery UI
- Attach the necessary read-only permissions
- Configure in ProjectDiscovery:
- Select Cross-Account Role (Role ARN)
- Enter the Role ARN of the role you created
- Give the integration a unique name
- Select the AWS services you want to monitor
Required Permissions
ProjectDiscovery needs read-only access to your AWS assets. The following AWS-managed policies are recommended:
- EC2 - AmazonEC2ReadOnlyAccess
- Route53 - AmazonRoute53ReadOnlyAccess
- S3 - AmazonS3ReadOnlyAccess
- Lambda - AWSLambda_ReadOnlyAccess
- ELB - ElasticLoadBalancingReadOnly
- Cloudfront - CloudFrontReadOnlyAccess
Alternatively, you can use this custom policy for minimal permissions:
Verifying the Integration
After configuring the integration, it’s important to verify that ProjectDiscovery is successfully connected and enumerating your AWS assets:
- Check Asset Discovery: In the ProjectDiscovery platform, navigate to the cloud assets or inventory section. After a successful integration, you should start seeing resources from your AWS account(s) listed (for example, EC2 instance IDs, S3 bucket names, etc., corresponding to the integrated accounts). It may take a short while for the initial discovery to complete. If you see those assets, the integration is working.
- Test with a Known Resource: As a quick test, pick a known resource (like a specific EC2 instance or S3 bucket in your AWS account) and search for it in ProjectDiscovery’s asset inventory. If it appears, the connection is functioning and pulling data.
- Troubleshooting Errors: If the integration fails or some assets are missing, consider these common issues:
- Incorrect Credentials: Double-check that the Access Key and Secret (if used) were entered correctly and correspond to an active IAM user. If you recently created the user, ensure you copied the keys exactly (no extra spaces or missing characters).
- Insufficient Permissions: If certain services aren’t showing up, the IAM policy might be missing permissions. For example, if S3 buckets aren’t listed, confirm that the policy includes
s3:ListAllMyBuckets
. Refer back to the Required Permissions and make sure all relevant actions are allowed. You can also use AWS IAM Policy Simulator or CloudTrail logs to see if any AccessDenied errors occur when ProjectDiscovery calls AWS APIs. - Assume Role Failures: In multi-account or cross-account setups, a common issue is a misconfigured trust relationship. If ProjectDiscovery cannot assume a role, you might see an error in the UI or logs like “AccessDenied: Not authorized to perform sts:AssumeRole”. In that case, check the following:
- The trust policy of the IAM role (in target account) trusts the correct principal (either your primary account’s IAM user/role ARN for multi-account, or ProjectDiscovery’s external account ID for cross-account) and the External ID if applicable.
- The role name or ARN in the ProjectDiscovery config exactly matches the one in AWS (spelling/case must match).
- The primary credentials (for multi-account) have permission to call
AssumeRole
.
- External ID Mismatch: For cross-account roles, if the external ID in ProjectDiscovery and the one in the IAM role’s trust policy do not match, AWS will deny the assume request. Ensure you didn’t accidentally copy the wrong value or include extra spaces. It must be exact.
- AWS CloudTrail Logs: As an additional verification, you can check AWS CloudTrail in your account. When ProjectDiscovery connects, you should see events like
DescribeInstances
,ListBuckets
, etc., being called by the IAM user or assumed role. For cross-account roles, you will see anAssumeRole
event from ProjectDiscovery’s AWS account ID, and subsequent calls under the assumed role’s identity. This audit trail can confirm that the integration is working as intended and using only allowed actions.
If all checks out, ProjectDiscovery is now actively monitoring your AWS environment. New resources launched in AWS should be detected on the next scan cycle, and any changes to your cloud footprint will be reflected in the platform. Make sure to regularly review the integration and update the IAM permissions if you start using new AWS services.
References:
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_read-only-console.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
- https://docs.aws.amazon.com/sdkref/latest/guide/feature-assume-role-credentials.html
- https://docs.logrhythm.com/OCbeats/docs/aws-cross-account-access-using-sts-assume-role
Google Cloud Platform (GCP)
Configure GCP Integration
Click here to open the GCP integration configuration page in the ProjectDiscovery Cloud platform
ProjectDiscovery’s GCP integration allows the platform to automatically discover and monitor cloud assets across your GCP account. The integration supports two discovery approaches to accommodate different organizational structures and permission models.
Supported GCP Services:
GCP Integration Methods:
-
Organization-Level Asset API (Recommended for Enterprises)
- Uses Google Cloud’s Asset Inventory API for comprehensive organization-wide discovery
- Discovers assets across entire GCP organization with a single configuration
- Requires organization-level permissions:
roles/cloudasset.viewer
androles/resourcemanager.viewer
- Ideal for large organizations with multiple projects
-
Individual Service APIs (Default)
- Uses individual GCP service APIs for project-specific discovery
- Faster execution with detailed resource metadata
- Requires project-level permissions for each service
- Ideal for focused, single-project discovery
Multi-Organization Support
ProjectDiscovery supports monitoring multiple GCP organizations simultaneously. Simply configure multiple integrations with different organization IDs to get consolidated asset discovery across all your GCP environments (e.g., production, staging, development organizations).
Finding Your Organization ID
-
Via Google Cloud Console:
- Go to the Google Cloud Console
- In the top navigation, click on the project selector (next to “Google Cloud Platform”)
- Click All tab to view all resources
- Look for your organization name - the Organization ID is displayed next to it
- Alternatively, go to IAM & Admin > Settings - your Organization ID will be shown at the top
-
Via gcloud CLI:
-
Via Organization Policies Page:
- Navigate to Organization Policies in the Console
- Your Organization ID will be displayed in the URL and page header
Checking Your Permissions
Before setting up the integration, verify you have the necessary permissions:
-
For Organization-Level Integration:
-
For Project-Level Integration:
Step-by-Step Setup Instructions
Option 1: Organization-Level Asset API Setup
-
Verify Organization Access:
- Ensure you have
roles/cloudasset.viewer
androles/resourcemanager.viewer
at the organization level - You can check this in IAM & Admin > IAM by switching to your organization scope
- Ensure you have
-
Create Service Account:
- Navigate to any project within your organization
- Go to IAM & Admin > Service Accounts
- Click Create Service Account
- Name it something like
projectdiscovery-org-scanner
- Click Create and Continue
-
Grant Organization-Level Permissions:
- Go to IAM & Admin > IAM
- Switch to your Organization scope (not project)
- Click Grant Access
- Enter your service account email:
projectdiscovery-org-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com
- Assign these roles:
Cloud Asset Viewer
Organization Viewer
- Click Save
-
Generate Service Account Key:
- Return to Service Accounts
- Click on your service account
- Go to Keys tab
- Click Add Key > Create New Key
- Choose JSON format
- Download and securely store the key file
Option 2: Individual Service APIs Setup
-
Select Target Project:
- Choose the specific project you want to monitor
- Note the Project ID (not the display name)
-
Create Service Account:
- Navigate to IAM & Admin > Service Accounts in your target project
- Click Create Service Account
- Name it something like
projectdiscovery-scanner
- Click Create and Continue
-
Grant Project-Level Permissions:
- On the same page, assign these roles:
Compute Viewer
DNS Reader
Storage Object Viewer
Cloud Run Viewer
Cloud Functions Viewer
Kubernetes Engine Viewer
Browser
(for basic project access)
- Click Continue and then Done
- On the same page, assign these roles:
-
Generate Service Account Key:
- Click on your service account
- Go to Keys tab
- Click Add Key > Create New Key
- Choose JSON format
- Download and securely store the key file
References:
- https://cloud.google.com/iam/docs/service-account-overview
- https://cloud.google.com/iam/docs/keys-create-delete#creating
- https://cloud.google.com/asset-inventory/docs/overview
Azure
Configure Azure Integration
Click here to open the Azure integration configuration page in the ProjectDiscovery Cloud platform
Supported Azure Services:
- Virtual Machines
Azure Integration Method:
To connect ProjectDiscovery to your Azure account, you will need to create and configure an App Registration in Azure Active Directory. This process generates a Service Principal with the necessary credentials and permissions to monitor your cloud assets in a secure, read-only manner.
The required credentials are:
- Azure Tenant ID
- Azure Subscription ID
- Azure Client ID
- Azure Client Secret
Below are the steps to get the above credentials:
- Create App Registration:
- Go to Azure Active Directory > App registrations > + New registration.
- From the app’s Overview page, collect the Application (client) ID and Directory (tenant) ID.
- Generate Client Secret:
- In the app, navigate to Certificates & secrets > + New client secret.
- CRITICAL: Copy the secret Value immediately, as it is shown only once.
- Assign Permissions:
- Go to your Subscription > Access control (IAM).
- Add a role assignment to grant the Reader role to the App Registration you created.
- Note your Subscription ID from the subscription’s overview page.
- Connect:
- Enter the four collected credentials (Tenant ID, Client ID, Client Secret, and Subscription ID) into ProjectDoscovery Cloud Platform to configure the integration.
To use CLI, follow the instructions mentioned in the references below.
References:
- https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli
- https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az_ad_sp_create_for_rbac
- https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli
Alibaba Cloud
Configure Alibaba Cloud Integration
Click here to open the Alibaba Cloud integration configuration page in the ProjectDiscovery Cloud platform
Supported Alibaba Cloud Services:
- ECS Instances
Alibaba Integration Method
This guide details the secure, best-practice method for connecting to Alibaba Cloud using a dedicated RAM user with read-only permissions.
-
Create a RAM User for API Access:
- Navigate to the RAM (Resource Access Management) console. Ref
- From the left menu, go to Identities > Users and click Create User.
- Enter a Logon Name (e.g.,
projectdiscovery-readonly
). - For Access Mode, select OpenAPI Access and click OK. This is for programmatic access, not console login.
-
Securely Store the Access Key: An AccessKey pair is generated immediately after the user is created. This is the only time the secret is shown.
On the confirmation screen, copy the AccessKey ID and the AccessKey Secret. Store them in a secure location immediately. The secret cannot be retrieved after you close this dialog.
-
Grant Read-Only Permissions:
- Return to the Users list.
- Find the user you just created and click Add Permissions in the Actions column.
- Select the System Policy type.
- Search for and select the
AliyunReadOnlyAccess
policy and click OK. This is the official, managed policy for read-only access to all cloud resources.
-
Find Your Region ID and Connect:
- Identify the Region ID for the resources you plan to monitor. You can find the official list in the Alibaba Cloud documentation here: Regions and zones (This link lists the specific IDs required for API configuration).
- Use the credentials you have collected to fill in the fields in ProjectDiscovery:
- Alibaba Region ID: The target region, for example,
us-east-1
. - Alibaba Access Key: The AccessKey ID from Step 2.
- Alibaba Access Key Secret: The AccessKey Secret from Step 2.
- Alibaba Region ID: The target region, for example,
- Enter a unique Integration Name and click Verify.
References:
- https://www.alibabacloud.com/help/faq-detail/142101.htm
- https://www.alibabacloud.com/help/doc-detail/53045.htm
Kubernetes
Configure Kubernetes Integration
Click here to open the Kubernetes integration configuration page in the ProjectDiscovery Cloud platform
Supported Kubernetes Services:
- Services
- Ingresses
- Cross-cloud cluster discovery
Kubernetes Integration Method
-
Prepare Base64-Encoded Kubeconfig
-
Your kubeconfig file is typically located at:
-
Encode it using:
-
Paste the output into the Kubeconfig field in the UI.
⚠️ Ensure the entire content is copied without extra whitespace.
-
-
Specify Context (Optional)
-
If your kubeconfig has multiple contexts, find them with:
-
To view the current context:
-
Use the relevant context name if required.
-
-
Define Integration Name & Verify
Choose a unique, descriptive name for this integration and click **Verify **to complete the integration.
References
Cloudflare
Configure Cloudflare Integration
Click here to open the Cloudflare integration configuration page in the ProjectDiscovery Cloud platform
Supported Cloudflare Services:
- DNS and CDN assets
Cloudflare Integration Methods:
You can integrate Cloudflare into ProjectDiscovery via one of two methods:
- Global API Key
- Go to Cloudflare Dashboard.
- Under “API Keys”, locate the Global API Key and click View.
- Authenticate and copy the key.
- Now enter the Cloudflare account email and Global API Key copied in above step into ProjectDiscovery Cloud Platform.
- Give a unique Integration name and click Verify.
- API Toekn
- From the Cloudflare dashboard ↗, go to My Profile > API Tokens for user tokens. For Account Tokens, go to Manage Account > API Tokens.
- Select Create Token.
- Give required permission (follow reference 2 for details) and create token. Copy the Token
- Now enter API Token in ProjectDiscovery Cloud Platform.
- Give a unique Integration name and click Verify.
References:
- https://developers.cloudflare.com/api/keys
- https://developers.cloudflare.com/fundamentals/api/get-started/create-token/
Flastly
Configure Fastly Integration
Click here to open the Fastly integration configuration page in the ProjectDiscovery Cloud platform
Fastly Integration Method
-
Go to Fastly account settings.
-
Under API, click Create API token if you don’t already have one.
-
Copy the API Key.
-
Now enter API Key in ProjectDiscovery Cloud Platform.
-
Give a unique Integration name and click Verify.
Tip: In Fastly’s documentation and interfaces, “API Key” and “API Token” refer to the same thing. You can use the terms interchangeably throughout this guide.
References:
DigitalOcean
Configure DigitalOcean Integration
Click here to open the DigitalOcean integration configuration page in the ProjectDiscovery Cloud platform
DigitalOcean Integration Method
- Go to DigitalOcean API Settings.
- Click Generate New Token
- Provide a name and enable read-only access scope
- Copy the token
- Now enter token in ProjectDiscovery Cloud Platform.
- Give a unique Integration name and click Verify.
Supported Services:
- Droplets and managed services
References: