Connect APVISO with Argo CD

CI/CD

Integrate APVISO security scans with Argo CD GitOps deployments. Validate Kubernetes workloads for vulnerabilities before and after sync.

Why connect APVISO with Argo CD?

GitOps Security Validation

Automatically trigger APVISO scans when Argo CD syncs a new application version, catching vulnerabilities introduced by Kubernetes manifest or image changes.

Pre-Sync Security Hooks

Run APVISO scans as Argo CD pre-sync hooks to validate application security before the new version goes live in the cluster.

Drift Detection with Security Context

When Argo CD detects configuration drift, APVISO can assess whether the drift introduces security vulnerabilities, adding security context to your GitOps workflow.

Setup Guide

1. Configure the APVISO Webhook

In Argo CD's notification settings, add an APVISO webhook that fires on sync events. Provide your APVISO API key and target configuration.

2. Set Up Sync Hooks

Add an APVISO pre-sync or post-sync hook to your Argo CD application manifests. The hook triggers a scan against the deployed application endpoint.

3. Define Security Policies

Configure severity thresholds and scan profiles in APVISO to match your GitOps deployment policies. Critical findings can block the sync from completing.

Features

  • Automatic scans triggered by Argo CD sync events
  • Pre-sync and post-sync hook support for security gates
  • Scan results linked to specific Argo CD application versions
  • Severity-based sync blocking for critical vulnerabilities
  • Integration with Argo CD notifications for scan alerts

How APVISO Integrates with Argo CD

APVISO's Argo CD integration brings penetration testing into your GitOps workflow, ensuring that every deployment synced through Argo CD is validated for security vulnerabilities. For teams practicing GitOps with Kubernetes, this integration means security is assessed as part of the declarative deployment process rather than as an afterthought.

GitOps-Native Security Scanning

Argo CD continuously monitors your Git repository and reconciles the desired state with the live cluster state. The APVISO integration hooks into this reconciliation process. When Argo CD detects a change and initiates a sync, it can trigger an APVISO scan against the application endpoint either before or after the new version is deployed.

For pre-sync hooks, APVISO scans the currently running version or a preview environment to establish a baseline. For post-sync hooks, APVISO scans the newly deployed version to verify that the update has not introduced vulnerabilities. Both approaches ensure that security validation is an integral part of your deployment pipeline.

Sync Hook Configuration

The integration uses Argo CD's resource hook mechanism. You add a Kubernetes Job manifest annotated with argocd.argoproj.io/hook: PreSync or PostSync that runs the APVISO CLI to trigger and monitor a scan. The job exits with a non-zero code if vulnerabilities exceed your severity threshold, causing Argo CD to halt the sync.

This approach keeps the security gate configuration in Git alongside your application manifests, following the GitOps principle that all operational configuration is version-controlled and auditable.
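A sketch of the hook Job described above, added here as an illustration and not taken from APVISO's documentation. The hook annotations are Argo CD's own; the image, the scan command, the environment variable names, the Secret name and the target URL are placeholders to replace with the values from your APVISO setup.

```yaml
# Added example, not APVISO's published manifest.
# Placeholders (assumptions): image, scan command, env variable names,
# Secret name and target URL.
apiVersion: batch/v1
kind: Job
metadata:
  name: apviso-presync-scan
  annotations:
    argocd.argoproj.io/hook: PreSync        # use PostSync to scan the newly deployed version
    # Keep the finished Job (and its logs) until the next sync recreates it.
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
  backoffLimit: 0               # a failed gate fails the sync instead of retrying
  activeDeadlineSeconds: 1800   # bound how long a scan can hold up the sync
  template:
    spec:
      restartPolicy: Never
      automountServiceAccountToken: false   # the scanner needs no Kubernetes API access
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: scan-gate
          # Placeholder image; pin by digest so the gate itself cannot drift.
          image: registry.example.com/apviso-cli@sha256:<digest>
          # Placeholder command; it must exit non-zero when findings exceed the threshold.
          command: ["/bin/sh", "-c", "<apviso-scan-command>"]
          env:
            - name: APVISO_API_KEY          # assumed variable name
              valueFrom:
                secretKeyRef:
                  name: apviso-credentials  # assumed Secret, created outside Git
                  key: api-key
            - name: SCAN_TARGET_URL         # assumed variable name
              value: "https://app.example.com"
            - name: SEVERITY_THRESHOLD      # assumed variable name
              value: "critical"
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            limits:
              cpu: 500m
              memory: 256Mi
```

The API key is read from a Secret so that only the reference, not the credential, lives in the Git repository alongside the manifests.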

Application Version Tracking

Each APVISO scan triggered by Argo CD is tagged with the application name, target revision (Git commit SHA), and sync ID. This creates a complete audit trail linking specific application versions to their security assessment results. You can trace any vulnerability back to the exact commit and manifest changes that introduced it.

Multi-Cluster and Multi-Application Support

For organizations running multiple Argo CD applications across several clusters, the integration scales naturally. Each application can have its own APVISO scan configuration, severity threshold, and notification preferences. The APVISO dashboard provides a consolidated view of security posture across all your Argo CD-managed applications.

Notification Integration

Argo CD's built-in notification system can forward APVISO scan results to Slack, email, or other channels. When a scan completes, the results are included in the Argo CD sync notification, giving your team a single notification that covers both deployment status and security assessment. This reduces context switching and ensures security findings are visible to the same audience that monitors deployments.

Frequently Asked Questions

Can APVISO block an Argo CD sync if vulnerabilities are found?

Yes. When configured as a pre-sync hook, APVISO runs a scan before the new version is deployed. If the scan discovers findings above your severity threshold, the hook fails and Argo CD does not proceed with the sync.

Does this work with Argo CD ApplicationSets?

Yes. The webhook integration works with both individual Argo CD Applications and ApplicationSets. Each application sync triggers its own APVISO scan against the corresponding endpoint.

Connect APVISO with Argo CD today

Set up the Argo CD integration in minutes and start routing security findings to your team.
