Salt Security Integration

Introduction

The Salt Security integration connects your Salt Security tenant to Conviso Platform in a bidirectional sync:

  • Inbound (Salt → Conviso): Salt discovers your APIs and detects posture gaps (API vulnerabilities). Conviso imports discovered APIs as assets and posture gaps as issues, keeping them up to date via webhooks and manual sync.
  • Outbound (Conviso → Salt): When you update an issue status in Conviso (e.g., mark as Fixed or Risk Accepted), that change is written back to the corresponding posture gap in Salt Security automatically.

Asset model

Salt Security surfaces two levels of assets in Conviso Platform:

| Asset type | Conviso section | Description |
| --- | --- | --- |
| FQDN (Domain) | Assets → FQDNs | One per Salt-discovered host. Acts as the sync anchor. |
| API (Endpoint) | Assets → APIs | One per endpoint (method + path) under a domain. Issues (posture gaps) attach here. |

Each FQDN asset has an APIs tab that lists all its child API endpoint assets. API assets link back to their parent domain via a breadcrumb.

Prerequisites

  • An active Salt Security account with at least one configured environment.
  • A Salt Security API key (Dashboard → Settings → Access → API Keys). The key must have perm-viewer scope for read operations and perm-executor for write-back.
  • Your Salt tenant region: US (api.secured-api.com) or EU (api.secured-api-eu.com).
  • A Conviso Platform account with permission to manage integrations.

Setup

1. Find Salt Security in Integrations

In the left sidebar, click Integrations. Search for Salt Security and click Connect on the card.

Integrations page showing the Salt Security card with the Connect button.

2. Enter credentials

On the Credentials step:

  1. Select your Region — US (api.secured-api.com) or EU (api.secured-api-eu.com).
  2. Paste your Salt Security API Key.
  3. Click Continue. Conviso validates the key before proceeding.

Credentials step showing the Region dropdown and API Key field.

3. Configure Status Mapping

On the Status Mapping step, drag Salt Security statuses onto Conviso Platform status rows to define how statuses are translated between the two systems.

Sync behavior:

  • Conviso → Salt Security: Only the first mapped Salt Security status in a row is applied on write-back.
  • Salt Security → Conviso: All mapped Salt Security statuses in a row are recognized on inbound sync.

Unmapped Conviso statuses are not synced. Changes apply only to future synchronizations.

The default mapping is:

| Conviso status | Salt Security status |
| --- | --- |
| Identified | Open |
| In Progress | Inprocess |
| Fixed | Resolved |
| Risk Accepted | Ignored |

Click Continue when done.
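The sync rules above are asymmetric, so a custom mapping can leave a status unsynced or make a round trip lossy. The following audit is an added example, not Conviso Platform code: the function names and the dictionary representation of the mapping are hypothetical, and the Salt status list is just the four statuses from the default mapping.

```python
# Added example: audits a Conviso <-> Salt Security status mapping.
# Semantics taken from the page: write-back uses the first Salt status in a
# row, inbound sync recognizes every Salt status in a row, and Conviso
# statuses with no mapped Salt status are not synced.
DEFAULT_MAPPING = {
    "Identified": ["Open"],
    "In Progress": ["Inprocess"],
    "Fixed": ["Resolved"],
    "Risk Accepted": ["Ignored"],
}

def to_salt(mapping, conviso_status):
    """Outbound: first mapped Salt status, or None if the row is unmapped."""
    row = mapping.get(conviso_status) or []
    return row[0] if row else None

def to_conviso(mapping, salt_status):
    """Inbound: the Conviso row that lists this Salt status, or None."""
    for conviso_status, row in mapping.items():
        if salt_status in row:
            return conviso_status
    return None

def audit(mapping, salt_statuses):
    """Report rows that are never synced and Salt statuses that map badly."""
    report = {"unsynced_conviso": [], "unrecognized_salt": [], "lossy_round_trip": []}
    report["unsynced_conviso"] = [c for c, row in mapping.items() if not row]
    for salt_status in salt_statuses:
        conviso_status = to_conviso(mapping, salt_status)
        if conviso_status is None:
            report["unrecognized_salt"].append(salt_status)
        elif to_salt(mapping, conviso_status) != salt_status:
            # Inbound lands on this row, but writing the row back to Salt
            # sends a different status than the one that came in.
            written = to_salt(mapping, conviso_status)
            report["lossy_round_trip"].append((salt_status, conviso_status, written))
    return report

# Constructed custom mapping: two Salt statuses share the "Fixed" row and
# "Risk Accepted" is left unmapped.
CUSTOM_MAPPING = {
    "Identified": ["Open"],
    "In Progress": ["Inprocess"],
    "Fixed": ["Resolved", "Ignored"],
    "Risk Accepted": [],
}
SALT_STATUSES = ["Open", "Inprocess", "Resolved", "Ignored"]
```

With the constructed mapping, a posture gap marked Ignored in Salt arrives in Conviso as Fixed, and a write-back of Fixed sends Resolved, so an accepted risk would read as remediated on the Salt side.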

Status Mapping step showing the drag-and-drop table with default mappings applied.

4. Select Severity Filters

On the Severity Filters step, enable the severity levels you want to import from Salt Security. All levels are enabled by default: Notification (maps from Salt's Info), Low, Medium, High, and Critical.

If no severity level is selected, no findings will be imported.

Click Continue.

Severity Filters step with toggles for each severity level, all enabled.

5. Associate domains (Configuration step)

On the Configuration step, click Add project to open the domain picker. The picker lists all hosts discovered in your Salt Security environment. Select the domains you want to track in Conviso and click Add.

Add new project dialog listing Salt Security-discovered domains.

For each associated domain, Conviso:

  • Creates an FQDN asset with asset_type = domain.
  • Eagerly imports all endpoint assets under that domain as API assets (asset_type = api).
  • Links the domain to any Salt Security labels as Conviso Applications and asset tags.

After adding domains, the first sync runs automatically. Depending on the number of endpoints and posture gaps, this may take a few minutes.

Configuration step showing the table of associated FQDN assets with their creation dates.

Viewing assets

FQDNs

Go to Assets → FQDNs to see all Salt Security-discovered domain assets. Each row shows the domain name, risk score, open vulnerabilities count, and business impact.

FQDNs asset list showing Salt Security domain assets with risk scores.

Click a domain to open its detail page. The APIs tab lists all child API endpoint assets under that domain, along with their method, path, risk score, and open findings count.

FQDN detail page with the APIs tab selected, showing child API endpoint assets.

APIs

Go to Assets → APIs to see all imported API endpoint assets across all associated domains. Each row shows the endpoint name, its parent FQDN, risk score, and open vulnerabilities. Use the FQDN filter to scope the list to a specific domain.

APIs asset list showing endpoint assets with their parent domain, risk score, and vulnerability count.

Managing an existing integration

To update credentials, status mappings, severity filters, or add/remove domains, go to Integrations, search for Salt Security, and click Settings on the card.

Integrations page showing Salt Security card with Connected status and Settings button.

The Configuration step shows all currently associated domains with their creation dates. From here you can:

  • Add project — associate additional Salt Security domains.
  • Remove integration — disconnect Salt Security entirely.
  • Check connection — verify the API key is still valid.

Real-time sync (Webhook)

Conviso provides a webhook endpoint that Salt Security can call whenever a posture gap changes. When a webhook fires, Conviso re-syncs only the affected domain rather than re-pulling all data.

Configure the webhook in your Salt Security dashboard under Settings → Integrations → Custom Webhook using the following template:

{
  "company_id": "<your Conviso company ID>",
  "webhook_token": "<your integration webhook token>",
  "reference": "{{host}}",
  "event": "{{eventType}}"
}

Webhook URL:

https://<your-conviso-host>/api/v3/integrations/scanners/salt_security/webhook

Find your company_id and webhook_token on the Salt Security integration settings page in Conviso Platform.

Note: If the webhook template is misconfigured, real-time sync stops silently. Use Sync integration in the integration settings as a manual recovery path.
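Because a misconfigured template fails silently, it is worth linting the template and URL before saving them in Salt. This check is an added example, not part of Conviso Platform or Salt Security: the function name, sample host and sample values are constructed, and it assumes the template shown above is the full contract.

```python
import json
import re
from urllib.parse import urlsplit

# Fields whose values must stay as Salt template variables (from the page).
TEMPLATE_VARS = {"reference": "{{host}}", "event": "{{eventType}}"}
# Fields the operator fills in from the Conviso integration settings page.
OPERATOR_FIELDS = ("company_id", "webhook_token")
WEBHOOK_PATH = "/api/v3/integrations/scanners/salt_security/webhook"

def lint_webhook(template_text, url):
    """Return a list of problems; an empty list means the contract is met.
    Messages never include field values, so the token is not echoed."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("url: must use https (the body carries webhook_token)")
    if parts.path != WEBHOOK_PATH:
        problems.append("url: unexpected path")
    try:
        body = json.loads(template_text)
    except json.JSONDecodeError as exc:
        return problems + [f"body: not valid JSON ({exc.msg})"]
    if not isinstance(body, dict):
        return problems + ["body: must be a JSON object"]
    for key, expected in TEMPLATE_VARS.items():
        if body.get(key) != expected:
            problems.append(f"{key}: expected template variable {expected}")
    for key in OPERATOR_FIELDS:
        value = body.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key}: missing")
        elif re.fullmatch(r"<.*>", value.strip()):
            problems.append(f"{key}: placeholder was not replaced")
    return problems

# Constructed samples (host, company ID and token are made up).
GOOD_URL = "https://conviso.example.test" + WEBHOOK_PATH
GOOD_TEMPLATE = ('{"company_id": "1234", "webhook_token": "constructed-token-value", '
                 '"reference": "{{host}}", "event": "{{eventType}}"}')
BAD_URL = "http://conviso.example.test" + WEBHOOK_PATH
BAD_TEMPLATE = ('{"company_id": "1234", "webhook_token": '
                '"<your integration webhook token>", "reference": "{{hostname}}"}')
```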

Bidirectional status sync

Status changes flow in both directions automatically:

| Direction | Trigger | What happens |
| --- | --- | --- |
| Salt → Conviso | Webhook or manual sync | Posture gap status mapped to Conviso issue status via Status Mapping table. |
| Conviso → Salt | Issue status change in Conviso | First mapped Salt status for that Conviso status is written back to Salt via POST /v1/apigovern/posture/gaps. |

Troubleshooting

  • Invalid credentials: Verify the API key was copied correctly and that the Salt region matches your tenant (US vs EU).
  • No domains listed in picker: The API key may lack perm-viewer scope, or no hosts have been discovered yet in your Salt environment.
  • Zero findings after sync: Salt's host filter may not match the stored domain reference. Use Sync integration to trigger a full re-pull. Check that severity filters include the relevant levels.
  • Domains in sync but findings missing: Confirm the Salt API key has access to posture gaps in the selected environment.
  • Webhook not triggering re-sync: Verify the template in Salt's dashboard matches the contract above (especially the reference and webhook_token fields).

Support

If you have any questions or need help with our product, please contact our support team according to your SLA.
