Home > DevSecOps

Nikto in CI

Nikto in CI integrates the Nikto web server vulnerability scanner into automated pipelines so that every deployment is tested for common server-level weaknesses. Instead of running Nikto manually, CI pipelines can execute scans on every commit, build, or release. This ensures consistent coverage of misconfigurations, weak headers, outdated server components, and known vulnerabilities.

Understanding Nikto in CI

Nikto checks for:

• outdated server versions
• insecure HTTP headers
• dangerous HTTP methods
• default files and directories
• misconfigured SSL/TLS
• known vulnerabilities in web servers
• exposure of sensitive paths

Nikto is simple, lightweight, and ideal for baseline DAST in continuous integration pipelines.

Why Use Nikto in CI

Running Nikto in CI:

• prevents insecure web server deployments
• enforces baseline security checks automatically
• catches regressions early
• ensures headers and SSL remain hardened
• detects misconfigurations introduced by code, config, or infra updates
• provides consistent, repeatable validation

Nikto complements deeper DAST tools like ZAP or Burp.

How Nikto Works in CI

Nikto runs as:

• a normal CLI tool
• a Docker container
• a pipeline job in GitHub/GitLab/Jenkins
• part of DevSecOps testing stages

It scans a target URL and produces a text, XML, HTML, or JSON report.

Installing Nikto for CI Automation

Install via package manager

sudo apt install nikto

Install from source

git clone https://github.com/sullo/nikto.git
cd nikto/program

Nikto Docker image

docker pull sullo/nikto

This is the most common CI method.

Running Nikto in CI

Basic scan:

nikto -h https://target.com

Docker scan:

docker run --rm sullo/nikto -h https://target.com

Save output:

nikto -h https://target.com -o nikto_report.txt

Export in XML for pipeline parsing:

nikto -h https://target.com -o report.xml -Format xml

CI/CD Integration Options

GitHub Actions

GitLab CI

Jenkins

Azure DevOps

Bitbucket Pipelines

All support Nikto using simple commands.

GitHub Actions Integration

jobs:
  nikto_scan:
    runs-on: ubuntu-latest
    steps:
      - name: Run Nikto Scan
        run: |
          sudo apt-get update
          sudo apt-get install -y nikto
          nikto -h https://yourapp.com -o nikto.txt

      - name: Upload Report
        uses: actions/upload-artifact@v4
        with:
          name: nikto-report
          path: nikto.txt

This runs Nikto on every push or PR.

GitHub Actions (Docker Version)

jobs:
  nikto:
    runs-on: ubuntu-latest
    steps:
      - name: Nikto Docker Scan
        run: |
          docker run --rm sullo/nikto \
            -h https://yourapp.com \
            -o nikto.html \
            -Format html

GitLab CI Integration

nikto_scan:
  stage: test
  image: kalilinux/kali-rolling
  script:
    - apt update
    - apt install -y nikto
    - nikto -h https://yourapp.com -o nikto.txt
  artifacts:
    paths:
      - nikto.txt

This runs Nikto during the pipeline test stage.

Jenkins Pipeline Integration

pipeline {
  stages {
    stage('Nikto Scan') {
      steps {
        sh """
          sudo apt-get update
          sudo apt-get install -y nikto
          nikto -h https://yourapp.com -o nikto.txt
        """
      }
    }
  }
  post {
    always {
      archiveArtifacts artifacts: 'nikto.txt'
    }
  }
}

Azure DevOps Pipeline

steps:
- script: |
    sudo apt-get update
    sudo apt-get install -y nikto
    nikto -h https://yourapp.com -o nikto.txt
  displayName: 'Run Nikto Scan'

- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: 'nikto.txt'

Parsing Findings for Pipeline Failure

To fail pipeline on high-risk issues, parse the report.

Example simple grep:

if grep -i "OSVDB" nikto.txt; then exit 1; fi

Better:

• convert to XML
• parse XML with Python
• fail only if high-severity items found

Nikto Automation Best Practices

• run Nikto on staging or deployed test environments
• avoid running against local dev unless secure
• store reports as artifacts
• combine Nikto with ZAP/Burp for full DAST
• integrate with SIEM/JIRA for ticket creation
• set severity thresholds to block deployment
• run baseline scans on every commit
• run full scans nightly

Nikto is lightweight, so running it often is easy.

Full-Length Practical Section

Hands-on practicals for mastering Nikto in CI.

Practical 1: Install Nikto Locally and Run First Scan

nikto -h https://vulnerable-app.com

Review findings.

Practical 2: Export Nikto Results to XML

nikto -h https://vulnerable-app.com -o results.xml -Format xml

Use XML for pipeline parsing.

Practical 3: Run Nikto Container Locally

docker run --rm sullo/nikto -h https://vulnerable-app.com

Practical 4: Add Nikto to GitHub Actions

Set up YAML to run Nikto.

Store HTML report as pipeline artifact.

Practical 5: Prevent Deployment if Vulnerabilities Found

Parse report:

if grep -i "X-Frame-Options" nikto.txt; then exit 1; fi

Use pattern matching for risky findings.

Practical 6: Run Nikto in GitLab CI

Use the Kali container to install Nikto.

Download scan output from artifacts.

Practical 7: Jenkins Nikto Job

Configure Jenkins pipeline.

Upload report after scan.

Practical 8: Combine Nikto With ZAP in CI

Stage 1: Nikto baseline
Stage 2: ZAP active scan

This provides layered DAST.

Practical 9: Test for TLS and Header Issues

Run:

nikto -h https://yourapp.com -ssl

Check Cipher/SSL misconfigs.

Practical 10: Run Nikto Against Multiple URLs

for url in $(cat targets.txt); do
  nikto -h $url -o "$url.txt"
done

Useful for microservices.

Practical 11: Integrate With ELK

Ship Nikto logs into Elasticsearch for dashboards.

Practical 12: Create Nightly Full Scan

Schedule pipeline to run Nikto at midnight for long scans.

Practical 13: Trigger Nikto Scan on PR Only

Run Nikto lightweight scan on pull requests.

Practical 14: Test Security Headers

Nikto automatically identifies missing headers:

• HSTS
• CSP
• X-Frame
• X-Content-Type

Confirm fixes in next CI run.

Practical 15: Create Custom Nikto Plugin (optional)

Add rules for your application stack.

Practical 16: Parallelized Nikto Jobs

Run multiple Nikto instances for large target sets.

Practical 17: Integrate Nikto With JIRA

Push vulnerabilities into issue tracker via script.

Practical 18: Keep Nikto Updated in Container

Pull latest image regularly.

Practical 19: Add Nikto to Pre-Release Pipeline Stage

Run just before production deployment.

Practical 20: Build Full CI Architecture With Nikto

Architecture includes:

• Nikto Docker images in CI
• XML and HTML reporting
• severity-based pipeline failures
• combo testing with ZAP/Burp
• artifact storage
• nightly scans
• pipeline-level dashboards
• scriptable parsing logic

This creates a fully automated baseline dynamic scanner within DevSecOps workflows.

Intel Dump

• Nikto in CI automates server-level DAST
• Use Docker or apt installation in pipelines
• Scan URL → export report → parse → enforce gates
• Integrates with GitHub/GitLab/Jenkins/Azure
• Practicals include XML export, pipeline integration, automated parsing, multi-URL scanning, and full CI DAST architecture

HOME LEARN COMMUNITY DASHBOARD