Network - Infisical

Network discovery scans network endpoints over TLS to discover certificates served by hosts across IP ranges and domains. Optionally, you can use an Infisical Gateway to reach endpoints in private networks that are not accessible from the internet.

If you are self-hosting Infisical, you can alternatively set the ALLOW_INTERNAL_IP_CONNECTIONS environment variable to true on your instance to scan private networks directly without a gateway.

Infisical UI
API

In Certificate Manager, go to Discovery and click Add Job.
Fill in the discovery job details and click Create:
- Name: A slug-friendly name for the discovery job (e.g., prod-tls-scan).
- Description: An optional description.
- Targets: Domains, IP addresses, or CIDR ranges to scan (e.g., example.com, 192.168.1.1, 10.0.0.0/24).
- Ports: Ports to scan for TLS certificates. Defaults to common TLS ports if not specified.
- Gateway (optional): The Infisical Gateway for scanning private networks.
- Auto Scan: Enable automatic periodic scanning with a configurable interval.
At least one target (domain or IP) must be specified.
Trigger a scan manually by pressing Scan Now, or wait for the next automatic scan if enabled.
After a scan completes, view the results:
- Installations: Unique locations where certificates were found.
- Certificates: Details including common name, issuer, and expiration date.
- Scan History: Log of all scans with status and timestamps.

To create a Network discovery job, make an API request to the Create Discovery API endpoint.

Sample request

Request

curl --request POST \
  --url https://app.infisical.com/api/v1/pki/discovery \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "name": "prod-tls-scan",
    "description": "Scan production network for TLS certificates",
    "type": "network-tls",
    "gatewayId": "550e8400-e29b-41d4-a716-446655440000",
    "isAutoScanEnabled": true,
    "scanIntervalInDays": 1,
    "targetConfig": {
      "ipRanges": ["10.0.0.0/24", "192.168.1.1"],
      "domains": ["example.com"],
      "ports": "443, 8443"
    }
  }'

To trigger a scan, make a request to the Trigger Scan endpoint:

Request

curl --request POST \
  --url https://app.infisical.com/api/v1/pki/discovery/<discoveryId>/scan \
  --header 'Authorization: Bearer <access-token>'

Limits

The following limits apply to Network discovery jobs:

Max individual IPs: 256
Max domains: 20
Max ports: 5
Minimum CIDR prefix: /24 (256 hosts)

​Sample request

​Limits

Sample request

Limits