Automating the different Instance Scan scan types

Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field

Hi there,

So you've touched on Instance Scan, maybe read my previous blogs on Instance Scan, or saw Live Coding Happy Hour of last Friday on Instance Scan. And now, wanting to automate scan checks. Are there any possibilities for this? Obviously you could schedule scans, though what about tying scans to Automated Test Framework, a Flow, or a Business Rule.

There are scripted possibilities 😀. Documenting the undocumented!

Executing scans through script

Digging around a bit I noticed these two lines of code:

var scan = new sn_instance_scan.ScanInstance();
var result = scan.triggerFullScan();

After executing these two lines of code, a scan would be started for a full Instance scan. That looks interesting and seeing such code I immediately wonder if there might be more. Unfortunately, we can't read sn_instance_scan. Though performing a code search, Script Include "ScanAjaxProcessor" shows some more scan.trigger* functions. I've listed them below:

var scan = new sn_instance_scan.ScanInstance();
var result = scan.triggerSuiteScan(suiteId);

(executes a full Instance scan)

var scan = new sn_instance_scan.ScanInstance();
var result = scan.triggerAppScan(scopeId);

(executes a Application scan)

var scan = new sn_instance_scan.ScanInstance();
var result = scan.triggerUpdateSetScan(updatesetId);

(executes a Update Set scan)

var scan = new sn_instance_scan.ScanInstance();
var result = scan.triggerScanFromCombo(comboId);

(executes a scan according to the source and target of the Combo record)

var scan = new sn_instance_scan.ScanInstance();
var result = scan.triggerPointScan(tableName, sysId);

(executes a scan on a certain Process record)

var scan = new sn_instance_scan.ScanInstance();
var result = scan.triggerTestScan(scancheckId);

(executes test scan on a scan check)

Tested them all, and all work fine, and immediately start a scan. Only the scan.triggerScanFromCombo() and scan.triggerPointScan() could cause some confusion.

The scan.triggerScanFromCombo() need a sys_id of an existing scan_combo record, while scan.triggerPointScan() needs to be run against a Process record that has available checks applicable to the record, the user has read access to the record, the record is on a table that extends sys_metadata, and the role of the user must be scan_user.

After searching a bit more, I noticed a function to get a combo record or to create a combo record if the combination for the source and targert does not exist yet.

new sn_instance_scan.ScanUtil().getOrCreateComboFromSuiteAndTargets(suiteId, targetTable, targetIds);

Usage could be something like:

var comboId = new sn_instance_scan.ScanUtil().getOrCreateComboFromSuiteAndTargets('', 'sys_ui_action', ['1218f7b3cb100200d71cb9c0c24c9cdf']);

var scan = new sn_instance_scan.ScanInstance();
var result = scan.triggerScanFromCombo(comboId);

Automating

Knowing the above opens a lot of possibilities for automating scans (other than scheduling). An example could be having an after or async Business Rule responding to a certain logic, like Automated Test Framework being executed or changing the state of a Story to Testing. Just adding these few lines of code to the script of the Business Rule (or through a Flow and using an Action), would automate your scan! It's just a simple example of what you could do. I'm sure some of you will come up with some really interesting cases for automated scans.

---

And that's it! If any questions or remarks, let me know!

Kind regards,

Mark Roethof

ServiceNow Technical Platform Architect @ Quint Technology

2x ServiceNow Developer MVP

2x ServiceNow Community MVP

---

LinkedIn