Mark Roethof
Tera Patron

Hi there,

When Instance Scan comes up, the Scan Checks people mention are mostly about code: best practices and certain settings on Business Rules, Client Scripts, Script Includes, etcetera. But why limit ourselves to best practices on the coding front? Instance Scan has a really powerful scan engine, with which you can interrogate your instance on way more.


Core Configuration

In this article I'll share some examples of Scan Checks which you could use for a "Core Configuration" suite: checks you could run when working on configuration settings on an instance, or when working on a fresh instance that is about to be implemented. What I see out in the field is that configuring an instance depends too much on which Business Process Consultant or Technical Consultant is working on it. Often there's no full list of settings to look at, settings are forgotten, etcetera. Core Configuration checks could help with this.


Core Configuration examples

Table Check: Activate Service Catalog user criteria

Category
Upgradeability

Description
Service catalog user criteria records provide access control for service catalog items and categories. Migrate to user criteria to provide more reuse, control, and flexibility compared to entitlements.

Documentation
https://docs.servicenow.com/csh?topicname=c_MigrtSvcCatUserCriteria.html&version=latest

Table
sys_properties

Condition
name=glide.sc.use_user_criteria^value!=true


Table Check: Upgrade Visual Task Board without (admin) members

Category
Upgradeability

Description
Upgrade visual task board (VTB) members must be admins. In absence of this property, the system adds all active admin users as members.

Documentation
https://docs.servicenow.com/csh?topicname=uc-properties.html&version=latest

Table
sys_properties

Condition
name=glide.upgrade_center.task_board.members

Script

(function (engine) {

	// Define variables
	var table_name = 'sys_properties',
		encoded_query = 'name=glide.upgrade_center.task_board.members';

	// Query record
	var getSystemProperty = new GlideRecord(table_name);
	getSystemProperty.addQuery(encoded_query);
	getSystemProperty.setLimit(1);
	getSystemProperty._query();

	// Create scan finding
	if(getSystemProperty._next()) {
		if(!getSystemProperty.value) {
			engine.finding.setCurrentSource(getSystemProperty);
			engine.finding.increment();
			return;	
		}
	}

	// Define variables
	var table_name = 'sys_user_has_role',
		members = gs.getProperty('glide.upgrade_center.task_board.members').split(',');

	var l = members.length;
	for(var i = 0; i < l; i++) {
		// Define variables
		var encoded_query = 'user=' + members[i] + '^role.name=admin^user.active=true^user.web_service_access_only=false^user.internal_integration_user=false';

		// Query record
		var getRecord = new GlideRecord(table_name);
		getRecord.addEncodedQuery(encoded_query);
		getRecord.setLimit(1);
		getRecord._query();

		// Create scan finding
		if(!getRecord.hasNext()) {
			engine.finding.setCurrentSource(getSystemProperty);
			engine.finding.increment();
			return;
		}
	}

})(engine);


Script Only Check: The "Go To" search should not default to using the "contains" operator

Category
Performance

Description
Changing the default search behavior to contains can cause performance issues as both search options return more results than a greater than search.

Documentation
https://docs.servicenow.com/bundle/paris-platform-user-interface/page/use/using-lists/task/t_SearchAList.html

Script

(function (finding) {

	// Define variables
	var table_name = 'sys_properties',
		encoded_query = 'name=glide.ui.goto_use_contains',
		additional_query = '^value!=false';

	// Query record
	var getRecord = new GlideRecord(table_name);
	getRecord.addQuery(encoded_query + additional_query);
	getRecord.setLimit(1);
	getRecord._query();

	// Create scan finding
	if(getRecord._next()) {
		finding.setCurrentSource(getRecord);
		finding.increment();
	}

})(finding);
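
The two property checks above (glide.sc.use_user_criteria and glide.ui.goto_use_contains) only match a sys_properties record that exists, so an instance where the record was never created produces no finding. The following is an added example, not code from the original article: a simplified offline model of the page's encoded-query conditions that reports flagged and missing properties separately. The snapshot rows and the names `runSuite` and `x_example.unrelated` are constructed for illustration.

```javascript
// Added example: simplified offline model of the encoded-query conditions on
// this page; not ServiceNow's engine. Supports only =, != and NOT IN, joined by ^.
function parseEncodedQuery(query) {
  return query.split('^').map(function (term) {
    var m = /^([\w.]+?)(NOT IN|!=|=)(.*)$/.exec(term);
    if (!m) throw new Error('Unsupported term: ' + term);
    return { field: m[1], op: m[2], value: m[3] };
  });
}

function matches(row, terms) {
  return terms.every(function (t) {
    var actual = row[t.field] === undefined ? '' : String(row[t.field]);
    if (t.op === '=') return actual === t.value;
    if (t.op === '!=') return actual !== t.value;
    return t.value.split(',').indexOf(actual) === -1; // NOT IN
  });
}

// Rows that a condition-only check would report as findings.
function findings(rows, condition) {
  var terms = parseEncodedQuery(condition);
  return rows.filter(function (row) { return matches(row, terms); });
}

var CONDITIONS = {
  'glide.sc.use_user_criteria': 'name=glide.sc.use_user_criteria^value!=true',
  'glide.ui.goto_use_contains': 'name=glide.ui.goto_use_contains^value!=false'
};

// Reports flagged properties and, separately, properties with no record at all.
function runSuite(rows) {
  var names = Object.keys(CONDITIONS);
  return {
    flagged: names.filter(function (n) { return findings(rows, CONDITIONS[n]).length > 0; }),
    missing: names.filter(function (n) {
      return !rows.some(function (row) { return row.name === n; });
    })
  };
}

// Constructed sys_properties snapshots (sample data, not from a real instance).
var misconfigured = [{ name: 'glide.sc.use_user_criteria', value: 'false' },
                     { name: 'glide.ui.goto_use_contains', value: 'true' }];
var recordsAbsent = [{ name: 'x_example.unrelated', value: '1' }];

console.log(runSuite(misconfigured));
console.log(runSuite(recordsAbsent));
```

On an instance, the "missing" case calls for its own check (or an explicit decision that the platform default is acceptable), because the condition alone cannot see it.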


Script Only Check: Using the RCA plugin is recommended

Category
Security

Description
It is recommended to utilize the Restricted Caller Access plugin when using the Human Resources Core Application. This will ensure server-side code does not inadvertently run against HR data or tables.

Script

(function (finding) {

	// Define variables
	var table_name = 'v_plugin',
		encoded_query = 'id=com.glideapp.report_security^activeNOT INactive,upgradable';

	// Query record
	var getRecord = new GlideRecord(table_name);
	getRecord.addQuery(encoded_query);
	getRecord.setLimit(1);
	getRecord._query();

	// Create scan finding
	if(getRecord._next()) {
		finding.setCurrentSource(getRecord);
		finding.increment();
	}

})(finding);


Script Only Check: Add Messages field to Catalog Client Script form layout

Category
Manageability

Description
A good practice is to use the messages field to enter message strings that the catalog client script can use as a key to look up a localized message. Out-of-the-box though, the messages field is not on the Catalog Client Script form layout.

Script

(function (finding) {

	// Query record
	var getRecord = new GlideRecord('sys_ui_element');
	getRecord.addQuery('element', 'messages');
	getRecord.addQuery('sys_ui_section.name', 'catalog_script_client');
	getRecord.addQuery('sys_ui_section.view.title', 'Default view');
	getRecord.setLimit(1);
	getRecord._query();

	// Create scan finding
	if(!getRecord._next()) {
		finding.setCurrentSource(getRecord);
		finding.increment();
	}

})(finding);


Table Check: Remote instance registered for itself

Category
Manageability

Description
It is not possible to register the instance you are on as a remote instance. When you try to do so manually, this is prevented. However, a remote instance record can still exist that is the same as the instance you are on. This might be due to cloning: out-of-the-box, the sys_update_set_source records are not excluded/preserved.

Table
sys_update_set_source

Script

(function (engine) {

	// Define variables
	var current_instance = gs.getProperty('glide.servlet.uri').replace(/\/$/, ""),
		remote_instance = engine.current.url.replace(/\/$/, "");
	
	// Create scan finding
	if(current_instance == remote_instance) {
		engine.finding.increment();
	}

})(engine);
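
The comparison in the check above is an exact string match after removing one trailing slash, so a record whose URL differs only in letter case, an explicit default port or a trailing path would not be reported. The following is an added example, not code from the original article: a hypothetical helper, `normalizeInstanceUrl`, that makes such spellings compare equal. The host names are constructed placeholders.

```javascript
// Added example (hypothetical helper, not part of the original check).
// Normalizes an instance URL so equivalent spellings compare equal:
// scheme and host are lower-cased, a default port and any path are dropped.
function normalizeInstanceUrl(url) {
  var m = /^\s*(https?):\/\/([^\/:?#\s]+)(?::(\d+))?/i.exec(String(url || ''));
  if (!m) return null; // not an http(s) URL: never treated as a match
  var scheme = m[1].toLowerCase(),
      host = m[2].toLowerCase().replace(/\.$/, ''),
      port = m[3],
      isDefaultPort = !port ||
        (scheme === 'https' && port === '443') ||
        (scheme === 'http' && port === '80');
  return scheme + '://' + host + (isDefaultPort ? '' : ':' + port);
}

// True when the remote instance URL points back at the current instance.
function isSelfReference(currentUri, remoteUrl) {
  var current = normalizeInstanceUrl(currentUri),
      remote = normalizeInstanceUrl(remoteUrl);
  return current !== null && current === remote;
}

// Constructed sample values (placeholder host names).
var CURRENT_URI = 'https://dev00000.service-now.com/';
var REMOTES = [
  'https://DEV00000.service-now.com',          // case differs
  'https://dev00000.service-now.com:443/',     // explicit default port
  'https://dev00000.service-now.com/nav.do',   // trailing path
  'https://prod00000.service-now.com'          // a genuinely different instance
];

function selfReferences(remotes) {
  return remotes.filter(function (r) { return isSelfReference(CURRENT_URI, r); });
}

console.log(selfReferences(REMOTES));
```

In the Table Check itself, the two arguments would be the `gs.getProperty('glide.servlet.uri')` value and `engine.current.url` already used above.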


GitHub example-instancescan-checks

The example Linter Checks mentioned in this article can also be found on the "example-instancescan-checks" GitHub repository. Other Scan Checks, contributed by several people, can also be found there.

---

And that's it actually. Hope you like it. If any questions or remarks, let me know!

👍
If this post helped you in any way, I would appreciate it if you hit bookmark or mark it as helpful.

Interested in more articles, blogs, videos, and Share projects on Instance Scan I published?
Instance Scan


Kind regards,
Mark
2020-2021 ServiceNow Community MVP
2020-2021 ServiceNow Developer MVP


Comments
ghouse4
Tera Contributor

Hi ServiceNow professionals,

I am trying to create an Instance Scan check to find the list of Configuration Items (CIs) with empty Approval group fields, and I have implemented the script as below.

var cigr = new GlideRecord("cmdb_ci");
cigr.addQuery("change_control", " ");
//cigr.setLimit(10);
cigr.query();
if (cigr.next()) {
	finding.setCurrentSource(current);
	finding.increment();
	return;
}

When I try to save this check, it prompts me with this error, as shown in the screenshot. Can anybody help me with this or please suggest the best way of implementing it? Thank you.


Mark Roethof
Tera Patron

Read about Blacklisted tables in Instance Scan, in this article which I wrote a while back:
2021-08-16 Blacklisted tables within Instance Scan

Kind regards,
Mark

ghouse
Tera Contributor

Hi Mark,

Thanks for the response and the reason you provided. I have referred to the article you shared; it actually makes sense and is understandable. Would you suggest any best approach for setting up the Instance Scan for the requirement I have mentioned, other than this? Would the Script Only Check method help me in obtaining my expected output? Can you please provide me your inputs or suggestions? Thank you.

Regards,

Ghouse sharief

Mark Roethof
Tera Patron

Seeing your script, I don't see a reason for applying a Script Only Check. You could go for a Table Check.

Kind regards,
Mark

ghouse
Tera Contributor

Well, I face this error, similar to the screenshot I have shared, when I go for a Table Check. So is there any best approach to overcome this error and achieve my expected results? Thank you.

Regards,

Ghouse sharief.

Sascha Wildgru1
ServiceNow Employee

The CodeSanity app contains a set of Instance Scan checks aimed at improving source code and application quality. Developers should run them before shipping a new application version.

Vote to make it part of the platform OOTB!

https://community.servicenow.com/community?id=view_idea&sysparm_idea_id=23716958db25d514904fa9fb1396...

Or install it right away:

https://www.wildgrube.com/servicenow-codesanity

Version history
Last update: 11-21-2021 09:18 PM