Instance Scan "Core Configuration" Scan Check exam... - ServiceNow Community

Instance Scan "Core Configuration" Scan Check examples

Mark Roethof
Tera Patron
Tera Patron

‎11-21-2021 09:18 PM - edited ‎08-14-2024 11:08 AM

Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field

 

Hi there,

 

When talking about Instance Scan, mostly mentioned for setting up Scan Checks is about performing checks on code, certain settings on Business Rules / Client Scripts / Script Includes, etcetera. Though why limit ourselves to only best practices on the coding front? Instance Scan has a really powerful scan engine, with which you can interrogate your instance on way more.


Core Configuration

In this article I'll share some examples of Scan Checks which you could use for a "Core Configuration" suite. Core Configuration checks which you could perform when working on configuration settings on an instance, or when working on a fresh instance to be implemented. What I see out there in the field, is that configuring an instance depends too much on which Business Process Consultant or Technical Consultant is working on this. Often there's no full list of settings to look at, settings are forgotten, etcetera. Core Configuration checks could help with this.


Core Configuration examples

Table Check: Activate Service Catalog user criteria

Category
Upgradeability

Description
Service catalog user criteria records provide access control for service catalog items and categories. Migrate to user criteria to provide more reuse, control, and flexibility compared to entitlements.

Documentaton
https://docs.servicenow.com/csh?topicname=c_MigrtSvcCatUserCriteria.html&version=latest

Table
sys_properties

Condition
name=glide.sc.use_user_criteria^value!=true


Table Check: Upgrade Visual Task Board without (admin) members

Category
Upgradeability

Description
Upgrade visual task board (VTB) members must be admins. In absence of this property, the system adds all active admin users as members.

Documentaton
https://docs.servicenow.com/csh?topicname=uc-properties.html&version=latest

Table
sys_properties

Condition
name=glide.upgrade_center.task_board.members

Script

(function (engine) {

	// Define variables
	var table_name = 'sys_properties',
		encoded_query = 'name=glide.upgrade_center.task_board.members';

	// Query record
	var getSystemProperty = new GlideRecord(table_name);
	getSystemProperty.addQuery(encoded_query);
	getSystemProperty.setLimit(1);
	getSystemProperty._query();

	// Create scan finding
	if(getSystemProperty._next()) {
		if(!getSystemProperty.value) {
			engine.finding.setCurrentSource(getSystemProperty);
			engine.finding.increment();
			return;	
		}
	}

	// Define variables
	var table_name = 'sys_user_has_role',
		members = gs.getProperty('glide.upgrade_center.task_board.members').split(',');

	var l = members.length;
	for(var i = 0; i < l; i++) {
		// Define variables
		var	encoded_query = 'user=' + members[i] + '^role.name=admin^user.active=true^user.web_service_access_only=false^user.internal_integration_user=false';

		// Query record
		var getRecord = new GlideRecord(table_name);
		getRecord.addEncodedQuery(encoded_query);
		getRecord.setLimit(1);
		getRecord._query();

		// Create scan finding
		if(!getRecord.hasNext()) {
			engine.finding.setCurrentSource(getSystemProperty);
			engine.finding.increment();
			return;
		}
	}

})(engine);


Script Only Check: The "Go To" search should not default to using the "contains" operator

Category
Performance

Description
Changing the default search behavior to contains can cause performance issues as both search options return more results than a greater than search.

Documentation
https://docs.servicenow.com/bundle/paris-platform-user-interface/page/use/using-lists/task/t_SearchA...

Script

(function (finding) {

	// Define variables
	var table_name = 'sys_properties',
		encoded_query = 'name=glide.ui.goto_use_contains',
		additional_query = '^value!=false';

	// Query record
	var getRecord = new GlideRecord(table_name);
	getRecord.addQuery(encoded_query + additional_query);
	getRecord.setLimit(1);
	getRecord._query();

	// Create scan finding
	if(getRecord._next()) {
		finding.setCurrentSource(getRecord);
		finding.increment();
	}

})(finding);


Script Only Check: Using the RCA plugin is recommended

Category
Security

Description
It is recommended to utilize the Restricted Caller Access plugin when using the Human Resources Core Application. This will ensure server-side code does not inadvertently run against HR data or tables.

Script

(function (finding) {

	// Define variables
	var table_name = 'v_plugin',
		encoded_query = 'id=com.glideapp.report_security^activeNOT INactive,upgradable';

	// Query record
	var getRecord = new GlideRecord(table_name);
	getRecord.addQuery(encoded_query);
	getRecord.setLimit(1);
	getRecord._query();

	// Create scan finding
	if(getRecord._next()) {
		finding.setCurrentSource(getRecord);
		finding.increment();
	}

})(finding);


Script Only Check: Add Messages field to Catalog Client Script form lay-out

Category
Manageability

Description
A good practice is to use the messages field to enter message strings that the catalog client script can use as a key to look up a localized message. Out-of-the-box though, the messages field is not on the Catalog Client Script form lay-out.

Script

(function (finding) {

	// Query record
	var getRecord = new GlideRecord('sys_ui_element');
	getRecord.addQuery('element', 'messages');
	getRecord.addQuery('sys_ui_section.name', 'catalog_script_client');
	getRecord.addQuery('sys_ui_section.view.title', 'Default view');
	getRecord.setLimit(1);
	getRecord._query();

	// Create scan finding
	if(!getRecord._next()) {
		finding.setCurrentSource(getRecord);
		finding.increment();
	}

})(finding);


Table Check: Remote instance registered for itself

Category
Manageability

Description
It is not possible to register the instance you are on as a remote instance. When doing so manually, this is prevented. However, there is a remote instance record that is the same as the instance you are on. This might be due to cloning, out-of-the-box the sys_update_set_source records are not excluded/preserved.

Table
sys_update_set_source

Script

(function (engine) {

	// Define variables
	var current_instance = gs.getProperty('glide.servlet.uri').replace(/\/$/, ""),
		remote_instance = engine.current.url.replace(/\/$/, "");
	
	// Create scan finding
	if(current_instance == remote_instance) {
		engine.finding.increment();
	}

})(engine);


GitHub example-instancescan-checks

The example Linter Checks mentioned in this article can also be found on the "example-instancescan-checks" GitHub repository. Also other Scan Checks can be found there which have been contributed by several people.

---

And that's it actually. Hope you like it. If any questions or remarks, let me know!

 

C

If this content helped you, I would appreciate it if you hit bookmark or mark it as helpful.

 

Interested in more Articles, Blogs, Videos, Podcasts, Share projects I shared/participated in?
- Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field

 

Kind regards,


Mark Roethof

ServiceNow Technical Platform Architect @ Quint Technology

2x ServiceNow Developer MVP

2x ServiceNow Community MVP

---

LinkedIn

Preview file
266 KB
  • 2,803 Views
Comments
ghouse4
Tera Contributor
‎12-27-2021 09:11 AM

Hi Service now professionals ,

                     iam trying to create an instance scan check to find the List of Configuration Items (CI's) with empty Approval group fields and i have implemented the script as below .

var cigr = new GlideRecord("cmdb_ci");
cigr.addQuery("change_control", " ");
//cigr.setLimit(10);
cigr.query();
if (cigr.next()) {
finding.setCurrentSource(current);
finding.increment();
return;

when i try to save this check its prompting me this error as shown in screenshot , can anybody help me with this or please suggest me best way of implementing it . Thank you.

find_real_file.png

0 Helpfuls
Mark Roethof
Tera Patron
Tera Patron
‎12-27-2021 09:59 PM

Read about Blacklisted tables in Instance Scan, in this article which I wrote a while back:
2021-08-16 Blacklisted tables within Instance Scan

Kind regards,
Mark

0 Helpfuls
ghouse
Tera Contributor
‎12-27-2021 11:31 PM

Hi Mark ,

        Thanks for the Response and Reason provided by you . I have referred the article you shared , it actually makes sense and understandable . Would you suggest any best appraoch for setting up the instance scan for the requirement i have mentioned other than this . would script only check method can help me in obtaining my expected output . can you please provide me your inputs or suggestions , Thank you .

Regards,

Ghouse sharief

0 Helpfuls
Mark Roethof
Tera Patron
Tera Patron
‎12-27-2021 11:38 PM

Seeing your script, I don't see a reason for applying a Script Only Check. You could go for a Table Check.

Kind regards,
Mark

0 Helpfuls
ghouse
Tera Contributor
‎12-27-2021 11:46 PM

well , i face this error similar to screenshot i have shared , when i go for a table check .so is there any best approach to overcome this error and acheive my expected results . Thank you .

Regards,

Ghouse sharief.

0 Helpfuls
Nishi09
Tera Contributor
‎09-18-2024 03:44 PM

Hi, I have tried Table Check as suggested and guided by Mark. Here is the screenshot and it is working well.. Though the question asked is long back thought of posting so it could help anyone.

Nishi09_0-1726699415516.png

 

0 Helpfuls
Version history
Last update:
‎08-14-2024 11:08 AM
Updated by:
Tera Patron
Contributors