Mark Roethof

Hi there,

Instance Scan, one of the great new features from the Quebec-release. Wrong! For all you out there still on the Paris-release or even the Orlando-release… Instance Scan is already on your instances. It's good to have that said 🙂

So how to use the Instance Scan? Or if it's already on Paris and Orlando instances, where is it?

I'll be sharing a few blogs on Instance Scan:
- Using Instance Scan on Orlando/Paris instances
- Creating your own Instance Scan, Scan Checks
- Unrevealing Instance Scan and sharing parts of the undocumented

The first blog to share how to get to the hidden Instance Scan on Orlando/Paris instances and to mention some of the differences to expect as opposed to Quebec.
The second blog to share experiences gained on how to build your own Scan Checks. At this moment, there's zero official ServiceNow documentation on this.
The third blog to share some thoughts and experiences I've gained the past few weeks on Instance Scan, to fill in some blanks because documentation on Instance Scan is really missing out there.

Let's get after it!


Instance Scan

With the Quebec-release (or at least officially) the Instance Scan is introduced as an out-of-the-box application. An application with which you can "interrogate your instance for configurations that indicate health issues and identify opportunities to address best practices".

The Instance Scan application is active on instances by default at no additional license costs. The application comes with a very powerful Scan Engine, with which you can scan Process Records (Business Rules, Script Includes, etcetera) and Data (Task records, Scheduled Jobs, Users, Groups, etcetera). Out-of-the-box 84 Scan Checks are provided, within the Scan Suite "Instance Security Center". Also, you have the ability to add your own Scan Checks which is phenomenal!

More high-level information can be found on the Docs.

Automated Configuration Evaluator (ACE), Health Scan, Instance Security Center (ISC)

Automated Configuration Evaluator (ACE)

ACE doesn't exist anymore, though still good to mention. This has been followed-up by the "Health Scan".

Health Scan

You can request a Health Scan, and after a few hours/days, you will receive a PDF report in your mailbox with the findings of your instance. Findings based on about 140 definitions in several categories, amongst others: Performance, Security. By default, you will receive a PDF with the findings with which you can investigate and solve already a lot. In some cases, you would need to know more details. ServiceNow can provide an Excel document with highly detailed information. Be aware though, there might be costs involved with this.

Instance Security Center

Not everyone is aware of this, though with the Madrid release Instance Security Center was introduced. Active on every instance, no additional costs. Instance Security Center which has a separate portal: /isc.

Getting Started using Instance Scan

The docs do contain high-level information about the Instance Scan and getting started. I'm not going to repeat all of it, though I do want to highlight some pieces which are important to know, which might be described in limited detail, or not mentioned at all.

Scan Checks

The Scan Checks are the minimum requirement for performing any actual scans. No Scan Checks, nothing to scan. Out-of-the-box with Quebec 84 Scan Checks are provided. Be aware though, most of them you already have on your instance, only in a different setting: Instance Security Center. 84 Scan Checks also isn't that much, so you really need to uplift these Scan Checks yourself. For example by applying the new Store Application Instance Troubleshooter or by creating your own Scan Checks. Scan Checks based on ServiceNow best practices, JavaScript best practices, company standards you might have, etcetera.
See this blog which I wrote on creating your own Scan Checks: Creating your own Instance Scan, Scan Checks.

Scan Checks can be easily tested. On Scan Checks there is a UI Action "Test Scan", which within seconds gives you any Scan Findings, any errors, etcetera. Very nice!

So any negatives on Scan Checks? Yes... I do believe the functional part could/should be improved a bit. For example, easily seeing if the Scan Check is attached to any Scan Suites or not, if the Scan Check is intended for a Production or Sub-Production instance, or if the Scan Check works on certain releases. Though the biggest obstacle in my opinion: the read-only out-of-the-box Scan Checks. You can't update them, improve them, add missing documentation, and most of all… you can't deactivate them! Pre-Quebec you could mute Scan Checks, though that functionality has been deprecated.

Besides the missing parts I mentioned, there are also some hidden parts on Scan Checks. For example fields score_max, score_min, score_scale, and use_manifest. The score fields are interesting because there's also a non-documented table scan_score. This table is also not made visible anywhere in the Instance Scan, no module, not as a related list, etcetera. It's on my to-do list to find out how this actually works. It does already calculate scores, though how exactly?!
Another hidden part, field use_manifest. No clue yet what this could be or whether this might be left-over development.

There's one piece I didn't mention yet, and I'd avoid. On the Scan Check List Layout, there's a UI Action "Execute Full Scan". This will instantly perform a full Instance Scan, against all Scan Checks which are active. Sounds nice, though like mentioned earlier: you can't deactivate out-of-the-box Scan Checks with which you might not agree. So these will be scanned also. Be aware of this.

Scan Suites

All Scan Checks should be attached to one or more Scan Suites. Out-of-the-box there's only the Instance Security Center Scan Suite, though you can easily create your own, and create a parent-child structure if needed. Personally, I like to think of Scan Suites like "Core Instance", "Best Practices", "Data". Though you might also go for an approach which you will see in the Instance Troubleshooter application, like: "Authentication", "Email", "MID Server", etcetera.

Scan Suites can be executed instantly using the "Execute Suite Scan" UI Action. Using this UI Action will present you a modal where you can select Full Instance Scan, Scanning one or more Scoped Applications, Scanning one or more Update Sets (these combinations will technically be stored in the scan_combo table).
Another really nice feature on Scan Suites: the related list "Schedule". This allows you to create a new Schedule record (on sysauto_scan). Again, also here a modal will be presented where you can select Full Instance Scan, Scanning one or more Scoped Applications, Scanning one or more Update Sets.

Any hidden parts on Scan Suites? There's a field private, no clue yet what that might bring you or whether this might be left-over development.


Let's get going

Having the Scan Checks and Scan Suites set, you're ready to go!


Scan Results

After performing a scan manually or scheduled, a Scan Result will be generated. The Scan Result holds basic information about the scan and is the container for all Scan Findings. Out-of-the-box the functional side of Scan Results is really poor in my opinion. This starts with the List Layout and Form Layout. Hopefully, ServiceNow will improve this immensely with the next release. While actually, a lot of useful information is already available, though just not presented?! For example, why not show what the Scan Result was about? Which Scan Suite did you scan? Which Scoped Application or Update Set did you scan? The number of Scan Findings? The number of Scan Checks performed? All of this is already available on the Scan Result record itself, though not present on the List Layout and Form Layout.

On the Scan Result Form Layout, several Related Lists are shown. Obviously the most important part, "Scan Findings"! Though also Related Lists like any "Failures" which is really useful. One unknown… "Scan Statistics". No clue if this is still in development or whether this might be left-over development. This related list is about the scan_statistics table, though I haven't seen any data generated in this table so far.

The Scan Result Form Layout also comes with two nice UI Actions. A form button to easily perform a "Rescan" and a Related Link to "Result Dashboard". This is a really nice Dashboard, be aware: this is not the same dashboard as the one you'll find in the Modules. The dashboard in the modules actually, forget about it, absolutely horrible, worthless, a waste of time. The "Result Dashboard" though, do have a look immediately! Nice setup! Only one thing I still haven't gotten to work on in the Result Dashboard, the "Unaddressed Findings" counter doesn't seem to change at all.

Are any bits missing on Scan Results? Personally, I would also like to see some progress about your Scan Result, especially the List Layout. How many Scan Findings did you already validate/acknowledge or mute, or how many Scan Findings are left to take care of? What is the completed date/time of the Scan Result?

Scan Findings

If there are any Scan Findings, you will find them in the Related List of the Scan Result or through the module "Findings". Scan Findings out-of-the-box is pretty complete in what it collects, only the functional presentation of the List Layout and Form Layout could be improved a bit. There are some fields on the List Layout and Form Layout for which I ask myself why they are presented at all. Are you really interested in the sys_mod_count, or the domain? I would rather add fields like the priority, or the category, which are both available by dot walking the Scan Check.

So how to handle a Scan Finding itself? The only option is to Mute the Scan Finding, it feels like there's an option missing, to validate/acknowledge the Scan Finding or something. You can also create a Scan Task, I guess as the administration part to work on a Scan Finding. Though this task won't validate/acknowledge the Scan Finding, or change the "Unaddressed Findings" on the Scan Result "Result Dashboard".
The Mute option, nicely done! You will even be presented with a modal to select the reason for muting a Scan Finding. Muting a Scan Finding will also change the values on the Scan Result "Result Dashboard". Out-of-the-box there are three options presented to select a Mute Reason. You can change these to your liking, have a look at the "Mute Reasons" table [scan_mute_rule_reason].

Are any bits missing on Scan Findings? Personally, I would also like to see when a Scan Source was updated, and for usability perhaps adding a Number field on Scan Findings. And like I mentioned, an option to validate/acknowledge a Scan Finding.


There's more

The Dashboard I'll just ignore, forget about it, absolutely horrible, worthless, a waste of time.

Module "Table Cleanup" is a good one to know. It is documented well on the Docs, though just to repeat: there are Auto Flush records in place, which will remove Scan Results. Be aware of this! Scan Results of Scan Type "Test Scan" are removed after 1 day, all other Scan Results are removed after 90 days.

Another one that is good to be aware of, the maximum duration of an individual Scan Check. Out-of-the-box the maximum duration is 10 minutes. This can be controlled by adding a new System Property "glide.scan.process_check.time_out" and setting a higher value to your liking (value in seconds).

Last piece which I'd like to mention… Run Point Scan. You might already have noticed, a UI action "Run Point Scan" is presented as a Related Link on Form Layouts. With this UI Action, you can scan individual Process Records or Data. Really nice!


Is that it?!

Pfff... yes 🙂 Now it's just a matter of regularly performing scans. Manually, or scheduled. Or thinking of embedding this into your way of working. Maybe having Update Sets scanned when you close them, having a scan performed when you move a Scrum Story to Testing, having a scan performed at the end of a release, etcetera.

Also regularly have a good look at your Scan Checks. Can you improve the Scan Checks, add new Scan Checks, etcetera. If adding any new Scan Checks, let me know, curious what everyone comes up with!

---

If any questions or remarks, let me know!

👍
If this post helped you in any way, I would appreciate it if you hit bookmark or mark it as helpful.

Interested in more articles, blogs, videos, and Share projects on Instance Scan I published?
Instance Scan


Kind regards,
Mark
2020-2021 ServiceNow Community MVP
2020-2021 ServiceNow Developer MVP
