Creating Instance Scan Scan Checks based on implementation experience

Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field

Hi there,

Out-of-the-box Instance Scan comes with a limited number of Scan Checks (64), and almost all are security related. You can install the "Instance Troubleshooter" plugin which will add an additional number of Scan Checks (146). Though to really utilize the powerful scan engine of Instance Scan: create your own Scan Checks! Over the past few months, using Instance Scan I've set up 539 Scan Checks for our company. All based on ServiceNow best practices, JavaScript best practices, company best practices, implementation best practices, etcetera.

You might ask yourself, 539 Scan Checks, how do you come up with that?! As mentioned several external best practices, though also experiences gained on the job. With this blog, I'll share some thoughts on the last point mentioned: implementation best practices.

Ideas gained during implementations

Recently I've been working on an HR Service Delivery implementation. While we have a huge number of Scan Checks in place already, during the implementation several times I thought "Can we create an Instance Scan Scan Check for this?" Scan Checks which support:

- Doing the initial setup of HR Service Delivery;
- While configuring and customizing HR Service Delivery;
- While checking/performing System Administrative tasks on HR Service Delivery.

A total number of 23(!) new Scan Checks were identified this way. Below I'll share some of these new Scan Checks, which might help you imagine how you can also use your implementation experiences to identify new Scan Checks. Scan Checks to enrich your use of Instance Scan and utilize its powerful scan engine even more!
Most Scan Checks can be created quite quickly just using a Scan Table Check and the condition builder.

Core Configuration

- Disable out-of-the-box HR Record Producers
Upon activating the "Human Resources Scoped App: Core" plugin (without demo data), several out-of-the-box artifacts like Record Producers will be added to your instance. Artifacts that you most likely won't use in your production instance.

- glide.pop3.process_locked_out property should not be set to TRUE
There is a security risk with system property "glide.pop3.process_locked_out" being set to true when the HR application is activated.

- Remove sn_hr_core.admin role from admin role
After system configuration, remove the sn_hr_core.admin role from the admin role to prevent unwanted inheritance of the sn_hr_core.admin role to all users with the admin role. This will prevent admin users from viewing sensitive HR information.

Best Practices

- HR Service created in wrong Scope
The creation of new HR Services should be done in the "Humen Resources: Core" application scope.

- HR Integrations Schema Mapping use script checked while script is empty
The "Source script" field (visibility) is controlled by the "Use script" checkbox. When this checkbox is checked, it is presumed that the script field will be used.

Data

- Active HR Cases for deactivated HR Service
If your HR Service design includes deactivating an HR Service, be sure to close out any existing, open cases before deactivation.

- Active HR Tasks with Inactive parent record
When the parent HR Case is inactive, the associated HR Tasks should not be modified and therefore be set to inactive. Investigate why the HR Task is still active while the parent HR Case is not. This could for example be due to corrupt scripting, an incorrect Flow or Workflow, etcetera.

- Orphan HR Tasks
Every HR Task should have a parent HR Case associated as they always should be a part of an HR Case. Investigate why there is an HR Task without a parent HR Case associated. This could for example be due to corrupt scripting, invalid data, etcetera.

Sanity Test

- No active user has sn_hr_core.admin role
The ServiceNow Docs actually mentions: "Ensure that you have at least two users with the HR Administrator role. If you assign only one person with the role and that person is deactivated, you no longer have a user that can perform the HR admin duties."

Use your implementations to identify new Scan Checks 

I shared just some examples of ideas for new Scan Checks, gained from a recent implementation. I'm sure most of you can come up with similar ideas while working on an implementation!

- What repetitive core configuration tasks are you running into during an implementation?
- Which security settings do you handle during an implementation?
- Which configuration/customization best practices do you review every implementation?
- What typical System Administrative tasks do you foresee when a company is going to work with what you implemented on the instance?

How to create Scan Checks

Help needed on how to create Scan Checks for Instance Scan? Here are two articles which I wrote on creating Scan Checks. If interested in examples of multiple Scan Checks, review the list of Instance Scan articles, blogs, videos I publiced.

- Creating your own Instance Scan, Scan Checks
- Getting Instance Scan Linter Check working

---

And that's it! When coming up with ideas for new Scan Checks, do share 😀.

Kind regards,

Mark Roethof

ServiceNow Technical Platform Architect @ Eraneous

2x ServiceNow Developer MVP
2x ServiceNow Community MVP

---

LinkedIn