Ideas on embedding Instance Scan into your way of ... - ServiceNow Community
Mark Roethof
Tera Patron

Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field

Hi there,

 

So you've touched on Instance Scan, maybe read my previous blogs and articles on Instance Scan, or saw last Friday's Live Coding Happy Hour on Instance Scan. And now you want to embed Instance Scan into your way of working. I hope you do at least 😀. Instance Scan just deserves that everyone is going to embrace it. Already for a first (official) release, Instance Scan is so powerful! OK, the functional presentation could be improved a bit, though the Scan Engine = WOW!

 

There's no best practice or one road to travel when it comes to embedding Instance Scan into your way of working; this can differ a lot between companies. In this blog I will share some ideas to think about when embedding Instance Scan into your way of working.

 

Having any ideas of your own, do share!


Scan Checks

Before embedding Instance Scan into your way of working, we need to take a step back to the Scan Checks themselves. As mentioned in the Live Coding Happy Hour episode, you do have to create your own Scan Checks. ServiceNow does provide some Scan Checks, though these are limited (Quebec Patch 1: 64 Scan Checks). So if you perform a full Instance Scan with only these out-of-the-box Scan Checks, it might not result in that many Scan Findings, and you might think "our Instance is perfectly fine", "we are doing a great job", "nothing to have a look at", etcetera. Though actually, what are you interrogating your Instance with? Almost nothing...

 

So start creating your own Scan Checks! Scan Checks based on ServiceNow best practices, JavaScript best practices, your own company standards, etcetera. The official ServiceNow documentation on building Scan Checks is limited, though I've written a blog on Creating your own Scan Checks.


Ideas on embedding Instance Scan into your way of working

Ideas

I'll throw some ideas out here. There's no right or wrong; it's just up to you, depending on what you do at your company, what you are using within ServiceNow, whether you've got company specifics, etcetera.

- Performing a full Instance Scan every week
- Performing a full Instance Scan at the end of a Sprint
- Having an Update Set or Application scanned, when a Story is moved to state Testing
- Scanning a specific Update Set when it is marked as Complete
- Scanning all Update Sets and Applications touched at the end of a Sprint
- Tying a Full Instance Scan or Application scan to Automated Test Framework
- When one or more Scan Findings occur for one Scan Result, creating an automated Scan Task or maybe even an Incident if it's a Priority 1 Scan Finding
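The last idea above (raise a Scan Task per Scan Result that has findings, or an Incident when a Priority 1 Scan Finding is present) is easy to get wrong in practice: a Business Rule that fires per Scan Finding creates one task per finding, and re-running a scan creates duplicates. The following is an added example of mine, not code from the original post or from ServiceNow. It is plain JavaScript so it runs outside the platform: it takes a list of finding objects and returns the records you would create, grouped per Scan Result and skipping results that already have a task. The field names (scan_result, scan_check, priority) are assumptions modelled on the table names mentioned in this post, the sample findings are constructed, and the Scan Check names in them are made up. In a Business Rule you would persist the returned plan with GlideRecord, as sketched in the trailing comment.

```javascript
// Added example (not from the original post): plan follow-up records for the
// Scan Findings of one or more Scan Results. Pure JavaScript, no platform calls.

// A Priority 1 finding escalates the whole Scan Result to an Incident (assumption:
// priority values 1..5, lower is more severe, as on task-based tables).
var INCIDENT_PRIORITY = 1;

// Constructed sample findings; sys_ids are placeholders, Scan Check names are made up.
var SAMPLE_FINDINGS = [
  { sys_id: 'f1', scan_result: 'result-a', scan_check: 'Hardcoded sys_id in script', priority: 3 },
  { sys_id: 'f2', scan_result: 'result-a', scan_check: 'Script runs with elevated rights', priority: 1 },
  { sys_id: 'f3', scan_result: 'result-b', scan_check: 'Debug logging left in script', priority: 4 },
  { sys_id: 'f4', scan_result: 'result-c', scan_check: 'Hardcoded sys_id in script', priority: 2 }
];

// Group findings by the Scan Result they belong to.
function groupByResult(findings) {
  var groups = {};
  findings.forEach(function (finding) {
    if (!groups[finding.scan_result]) {
      groups[finding.scan_result] = [];
    }
    groups[finding.scan_result].push(finding);
  });
  return groups;
}

// Returns one planned record per Scan Result: table 'incident' when the worst
// finding is Priority 1, otherwise 'scan_task'. Results listed in
// existingTaskResultIds already have a follow-up and are skipped, so a rescan
// does not create duplicates.
function planFollowUps(findings, existingTaskResultIds) {
  var groups = groupByResult(findings);
  var alreadyHandled = {};
  (existingTaskResultIds || []).forEach(function (id) { alreadyHandled[id] = true; });

  var plan = [];
  Object.keys(groups).sort().forEach(function (resultId) {
    if (alreadyHandled[resultId]) {
      return;
    }
    var group = groups[resultId];
    var worst = group.reduce(function (min, f) { return Math.min(min, f.priority); }, Infinity);
    plan.push({
      table: worst <= INCIDENT_PRIORITY ? 'incident' : 'scan_task',
      scan_result: resultId,
      priority: worst,
      short_description: group.length + ' Scan Finding(s) for Scan Result ' + resultId,
      finding_ids: group.map(function (f) { return f.sys_id; })
    });
  });
  return plan;
}

// In a Business Rule on scan_result you would turn the plan into records, e.g.
//   plan.forEach(function (rec) {
//     var gr = new GlideRecord(rec.table);
//     gr.initialize();
//     gr.setValue('short_description', rec.short_description);
//     gr.setValue('priority', rec.priority);
//     gr.insert();
//   });
```

The existingTaskResultIds argument is where you feed the Scan Result sys_ids that already have an open Scan Task, so a weekly or per-Sprint rescan only raises work for new results; nothing in the function itself touches the database.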

 

For some of these ideas, you might need an integration between your Production and Sub-Production instances: for example when you perform a full Instance Scan on your Development environment while your Stories live in your Production environment. Or what if you want to perform an Instance Scan on your Production environment (for data-related Scan Checks, for example), and your Stories live in another product than ServiceNow (yes, that happens).

I did mention briefly "creating an automated Scan Task". What's a Scan Task, you might ask? With Instance Scan, in Quebec, a scan_task table has been introduced, extended from task. A Scan Task is intended for working on Scan Findings: a Task that you could assign to a user, etcetera.


Manually

With the ideas above, you could add performing manual scans to your way of working. Instance Scan offers several possibilities for this.

- Scan Suite form layout, UI Action form button "Execute Suite Scan". This opens a modal where you can select "Full Instance Scan", one or more "Scoped App", or one or more "Update Set".
- Scan Check list layout, UI Action banner button "Execute Full Scan". This immediately starts an Instance scan with all active Scan Checks.
- Scan Result form layout, UI Action form button "Rescan". This immediately starts an Instance scan against the same Combo as the current Scan Result you are on.
- Run Point Scan UI Action form link, which is visible when there are available Scan Checks applicable to the record, the user has read access to the record, the record is on a table that extends sys_metadata, the user has the scan_user role, and the system property glide.scan.enable_point_scan_ui_action is not false.


Scheduled

Scheduling scans is also possible; with the Quebec release the table Scheduled Scan [sysauto_scan, extended from Scheduled Job] has been added. With this table you can easily schedule your scans: amongst others, a daily, weekly, monthly or periodic scan. The only mandatory part is having a Scan Combo record available. When creating a Scheduled Scan from the modal (for example on the Scan Suite form layout, on the related list Schedule, adding a new Schedule), the Scan Combo record is generated automatically.

Automated

Another option on Scheduled Scans is Run "Once" or "On Demand". You could use this already if you would like to automate scans, tying scans to for example Automated Test Framework or Flows. You could create a sys_trigger record which calls the Scheduled Scan record. The Job Context field should then contain, for example:

fcDocumentClass=sysauto_scan
fcDocumentKey=d9d33a032fba20104f99dc1a2799b61a

(where the sys_id is a sys_id of a Scheduled Scan record)
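When you create such sys_trigger records from a Flow or a test step rather than by hand, it pays to build and check the Job Context in one place, so a typo in the sys_id does not leave you with a trigger that silently runs nothing. The following is an added example of mine, not code from the original post or from ServiceNow: a builder for the two-line Job Context shown above, a parser for reading it back from an existing sys_trigger record, and a helper that tells you which Scheduled Scan a context points at. The Job Context format is the one from this post; the sys_id check (32 lowercase hex characters) is my assumption about what a well-formed sys_id looks like.

```javascript
// Added example (not from the original post): build, parse and validate the
// sys_trigger Job Context that points a trigger at a Scheduled Scan (sysauto_scan).

// Assumption: a sys_id is 32 lowercase hexadecimal characters.
var SYS_ID_PATTERN = /^[0-9a-f]{32}$/;

function isSysId(value) {
  return typeof value === 'string' && SYS_ID_PATTERN.test(value);
}

// Builds the Job Context for a Scheduled Scan; refuses anything that is not a sys_id.
function buildScanJobContext(scheduledScanSysId) {
  if (!isSysId(scheduledScanSysId)) {
    throw new Error('Not a sys_id: ' + scheduledScanSysId);
  }
  return 'fcDocumentClass=sysauto_scan\nfcDocumentKey=' + scheduledScanSysId;
}

// Parses "key=value" lines (blank lines ignored) into an object.
function parseJobContext(text) {
  var context = {};
  String(text).split(/\r?\n/).forEach(function (line) {
    var trimmed = line.trim();
    if (!trimmed) {
      return;
    }
    var eq = trimmed.indexOf('=');
    if (eq < 0) {
      throw new Error('Malformed Job Context line: ' + trimmed);
    }
    context[trimmed.slice(0, eq)] = trimmed.slice(eq + 1);
  });
  return context;
}

// Returns the Scheduled Scan sys_id when the context targets sysauto_scan with a
// well-formed key, or null when the trigger points somewhere else (or nowhere).
function scheduledScanFromContext(text) {
  var context = parseJobContext(text);
  if (context.fcDocumentClass !== 'sysauto_scan' || !isSysId(context.fcDocumentKey)) {
    return null;
  }
  return context.fcDocumentKey;
}

// Constructed placeholder sys_id for demonstration only.
var DEMO_SCHEDULED_SCAN = 'd9d33a032fba20104f99dc1a2799b61a';
```

Whether the Scheduled Scan behind that sys_id actually has its Scan Combo record in place is something only the platform can tell you, so keep the check from the next paragraph in mind when you automate this.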


By using this approach, you reuse the nice Scheduled Scan functionality. You will find that you do need a Scan Combo record available, though. If it's not available yet, you're stuck!

 

Digging around for the undocumented on Instance Scan, I came across possibilities to execute scans directly from script. One of the examples is to execute a Combo scan:

var scan = new sn_instance_scan.ScanInstance();
var result = scan.triggerFullScan();


Or what about executing a Suite Scan scripted:

var scan = new sn_instance_scan.ScanInstance();
var result = scan.triggerScanFromCombo('comboSysId');


So what if there's no Combo record available yet? More of the undocumented… using the line of code below, you get the sys_id of an existing Combo record, or, if the Combo for the suite and/or target does not yet exist, a new Combo record is created.

new sn_instance_scan.ScanUtil().getOrCreateComboFromSuiteAndTargets(suiteId, targetTable, targetIds);


Usage could be something like:

var comboId = new sn_instance_scan.ScanUtil().getOrCreateComboFromSuiteAndTargets('', 'sys_ui_action', ['1218f7b3cb100200d71cb9c0c24c9cdf']);

var scan = new sn_instance_scan.ScanInstance();
var result = scan.triggerScanFromCombo(comboId);


For more available scripting for different scan types read this article:
- Automating the different Instance Scan scan types

---


And that's it! A few ideas on embedding Instance Scan to your way of working. Having any ideas of your own for embedding Instance Scan into your way of working, please do share!

 


If this content helped you, I would appreciate it if you hit bookmark or mark it as helpful.

 

Interested in more Articles, Blogs, Videos, Podcasts, Share projects I shared/participated in?
- Articles, Blogs, Videos, Podcasts, Share projects - Experiences from the field

 

Kind regards,


Mark Roethof

ServiceNow Technical Platform Architect @ Quint Technology

2x ServiceNow Developer MVP

2x ServiceNow Community MVP

---

LinkedIn