S4 security scans can be configured for full coverage or for certain types of scanning only. Security configurations are accessible by clicking the Configure S4 link in the navigation bar (see the diagram below, where it is marked "1"):
The following options can be configured for each security scan:
- Auto-Scan - Turn on Auto Scan to have S4 run a scan on your Org overnight (approximately midnight UTC).
- Static Code Analysis (SAST) - Your code is analyzed for common vulnerability errors.
- Dynamic Testing (IAST) - Code flagged in SAST scans is run through a custom runtime testing engine specific to your Org, identifying injection flaws. Findings include proof-of-concept exploits indicating successful execution and verification.
- Software Composition Analysis (SCA) - This scan evaluates any code libraries, or remotely-referenced code libraries, that are included in your code. These libraries are then checked against Common Vulnerability and Exploit databases to alert you to any possible threats or newly disclosed vulnerabilities.
- Configuration Testing - This scan evaluates your online Salesforce Org's settings to determine whether any objects are exposed, or any vulnerabilities are introduced, via user permissions.
- Third-Party Packages - External tools or Salesforce apps associated with your code or org are also analyzed for the same scans that we run on your own code.
- Notify All Users of Vulnerabilities - This setting will send an email to all users in your S4 account indicating that a scan has been run and found vulnerabilities. If set to off, only the user initiating the scan will receive a notification email.