DigitSec allows you to manage scan configurations at the Environment level and on a per-Workspace basis. This gives you and your team a great deal of flexibility in when and how the system scans for vulnerabilities.
Environment level settings are the defaults for your environment. Each time you create a new Workspace, your Environment settings are applied to that Workspace at the time of creation. Modifying your Environment settings DOES NOT automatically change existing Workspace settings.
Environment Scan Settings
To manage your Environment Settings, click on the "Configure" option in the top-bar navigation indicated by the diagonal arrow below. Then click on the Scan Settings sub-tab navigation indicated by the vertical arrow. Please scroll to the end of this document to learn details about each setting option.
Per Workspace Scan Settings
As at the Environment level, you can control the Scan Types that will run for your Workspace. Once modified, these settings are applied each time a scan is initiated for that Workspace.
Once you have accessed the Workspace you wish to modify, click on the Settings link in the Workspace Tab Navigation. It is indicated by the diagonal arrow in the screen capture below. Then, click on the Scan Settings sub-tab navigation indicated by the vertical arrow. You can now modify the on-off state for a particular Scan Type.
Note: If you wish to quickly modify the settings for several Workspaces, use the "Select Org" pull-down selector indicated by the horizontal arrow.
You also have the flexibility to manage the Rules and the Default Severity Assignments for each Rule on a per Workspace basis. You can access that control page by using the Settings link in the Workspace Tab navigation. It is indicated by the diagonal arrow in the screen capture below. Then, click on the Scan Rules sub-tab navigation indicated by the vertical arrow.
On this screen, you can control the default severity assignment for each rule by using the associated pull-down selector, indicated by the horizontal arrow that is yellow with a dark-blue border near the center of the screen capture. Each rule already has a default severity assignment. These defaults correspond to OWASP documentation: Critical and High severity assignments indicate a risk of a security breach, while Medium and Low assignments are more oriented to "best practices."
You can also disable a rule from running entirely by using the toggle switch indicated by the horizontal arrow that is blue with a yellow border near the right-hand side of the screen capture.
Note: Modifying these settings applies to this Workspace only and affects scans initiated after your settings changes are completed. You can see which settings and rules were active at the time a scan was run by reviewing the scan statistics for that scan. Severity assignments are applied to findings while the scan is running. After a scan has completed, you can modify the severity assignment on a per-finding basis; that change persists on that finding without affecting the settings for the Workspace.
Scan Type Setting Controls
You can control which scans are run when a scan command is sent to DigitSec.
Static Code Analysis (SAST) - This evaluates your code for common errors that may cause vulnerabilities. By itself, this scan may produce several false-positive vulnerability findings. It is the scan to run when you want a code-only evaluation.
Dynamic Testing (IAST) - This takes the results of the SAST scan and runs them through an interactive testing harness with dummy data to eliminate false positives. Use this scan in concert with an active connection to a Salesforce Org or Salesforce Commerce Cloud.
Software Composition Analysis (SCA) - This scan reviews your code's external libraries and remotely referenced libraries against database watchlists of Common Vulnerabilities and Exposures (CVEs). This scan can also be run in a code-only evaluation.
Configuration Testing - This scan reviews your Salesforce Admin configuration to look for settings that may create vulnerabilities. This scan returns results when run against a connected Salesforce Org or Salesforce Commerce Cloud.
Third Party Packages - If you have installed unmanaged third-party packages or you are doing package-based development, you can activate this scanning to look at that code and apply SAST, IAST, or SCA scans as applicable. If this setting is not turned on, DigitSec will not scan unmanaged, package-based code. Managed package code is inaccessible for scanning.