S4 allows you to manage scan configurations at a Global level and on a per Salesforce org basis. This gives you and your team a great deal of flexibility over when and how S4 will scan for vulnerabilities.
At both the Global and Org level, the same settings are configured. The Org setting overrides the Global setting.
Global Scan Settings
To manage your global settings, use the left-hand navigation by selecting the "Configure" option. In a full-width desktop display, you should see this represented as a gear icon with a "Configure" label. In narrower displays, only the icon will appear, or the left-hand navigation bar may be hidden until you click the grid icon in the upper-left corner.
The settings controls are the default panel on the tab interface.
Salesforce Org Scan Settings
To manage your org settings, you will use the modal function menu found on the Salesforce Instances Under Monitoring to select "Edit Org Settings," also associated with a gear icon.
Please note, while these settings screens appear similar, the Global configuration screen uses a tab interface beneath a header reading "Global Configurations" while the Org configuration screen uses a tab interface beneath a header reading "Salesforce Org Settings".
Scan Setting Controls
You have the ability to control which scans are run when a scan command is sent to S4.
Auto Scan - This will run all the requested scans on a regular basis.
Static Code Analysis (SAST) - This will evaluate your code for common errors that may cause vulnerabilities. By itself, this scan may produce several false-positive vulnerability findings. However, it is the scan to run when you want a code-only evaluation.
Dynamic Testing (IAST) - This takes the results of our SAST scan and runs them through an interactive testing harness with dummy data to eliminate false positives. Use this scan in concert with an active Salesforce Org.
Software Composition Analysis (SCA) - This scan reviews your code's external libraries and remotely referenced libraries against a watchlist of 30 CVE databases.
Configuration Testing - This scan reviews your Salesforce Admin configuration to look for settings that may create vulnerabilities.
Third Party Packages - This scan will only look at third party packages that you have installed in Salesforce. This can be useful to run when you need to isolate the vulnerabilities introduced by a new app.
Notify All Users of Vulnerabilities - This setting will generate a report notification message to all of your S4 users that a report has been completed. When in the off position, only the user initiating the scan will receive the notification message.
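The following is an added example, not S4's own code, that models the precedence rule stated above (the Org setting overrides the Global setting) together with the scan setting controls listed here. The setting names, the ScanSettings class, and the helper functions are assumptions made for illustration. The point worth seeing in code is that "unset at the Org level" must be distinguished from "switched off at the Org level": an Org-level off must still override a Global-level on, so an unset value is represented as None rather than False. The IAST-requires-SAST check is an inference from the page's statement that Dynamic Testing consumes SAST results, not a documented S4 rule.

```python
from dataclasses import dataclass, fields
from typing import Optional

# Hypothetical model of the scan setting controls described on this page.
# None means "not set at this level"; False means explicitly switched off.
@dataclass
class ScanSettings:
    auto_scan: Optional[bool] = None
    sast: Optional[bool] = None
    iast: Optional[bool] = None
    sca: Optional[bool] = None
    configuration_testing: Optional[bool] = None
    third_party_packages: Optional[bool] = None
    notify_all_users: Optional[bool] = None


def resolve_effective(global_settings: ScanSettings, org_settings: ScanSettings) -> dict:
    """Effective per-org settings: the Org value wins whenever it is set,
    otherwise the Global value applies. A control unset at both levels
    resolves to False (assumption: an unconfigured scan is not run)."""
    effective = {}
    for f in fields(ScanSettings):
        org_value = getattr(org_settings, f.name)
        global_value = getattr(global_settings, f.name)
        if org_value is not None:
            effective[f.name] = org_value      # explicit Org override, True or False
        elif global_value is not None:
            effective[f.name] = global_value   # inherited from Global
        else:
            effective[f.name] = False
    return effective


def scans_to_run(effective: dict) -> list:
    """Names of the scan controls enabled in an effective settings dict.
    Assumption drawn from the page: IAST works on SAST results, so an
    IAST-without-SAST combination is reported instead of scheduled."""
    scan_controls = ["sast", "iast", "sca", "configuration_testing", "third_party_packages"]
    enabled = [name for name in scan_controls if effective.get(name)]
    if "iast" in enabled and "sast" not in enabled:
        raise ValueError("IAST requires SAST results; enable SAST or disable IAST")
    return enabled


def notification_recipients(effective: dict, initiating_user: str, all_users: list) -> list:
    """Who receives the completion message: every S4 user when
    notify_all_users is on, otherwise only the user who initiated the scan."""
    if effective.get("notify_all_users"):
        return list(all_users)
    return [initiating_user]


if __name__ == "__main__":
    # Constructed sample: Global enables most scans and broadcasts notifications;
    # one Org turns IAST and broadcast off and adds the Third Party Packages scan.
    global_cfg = ScanSettings(auto_scan=True, sast=True, iast=True, sca=True, notify_all_users=True)
    org_cfg = ScanSettings(iast=False, third_party_packages=True, notify_all_users=False)
    effective = resolve_effective(global_cfg, org_cfg)
    print(effective)
    print(scans_to_run(effective))
    print(notification_recipients(effective, "alice", ["alice", "bob"]))
```

Running the sample shows iast resolving to False even though Global has it on, and the completion message going only to the initiating user, which is the behaviour a per-org override should produce.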