S4 allows you to manage scan configurations at a Global level and on a per-Salesforce-org basis. This gives you and your team a great deal of flexibility in when and how S4 will scan for vulnerabilities.
At both the Global and Org level, the same settings are configured. An Org setting will override the corresponding Global setting.
Global Scan Settings
To manage your global settings, use the left-hand navigation by selecting the "Configure" option. In a full-width desktop display, you should see this represented as a gear icon with a "Configure" label. In narrower displays, only the icon will appear, or the left-hand navigation bar may be hidden until you click the grid icon in the upper-left corner.
The settings controls are the default panel on the tab interface.
Per Salesforce Org Scan Settings
To manage your org settings, use the modal function menu found on the Salesforce Instances Under Monitoring panel and select "Edit Org Settings," also associated with a gear icon.
On the resulting screen, you can use the Scan Rules or Scan Settings tab to modify the way S4 scans your org.
The Scan Rules tab allows you to modify the severity of a Rule and whether the Rule should be part of your scan.
The Scan Type tab allows you to modify the types of scan that will run. This set of controls is the same as what is available at the Global level, but the values set here will override the Global values for this org.
Scan Type Setting Controls
You have the ability to control which scans are run when a scan command is sent to S4.
Auto Scan - This function is currently disabled.
Static Code Analysis (SAST) - This will evaluate your code for common errors that may cause vulnerabilities. By itself, this scan may produce several false-positive vulnerability findings. However, it is the scan to run when you need a code evaluation only.
Dynamic Testing (IAST) - This takes the results of our SAST scan and runs them through an interactive testing harness with dummy data to eliminate false positives. Use this scan in concert with an active Salesforce Org.
Software Composition Analysis (SCA) - This scan reviews your code's external libraries and remotely referenced libraries against a watchlist of 30 CVE databases.
Configuration Testing - This scan reviews your Salesforce Admin configuration to look for settings that may create vulnerabilities.
Third Party Packages - This scan will only look at third-party packages that you have installed in Salesforce. This can be useful to run when you need to isolate the vulnerabilities introduced by a new app.
Notify All Users of Vulnerabilities - This setting will generate a report notification message to all of your S4 users that a report has been completed. When in the off position, only the user initiating the scan will receive the notification message.
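The override behaviour described above (the same settings exist at the Global and Org level, an Org value wins, and an unset Org value falls through to the Global default) is easy to get wrong when auditing which scans actually run for a given org. The following is an added example, not S4's own code, API or settings format: it models the Scan Type, Scan Rule and notification settings from this page as plain dictionaries, resolves the effective settings for one org, and flags combinations that the descriptions above suggest are ineffective (IAST enabled without the SAST results it consumes; no scan types enabled). All key names, rule names and sample values are constructed assumptions.

```python
"""Resolve effective scan settings: Org values override Global values.

Hypothetical model of the Global/Org layering described on this page; not
S4's own API or data format. A value an org leaves unset (None or absent)
falls through to the global default.
"""
from typing import Optional

# Scan types from the page, keyed by assumed short names, in run order.
SCAN_TYPES = (
    "auto_scan",              # currently disabled, per the page
    "sast",                   # Static Code Analysis
    "iast",                   # Dynamic Testing, consumes SAST results
    "sca",                    # Software Composition Analysis
    "configuration_testing",  # Salesforce Admin configuration review
    "third_party_packages",   # installed third-party packages only
)

# Constructed sample Global settings (rule names are placeholders).
GLOBAL_DEFAULTS = {
    "scan_types": {
        "auto_scan": False, "sast": True, "iast": True, "sca": True,
        "configuration_testing": True, "third_party_packages": False,
    },
    "notify_all_users": False,
    "rules": {
        "rule-soql-injection": {"severity": "High", "enabled": True},
        "rule-hardcoded-id": {"severity": "Low", "enabled": True},
    },
}


def effective_settings(global_cfg: dict, org_cfg: Optional[dict]) -> dict:
    """Merge Org settings over Global ones without mutating either input."""
    org_cfg = org_cfg or {}

    merged_types = dict(global_cfg["scan_types"])
    for name, enabled in org_cfg.get("scan_types", {}).items():
        if enabled is not None:          # None means "not set at Org level"
            merged_types[name] = enabled
    # Auto Scan is disabled product-wide on this page, so it never runs.
    merged_types["auto_scan"] = False

    merged_rules = {k: dict(v) for k, v in global_cfg["rules"].items()}
    for rule, override in org_cfg.get("rules", {}).items():
        merged_rules.setdefault(rule, {"severity": None, "enabled": True})
        for key, value in override.items():
            if value is not None:
                merged_rules[rule][key] = value

    notify = org_cfg.get("notify_all_users")
    return {
        "scan_types": merged_types,
        "notify_all_users": global_cfg["notify_all_users"] if notify is None else notify,
        "rules": merged_rules,
    }


def scans_to_run(settings: dict) -> list:
    """Scan types that will execute when a scan command is sent, in run order."""
    return [t for t in SCAN_TYPES if settings["scan_types"].get(t)]


def consistency_warnings(settings: dict) -> list:
    """Assumed sanity checks derived from the scan-type descriptions on this page."""
    types = settings["scan_types"]
    warnings = []
    if types.get("iast") and not types.get("sast"):
        warnings.append("IAST is enabled without SAST, but IAST runs on SAST results.")
    if not scans_to_run(settings):
        warnings.append("No scan types are enabled; a scan command will do nothing.")
    return warnings


def notification_recipients(settings: dict, initiator: str, all_users: list) -> list:
    """Who receives the report-complete message for a scan started by `initiator`."""
    return list(all_users) if settings["notify_all_users"] else [initiator]


if __name__ == "__main__":
    # Constructed Org override: turn IAST off, add third-party scanning,
    # and disable one rule for this org only.
    org = {
        "scan_types": {"iast": False, "third_party_packages": True},
        "rules": {"rule-hardcoded-id": {"enabled": False}},
    }
    eff = effective_settings(GLOBAL_DEFAULTS, org)
    print("scans:", scans_to_run(eff))
    print("warnings:", consistency_warnings(eff))
    print("recipients:", notification_recipients(eff, "alice", ["alice", "bob"]))
```

Because the merge never mutates the Global dictionary, the same `GLOBAL_DEFAULTS` can be resolved against every org under monitoring in turn, which is a convenient way to produce a per-org table of which scans are actually active before relying on the results.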