Add IP addresses for Security Scanner tool #6130
Conversation
jeff-matthews
added
the
Internal Dev
jeff-matthews
requested review from
hguthrie,
meker12,
piotrekkaminski and
MaxSavich
|
An additional note about this topic-- the Security Scan tool has quite a bit of user help on the site. Perhaps, we should consider looking at that to determine whether we can just link to that information instead of having the details in the DevDocs and Merchdocs. |
|
@jeff-matthews There is a backlog item for Security scan tool: https://magento2.atlassian.net/browse/MAGECLOUD-3736 |
Co-Authored-By: hguthrie <hguthrie@users.noreply.github.com>
Co-Authored-By: Margaret Eker <meker@adobe.com>
jeff-matthews
added
the
Technical
|
running tests |
Actually, I think we should consider moving the content from https://account.magento.com/scanner/index/dashboard/ to devdocs/merchdocs. @piotrekkaminski's request came to us because it's unclear who owns those PDFs and source files, so it's difficult to update. |
|
Hi @jeff-matthews, thank you for your contribution! |
| To review the report: | ||
|
|
||
| 1. When the report completes, a notification displays. | ||
| 1. In the site row, select the report you want to view from the **Reports** column. The order is latest to oldest. | ||
|
|
||
| The report lists issues including Failed Scans, Unidentified Results, and Successful Scans. Each entry provides detailed information for the scan, a list of issues to investigate, and actions to take. Some of these actions may require downloading and installing security patches. You can add those to a development branch on your local workstation. | ||
|
|
||
| Scan results include a general label that describes whether a site passed or failed plus detailed information about the checks performed. Failed indicates that the website contains a serious vulnerability, while unidentified suggests that a deeper review is required by your team or hosting provider to determine if further action is required. We also provide suggested remediation steps for each failed security test. Security scan results are protected and viewable only by the registered user, and notifications of scan completion are restricted to the users designated in the site registration process. | ||
| Scan results include a label that describes scan pass or fail status with detailed information about the checks performed: | ||
|
|
There was a problem hiding this comment.
Probably we have to add a description for "Pass" - it means the store "behaviors as expected" and it's responses on the certain requests are considered to be "correct"
| Scan results include a general label that describes whether a site passed or failed plus detailed information about the checks performed. Failed indicates that the website contains a serious vulnerability, while unidentified suggests that a deeper review is required by your team or hosting provider to determine if further action is required. We also provide suggested remediation steps for each failed security test. Security scan results are protected and viewable only by the registered user, and notifications of scan completion are restricted to the users designated in the site registration process. | ||
| Scan results include a label that describes scan pass or fail status with detailed information about the checks performed: | ||
|
|
||
| * "Failed" indicates that the website contains a serious vulnerability. |
There was a problem hiding this comment.
I would avoid the word "serious" since, e.g. SSL TLS check has a minor "weight" and not SO serious... Also the failure is possible on the multiple reasons in addition to found vulnerability: undetected patch, malware found, server misconfiguration, vulnerable extension found.
Maybe instead of "...website contains a serious vulnerability..." we should put something like "... scanner fund a known vulnerability that should be reviewed and addressed accordingly..."
|
@MaxSavich, I'll create another PR to address your comments. |
Purpose of this pull request
This pull request (PR):
See internal staging build 1173 for a preview.
Affected DevDocs pages
whatsnew
Updated the Cloud Guide with more information about the Magento Security Scanner, including which IP addresses, ports, and user agent strings it uses.