Add IP addresses for Security Scanner tool #6130
Good to see. Too bad we don't have a Security note instead of a plain note.
Added a number of suggested edits.
An additional note about this topic: the Security Scan tool has quite a bit of user help on the site. Perhaps we should consider looking at that to determine whether we can just link to that information instead of having the details in the DevDocs and MerchDocs.
@jeff-matthews There is a backlog item for the Security Scan tool: https://magento2.atlassian.net/browse/MAGECLOUD-3736
Co-Authored-By: hguthrie <hguthrie@users.noreply.github.com>
Co-Authored-By: Margaret Eker <meker@adobe.com>
Added my comment with some additions. Otherwise looks good.
Running tests.
Actually, I think we should consider moving the content from https://account.magento.com/scanner/index/dashboard/ to devdocs/merchdocs. @piotrekkaminski's request came to us because it's unclear who owns those PDFs and source files, so it's difficult to update.
Hi @jeff-matthews, thank you for your contribution!
To review the report: | ||
|
||
1. When the report completes, a notification displays. | ||
1. In the site row, select the report you want to view from the **Reports** column. The order is latest to oldest. | ||
|
||
The report lists issues including Failed Scans, Unidentified Results, and Successful Scans. Each entry provides detailed information for the scan, a list of issues to investigate, and actions to take. Some of these actions may require downloading and installing security patches. You can add those to a development branch on your local workstation. | ||
|
||
Scan results include a general label that describes whether a site passed or failed plus detailed information about the checks performed. Failed indicates that the website contains a serious vulnerability, while unidentified suggests that a deeper review is required by your team or hosting provider to determine if further action is required. We also provide suggested remediation steps for each failed security test. Security scan results are protected and viewable only by the registered user, and notifications of scan completion are restricted to the users designated in the site registration process. | ||
Scan results include a label that describes scan pass or fail status with detailed information about the checks performed: | ||
|
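Review bot: the replacement sentence at the end of this hunk drops three things the original paragraph stated: the "unidentified" result (a deeper review is required by your team or hosting provider), the suggested remediation steps for each failed security test, and the access restrictions (results viewable only by the registered user; completion notifications restricted to the users designated during site registration). If the bullet list that follows covers the pass/fail/unidentified labels, keep the remediation and access-restriction sentences as a separate paragraph after the list so that information is not lost from the page.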
Probably we have to add a description for "Pass": it means the store "behaves as expected" and its responses to certain requests are considered to be "correct".
Scan results include a general label that describes whether a site passed or failed plus detailed information about the checks performed. Failed indicates that the website contains a serious vulnerability, while unidentified suggests that a deeper review is required by your team or hosting provider to determine if further action is required. We also provide suggested remediation steps for each failed security test. Security scan results are protected and viewable only by the registered user, and notifications of scan completion are restricted to the users designated in the site registration process. | ||
Scan results include a label that describes scan pass or fail status with detailed information about the checks performed: | ||
|
||
* "Failed" indicates that the website contains a serious vulnerability. |
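Review bot: the "Failed" bullet carries over the "serious vulnerability" wording from the replaced paragraph even though the new intro line promises a per-label breakdown; as the reviewer comment on this hunk notes, a failed result can also come from an undetected patch, malware, a server misconfiguration or a vulnerable extension, so reword it along the lines of `* "Failed" indicates that the scanner found a known vulnerability or other issue that should be reviewed and addressed.` and add matching bullets for "Pass" and "Unidentified" so that all three labels the intro refers to are defined.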
I would avoid the word "serious" since, e.g., the SSL/TLS check has a minor "weight" and is not SO serious... Also, the failure is possible for multiple reasons in addition to a found vulnerability: undetected patch, malware found, server misconfiguration, vulnerable extension found.
Maybe instead of "...website contains a serious vulnerability..." we should put something like "...scanner found a known vulnerability that should be reviewed and addressed accordingly..."
@MaxSavich, I'll create another PR to address your comments.
Purpose of this pull request
This pull request (PR):
See internal staging build 1173 for a preview.
Affected DevDocs pages
whatsnew
Updated the Cloud Guide with more information about the Magento Security Scanner, including which IP addresses, ports, and user agent strings it uses.