Using the Instance Scan
The Out-of-the-Box Instance Scan tool was introduced in Quebec as a free product any customer can use. However, there are still many customers out there who do not seem to know about it. Here is an article explaining how to use it, for those who may need a nudge.
Installing it on old instances
New instances have it enabled by default, but old instances may need to install it from the list of plugins. Its unique name is "com.glide.instance_scan":
Understanding it
The Instance Scan application comes with a set of Checks that will be performed on any of the following, depending on what we choose:
- The whole instance
- A specific application
- A specific update set
- A specific record
Once it is executed, it will generate a Scan Result that will contain all the Findings the Checks detected. It must be noted that only "admin" and "scan_user" can run a scan.
Before we talk about how to run it, let's go through the different elements that make up the Instance Scan tool.
Suites
Checks come in Suites depending on what they look for. Some examples of OOB Suites are:
- Auditor
- Deployment Pipeline
- Deprecated APIs
- Instance Scan
- Instance Security Center
- Instance Security Hardening Settings
- Security Center
- Schema for contextual security
- System Properties Update API
These Suites come along with other applications/plugins installed. For instance, the "Deployment Pipeline" Store application installs the "Deployment Pipeline" Suite and its checks.
Checks
These records are the ones that come inside Suites and detect bad practices. They also come with a description of the issue, resolution details explaining how to fix the issue being detected, and potentially a documentation URL taking the user to an official page offering further details.
Checks can be of four types:
- Linter: Analyses the code of the script being checked and builds a syntax tree for it, allowing us to perform checks on that tree
- Table: Allows us to perform checks by specifying the table and fields that need to be checked
- Column: Allows us to perform checks on all tables for a given type of field (e.g. script, string, integer, boolean...)
- Script: Allows us to build any complex check we need. If none of the other options work for us, this one will
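As an added illustration of the Script type (example code written for this article, not one of ServiceNow's own checks): a check that flags active Business Rules whose script embeds a hard-coded 32-character sys_id. The detection logic is a plain function over row objects so it can be exercised outside the platform; the wrapper at the bottom assumes the Instance Scan `engine.finding.setCurrentSource()` and `engine.finding.increment()` calls, which only exist inside the instance, and the sample rows are constructed.

```javascript
// Matches a bare 32-character hexadecimal sys_id wrapped in quotes.
var SYS_ID_LITERAL = /['"][0-9a-f]{32}['"]/i;

// Pure detection logic: return the rows whose script embeds a sys_id literal.
// `rows` is an array of {name, active, script} objects, one per sys_script record.
// Inside the instance these would be collected from a GlideRecord('sys_script') query.
function findHardcodedSysIds(rows) {
  return rows.filter(function (row) {
    return row.active && SYS_ID_LITERAL.test(row.script || '');
  });
}

// Constructed sample rows standing in for the result of that query.
var SAMPLE_RULES = [
  { name: 'Assign by group', active: true,
    script: "current.assignment_group = '0123456789abcdef0123456789abcdef';" },
  { name: 'Assign by property', active: true,
    script: "current.assignment_group = gs.getProperty('x.assign.group');" },
  { name: 'Old rule', active: false,
    script: "current.caller_id = 'fedcba9876543210fedcba9876543210';" }
];

// Body of the Script check. Assumed platform API (not verifiable offline):
// engine.finding.setCurrentSource(record) attaches the finding to a record,
// engine.finding.increment() counts it. Returns the number of findings raised.
function scriptCheck(engine, rows) {
  var bad = findHardcodedSysIds(rows);
  bad.forEach(function (row) {
    engine.finding.setCurrentSource(row); // finding points at the offending rule
    engine.finding.increment();
  });
  return bad.length;
}
```

In the real check the inactive rule would never be queried at all; it is kept in the sample to show the `active` guard doing its job.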
Results
As mentioned above, once we execute the Instance Scan (we will see how to do that later) it generates a Scan Result record. This Scan Result record will contain a list of checks performed, suites involved, scan findings (issues found), and other log and statistic information.
Findings
When a check finds a bad practice, a new finding will be created. Findings specify the check that went wrong, on which record, the number of occurrences of such issue and more useful information. One critical thing we must know is that findings can be "muted" to ignore them. This can be done by clicking on the "Mute" button shown at the top right corner:
If we click on "Mute" we are offered the following options:
- Not Applicable: Useful to mute false positives
- Risky change: The bad practice is acknowledged but fixing it could cause way more issues
- Not priority: The bad practice is acknowledged but there are other bad practices that take preference
Further "Mute reasons" can be created by going to the "scan_mute_rule_reason" table and creating them manually.
Executing it
As mentioned above, there are several types of scans we can perform. Let's go through each of them in the subsections below.
Scheduled Scan
In order to do this we need to go to "Instance Scan > Checks" and click on the "Schedule Full Scan" button located at the top right corner:
After that we will see the standard form to define a scheduled execution of any sort, letting us specify a condition, a periodicity, time zone, etc...
Full Scan
If we want to run a full scan of the instance to check how it is at this very moment, we can go to "Instance Scan > Checks" and click on "Execute Full Scan", next to the "Schedule Full Scan" button mentioned above.
It must be highlighted that this process takes some time.
Application Scan
If all we want is to run a scan on a single scoped application, we can do so by going to the application record and clicking on the "Scan Application" link below.
Update Set Scan
Update sets can be analysed by clicking on "Scan Update Set" in their related links section:
Point Scan
This type of scan allows us to scan a single record (must extend "sys_metadata"), meaning we will get the results much faster than scanning the whole instance. Bear in mind the property "glide.scan.enable_point_scan_ui_action" must be "true" for this link to appear.
Analysing the data generated
Scan Results and findings are used to show some charts in the standard Dashboards that come with the application:
- Instance Scan Results Dashboard: Can be accessed by going to "Instance Scan > Dashboard"
- Results Dashboard: Found in any "Scan Result" as a related link:
This dashboard is quite useful, especially because of the "Average Findings Over Time" chart. With this chart we can understand whether we are getting rid of issues, holding steady (neither increasing nor decreasing), or making things worse.
Conclusion
Although this blog article isn't an exhaustive list of everything you can find in the Instance Scan application, its aim was to provide a good overview of what it is and how you can leverage it on your instance. For further information, check out the official documentation here.
Running scheduled scans is important to understand how your instance is progressing in terms of bad practices, so that you can make the right decision before it is too late, but running them ad hoc on update sets, applications or specific records is also highly recommended depending on the case.
Not using this application is a terrible idea, especially since it is free of charge and comes enabled in new instances, but remember it can spot false positives, issues that could be way too risky to be fixed or issues that are not so critical. It is up to you to "mute" them accordingly.
Please, like the article if it was useful and feel free to share it with anyone that may find it interesting.