- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Hi all
Does anyone have a high level understanding of the new Guarded Scripts Sandbox runtime and the impact?
Will this stop scripts working or will it simply alert admins of the issue?
Thanks in advance.
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2 weeks ago - last edited 2 weeks ago
The informed dates and schedules are above. The about 30 days long cycle will include these phases:
Phase 1 - Detection (2 weeks): The system silently analyzes scripts for compatibility issues, recording any violations in a list without blocking execution.
Phase 2 - Syntax Enforcement (2 weeks): Guarded syntax rules are enforced, and API violations are recorded, but scripts still continue to execute.
Phase 3 - Full Enforcement (Permanent): Full restriction is applied, where scripts violating safety rules are blocked unless an exemption has been created
I have monitored several instances and my Australia patch 2 PDI, but have not yet observed any activity on the servers that would match the code examples (eg. system properties). Good to be on "alert" with this upgrade and security change. Risks could be higher than normal for anything to go wrong.
- Christian
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
I have been assigned to review that situation by my boss. Phase 1 will detect, flag it, and put "risk" scripts in the list under Incompatible Guarded Script for you to review before Phase 2. Phase 3 will fully block flagged scripts from executing unless the code is updated following the requirements or an exemption is made. My question is, does that apply to only sandbox instance, non-prod instances, or all instances?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2 weeks ago - last edited 2 weeks ago
This is not about the instance type i.e. prod, test, dev or sandbox. All servers/versions are affected as long as they are listed on the KB-article. Upgrades and installs will begin on the 5th of May.
This is related to the Script Sandbox security feature:
"The script sandbox is an environment with restricted rights in which client-generated scripts run when they’re made available to the script sandbox."
https://www.servicenow.com/docs/r/api-reference/scripts/script-sandbox.html
Guarded Script Rollout Timeline:
Release
Zurich Patch 9 - 5.5.2026
Australia Patch 2 - 5.5.2026
Yokohama Patch 13 - 5.5.2026
Zurich Patch 7b - 14.5.2026
Yokohama Patch 12 HF1b - 14.5.2026
Brazil - 14.10.2026
- Christian
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2 weeks ago
Hi @bbf35621 and @JC Moller
Do you know the timeline for phase 1, phase 2 and phase 3?
Main question is when will things start breaking 🙂
Thanks in advance.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2 weeks ago - last edited 2 weeks ago
The informed dates and schedules are above. The about 30 days long cycle will include these phases:
Phase 1 - Detection (2 weeks): The system silently analyzes scripts for compatibility issues, recording any violations in a list without blocking execution.
Phase 2 - Syntax Enforcement (2 weeks): Guarded syntax rules are enforced, and API violations are recorded, but scripts still continue to execute.
Phase 3 - Full Enforcement (Permanent): Full restriction is applied, where scripts violating safety rules are blocked unless an exemption has been created
I have monitored several instances and my Australia patch 2 PDI, but have not yet observed any activity on the servers that would match the code examples (eg. system properties). Good to be on "alert" with this upgrade and security change. Risks could be higher than normal for anything to go wrong.
- Christian
