Scan Engine integrations

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
  • Scan Engine integrates with other ServiceNow instances and external agile systems to synchronize definitions, manage exception reasons, create user stories, and enforce governance over app deployments.

    Scan Engine has the ability to integrate with your other environments running Impact so that you can:

    • Compare technical debt across instances
    • Sync custom definitions across instances
    • Enable approvals for finding exceptions in production
    • Create user stories from findings

    The following integrations are available for the Scan Engine.

    Table 1. Scan Engine integrations
    Integration Description
    Definitions integration Allows users to synchronize definition overrides and custom definitions between non-production and production instances. Ensuring a consistent ruleset is being applied throughout the instance stack.
    Exception reason integration
    • Synchronizes exception reasons between non-production and production instances.
    • Facilitates the approval or rejection of exception reasons in the production environment.
    User story integration Creates tasks for findings from a ServiceNow instance to:
    • ServiceNow production Instance
    • Jira
    • Azure DevOps
    • Others
    Deployment and synchronization integrations
    • Update sets: Synchronizes update set summary scans to the production instance from instances where this integration is enabled.
    • AES/AEMC: Provides automated governance for custom app deployments by validating deployment requests against admin-defined conditions before approval. When a developer submits a deployment request, the system automatically runs checks to ensure all required rules are met, blocking deployment if conditions fail.

    Prerequisites

    Most integrations share the same foundational setup. Complete the following before configuring any specific integration.

    Note:
    Azure DevOps and the Other integration type authenticate via Basic auth records and API tokens configured directly in Scan Engine Properties, as they do not use My SN Instances. AES/AEMC only requires one My SN Instances record to designate the production controller, with no Authentication Type set.

    Role requirements

    Role Purpose Where required
    sn_se.scan_engine_admin Full admin access to Scan Engine configuration Integration user on all instances
    sn_se.internal_rest_integration Allows REST calls between instances Integration user on all instances
    admin Platform admin Update Set Scans integration only
    Important:
    Neither Scan Engine role is inherited by the platform admin role. Always assign both roles explicitly on every instance the integration user is imported to.

    Platform notes

    Key Management Framework (KMF)
    KMF replaced the Glide Encryptor class for encrypting password_2 fields. KMF encryption is instance-specific, an encrypted value from one instance cannot be decrypted on another. Any Auth record that crosses an instance boundary requires a password re-entry on the receiving instance. If a pending Scan Engine scripting scope request is blocking authentication, it must be approved in the Key Management Framework module access policies before retrying.
    ECMAScript 2021 (ES12) mode
    For User Story integrations, enable ECMAScript 2021 (ES12) mode in Scan Engine Properties to use modern JavaScript syntax in field mapping scripts. Without this mode, only the application default JavaScript mode is available.