Scan Engine integrations
Scan Engine integrates with other ServiceNow instances and external agile systems to synchronize definitions, manage exception reasons, create user stories, and enforce governance over app deployments.
Scan Engine has the ability to integrate with your other environments running Impact so that you can:
- Compare technical debt across instances
- Sync custom definitions across instances
- Enable approvals for finding exceptions in production
- Create user stories from findings
The following integrations are available for the Scan Engine.
| Integration | Description |
|---|---|
| Definitions integration | Allows users to synchronize definition overrides and custom definitions between non-production and production instances. Ensuring a consistent ruleset is being applied throughout the instance stack. |
| Exception reason integration |
|
| User story integration | Creates tasks for findings from a ServiceNow instance to:
|
| Deployment and synchronization integrations |
|
Prerequisites
Most integrations share the same foundational setup. Complete the following before configuring any specific integration.
- Create an integration user account in development and production environments.
- Register your instance: Register each participating instance in the My SN Instances table. Only one instance in your stack may be designated as Production.
- Configure authentication using Basic or OAuth. OAuth is strongly recommended for all production environments. See Configure the OAuth authentication method development instance and Configure the OAuth authentication method production instance or Configure the Basic authentication method for details.
- Validate your instance connection: Validate each instance connection using the Validate Connection action on each My SN Instances record.
Note:
Azure DevOps and the Other integration type authenticate via Basic auth records and API tokens configured directly in Scan Engine Properties, as they do not use My SN Instances. AES/AEMC only requires one My SN Instances record to designate the production controller, with no Authentication Type set.
Role requirements
| Role | Purpose | Where required |
|---|---|---|
sn_se.scan_engine_admin |
Full admin access to Scan Engine configuration | Integration user on all instances |
sn_se.internal_rest_integration |
Allows REST calls between instances | Integration user on all instances |
admin |
Platform admin | Update Set Scans integration only |
Important:
Neither Scan Engine role is inherited by the platform admin role. Always assign both roles explicitly on every instance the integration user is imported to.
Platform notes
- Key Management Framework (KMF)
- KMF replaced the Glide Encryptor class for encrypting
password_2fields. KMF encryption is instance-specific, an encrypted value from one instance cannot be decrypted on another. Any Auth record that crosses an instance boundary requires a password re-entry on the receiving instance. If a pending Scan Engine scripting scope request is blocking authentication, it must be approved in the Key Management Framework module access policies before retrying. - ECMAScript 2021 (ES12) mode
- For User Story integrations, enable ECMAScript 2021 (ES12) mode in Scan Engine Properties to use modern JavaScript syntax in field mapping scripts. Without this mode, only the application default JavaScript mode is available.