Scan Engine integrations

  • Release version: Australia
  • Updated March 12, 2026
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Scan Engine integrations

    Scan Engine integrates with multiple ServiceNow instances and external agile systems to streamline synchronization, governance, and task creation related to application scanning and technical debt management. It enables customers to compare technical debt across environments, sync custom definitions, manage exception approvals, and generate user stories from scan findings.


    Key Features

    • Definitions integration: Synchronizes definition overrides and custom definitions between non-production and production instances to maintain consistent scanning rules.
    • Exception reason integration: Syncs exception reasons for findings, allowing approval or rejection of exceptions in production.
    • User story integration: Creates agile tasks and user stories from scan findings, supporting ServiceNow, Jira, Azure DevOps, and other external systems.
    • Deployment and synchronization integrations:
      • Update sets: Synchronizes update set scan summaries from integrated instances to production.
      • AES/AEMC: Enforces automated governance on custom app deployments by validating deployment requests against predefined conditions, blocking unauthorized deployments.
    • Other integration type: Allows creation of work items in any external system using custom payload scripts and basic authentication.

    Prerequisites and Configuration

    • Create a dedicated integration user account with required Scan Engine roles in both development and production environments.
    • Register each participating ServiceNow instance in the My SN Instances table, designating one as production.
    • Configure authentication, preferably OAuth for production, or Basic authentication as needed.
    • Validate connectivity between instances through the Validate Connection action.
    • Note that Azure DevOps and other external integrations authenticate via basic auth and API tokens configured in Scan Engine properties.

    Role Requirements

    • sn_se.scan_engine_admin: Full admin access to Scan Engine configuration, assigned to integration users.
    • sn_se.internal_rest_integration: Enables REST integration between instances.
    • admin: Required for Update Set Scans integration.
    • Roles must be explicitly assigned to integration users; platform admin role does not inherit Scan Engine roles.

    Platform Notes

    • Key Management Framework (KMF): Used for encrypting credentials; encrypted values are instance-specific, requiring password re-entry when shared across instances.
    • ECMAScript 2021 (ES12) mode: Recommended to enable for User Story integration to support modern JavaScript syntax in field mapping scripts.

    Benefits for ServiceNow Customers

    By leveraging these Scan Engine integrations, customers can ensure consistent scanning policies across their ServiceNow environments, streamline exception handling and approvals, automate user story creation linked to findings, and enforce governance on application deployments. This leads to improved visibility into technical debt, better collaboration between development and operations teams, and enhanced control over application lifecycle processes.

    Scan Engine integrates with other ServiceNow instances and external agile systems to synchronize definitions, manage exception reasons, create user stories, and enforce governance over app deployments.

    Scan Engine can integrate with your other environments running Impact so that you can:

    • Compare technical debt across instances
    • Sync custom definitions across instances
    • Enable approvals for finding exceptions in production
    • Create user stories from findings

    The following integrations are available for the Scan Engine.

    Table 1. Scan Engine integrations

    Integration: Definitions integration
    Description: Allows users to synchronize definition overrides and custom definitions between non-production and production instances, ensuring that a consistent ruleset is applied throughout the instance stack.

    Integration: Exception reason integration
    Description:
    • Synchronizes exception reasons between non-production and production instances.
    • Facilitates the approval or rejection of exception reasons in the production environment.

    Integration: User story integration
    Description: Creates tasks for findings from a ServiceNow instance to:
    • ServiceNow production instance
    • Jira
    • Azure DevOps
    • Others

    Integration: Deployment and synchronization integrations
    Description:
    • Update sets: Synchronizes update set summary scans to the production instance from instances where this integration is enabled.
    • AES/AEMC: Provides automated governance for custom app deployments by validating deployment requests against admin-defined conditions before approval. When a developer submits a deployment request, the system automatically runs checks to ensure all required rules are met, blocking deployment if conditions fail.

    Prerequisites

    Most integrations share the same foundational setup. Complete the following before configuring any specific integration.

    Note:
    Azure DevOps and the Other integration type authenticate via Basic auth records and API tokens configured directly in Scan Engine Properties, as they do not use My SN Instances. AES/AEMC only requires one My SN Instances record to designate the production controller, with no Authentication Type set.

    Role requirements

    | Role | Purpose | Where required |
    | --- | --- | --- |
    | sn_se.scan_engine_admin | Full admin access to Scan Engine configuration | Integration user on all instances |
    | sn_se.internal_rest_integration | Allows REST calls between instances | Integration user on all instances |
    | admin | Platform admin | Update Set Scans integration only |

    Important:
    Neither Scan Engine role is inherited by the platform admin role. Always assign both roles explicitly on every instance the integration user is imported to.
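
The role rule above can be checked per instance before an integration is configured. The following is an added example, not ServiceNow code: it audits rows shaped like an export of the sys_user_has_role table, and the instance names, the user name se.integration, the function auditIntegrationUser and the sample rows are all constructed for illustration.

```javascript
// Added example: audit the integration user's roles on every instance.
// Both Scan Engine roles must be assigned explicitly (admin does not
// grant them), and admin is only called for where the Update Set Scans
// integration is in use.
const REQUIRED_ROLES = ['sn_se.scan_engine_admin', 'sn_se.internal_rest_integration'];

// Constructed sample data: one row per role assignment, per instance.
const sampleRows = [
  { instance: 'dev',  user: 'se.integration', role: 'sn_se.scan_engine_admin' },
  { instance: 'dev',  user: 'se.integration', role: 'sn_se.internal_rest_integration' },
  { instance: 'dev',  user: 'se.integration', role: 'admin' },
  // On 'test' the user was given admin only: neither Scan Engine role follows from it.
  { instance: 'test', user: 'se.integration', role: 'admin' },
  { instance: 'prod', user: 'se.integration', role: 'sn_se.scan_engine_admin' },
  { instance: 'prod', user: 'se.integration', role: 'sn_se.internal_rest_integration' },
];

// instances: every instance the integration user was imported to.
// updateSetScanInstances: instances where Update Set Scans is enabled.
function auditIntegrationUser(rows, user, instances, updateSetScanInstances = []) {
  const needsAdmin = new Set(updateSetScanInstances);
  return instances.map((instance) => {
    const held = new Set(
      rows.filter((r) => r.instance === instance && r.user === user).map((r) => r.role)
    );
    const required = needsAdmin.has(instance) ? [...REQUIRED_ROLES, 'admin'] : REQUIRED_ROLES;
    const missing = required.filter((role) => !held.has(role));
    // admin held where Update Set Scans is not enabled: flag it for review.
    const excess = held.has('admin') && !needsAdmin.has(instance) ? ['admin'] : [];
    return { instance, missing, excess, ok: missing.length === 0 && excess.length === 0 };
  });
}

// Stand-alone run over the constructed rows.
console.log(auditIntegrationUser(sampleRows, 'se.integration', ['dev', 'test', 'prod'], ['dev']));
```
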

    Platform notes

    Key Management Framework (KMF)
    KMF replaced the Glide Encryptor class for encrypting password_2 fields. KMF encryption is instance-specific: an encrypted value from one instance cannot be decrypted on another. Any Auth record that crosses an instance boundary requires a password re-entry on the receiving instance. If a pending Scan Engine scripting scope request is blocking authentication, it must be approved in the Key Management Framework module access policies before retrying.
    ECMAScript 2021 (ES12) mode
    For User Story integrations, enable ECMAScript 2021 (ES12) mode in Scan Engine Properties to use modern JavaScript syntax in field mapping scripts. Without this mode, only the application default JavaScript mode is available.