Scan Engine integrations

  • Release version: Australia
  • Updated March 12, 2026
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Scan Engine integrations

    Scan Engine integrates with multiple ServiceNow instances and external agile systems to streamline application governance and improve collaboration. It enables synchronization of technical debt definitions, management of exception reasons, creation of user stories directly from findings, and enforcement of deployment governance. These integrations help ServiceNow customers maintain consistent rule sets, approve exceptions efficiently, and track remediation tasks across environments.


    Key Features

    • Definitions integration: Synchronizes custom and overridden definitions between non-production and production instances to ensure consistent scanning rules across your instance stack.
    • Exception reason integration: Synchronizes exception reasons between instances, enabling approval or rejection of exceptions directly in production.
    • User story integration: Creates agile tasks or user stories from Scan Engine findings in ServiceNow, Jira, Azure DevOps, or other external systems, facilitating remediation tracking.
    • Deployment and synchronization integrations:
      • Update sets: Synchronizes update set scan summaries to production from integrated instances.
      • AES/AEMC: Automates governance of custom app deployments by validating deployment requests against admin-defined conditions and blocking non-compliant deployments.
    • Other integration type: Supports creating work items in any external system via custom scripts and basic authentication.

    Prerequisites and Setup

    • Create dedicated integration user accounts in development and production environments with required Scan Engine roles for secure authentication and communication.
    • Register all participating ServiceNow instances in the My SN Instances table, designating one as production.
    • Configure authentication using Basic or OAuth methods, with OAuth strongly recommended in production.
    • Validate instance connections using the Validate Connection action on each registered instance.

    Role Requirements

    • sn_se.scan_engine_admin: Full admin access for Scan Engine configuration, assigned to integration users on all instances.
    • sn_se.internal_rest_integration: Needed for REST communication between instances.
    • admin: Required for Update Set Scans integration.
    • Note: Scan Engine roles must be explicitly assigned as they are not inherited by the platform admin role.

    Platform Notes

    • Key Management Framework (KMF): Handles encryption of authentication credentials per instance, requiring password re-entry when crossing instance boundaries.
    • ECMAScript 2021 (ES12) mode: Enable in Scan Engine Properties to support modern JavaScript syntax in user story field mapping scripts.

    Practical Benefits for ServiceNow Customers

    • Maintain consistent scanning rules and governance policies across multiple ServiceNow instances.
    • Streamline approval workflows for exception reasons, reducing risk in production deployments.
    • Automate creation and tracking of remediation work items in familiar agile tools, improving collaboration and accountability.
    • Enforce deployment compliance automatically, preventing unauthorized or risky custom app releases.
    • Adapt integrations flexibly to external systems beyond ServiceNow using custom scripts.

    Scan Engine integrates with other ServiceNow instances and external agile systems to synchronize definitions, manage exception reasons, create user stories, and enforce governance over app deployments.

    Scan Engine can integrate with your other environments running Impact so that you can:

    • Compare technical debt across instances
    • Sync custom definitions across instances
    • Enable approvals for finding exceptions in production
    • Create user stories from findings

    The following integrations are available for the Scan Engine.

    Table 1. Scan Engine integrations
    Integration | Description
    Definitions integration | Allows users to synchronize definition overrides and custom definitions between non-production and production instances, ensuring that a consistent ruleset is applied throughout the instance stack.
    Exception reason integration |
    • Synchronizes exception reasons between non-production and production instances.
    • Facilitates the approval or rejection of exception reasons in the production environment.
    User story integration | Creates tasks for findings from a ServiceNow instance to:
    • ServiceNow production instance
    • Jira
    • Azure DevOps
    • Others
    Deployment and synchronization integrations |
    • Update sets: Synchronizes update set summary scans to the production instance from instances where this integration is enabled.
    • AES/AEMC: Provides automated governance for custom app deployments by validating deployment requests against admin-defined conditions before approval. When a developer submits a deployment request, the system automatically runs checks to ensure all required rules are met, blocking deployment if conditions fail.

    Prerequisites

    Most integrations share the same foundational setup. Complete the following before configuring any specific integration.

    Note:
    Azure DevOps and the Other integration type authenticate via Basic auth records and API tokens configured directly in Scan Engine Properties, as they do not use My SN Instances. AES/AEMC only requires one My SN Instances record to designate the production controller, with no Authentication Type set.

    Role requirements

    Role | Purpose | Where required
    sn_se.scan_engine_admin | Full admin access to Scan Engine configuration | Integration user on all instances
    sn_se.internal_rest_integration | Allows REST calls between instances | Integration user on all instances
    admin | Platform admin | Update Set Scans integration only
    Important:
    Neither Scan Engine role is inherited by the platform admin role. Always assign both roles explicitly on every instance the integration user is imported to.
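One way to check the role table above across an instance stack, as an added example that is not ServiceNow code. It assumes role grants have been exported per instance as rows modelled on sys_user_has_role; the instance inventory, the `updateSetScans` flag and the user name `svc_scan_engine` are hypothetical. Flagging admin where the Update Set Scans integration is off is an added least-privilege check.

```javascript
// Added example, not ServiceNow code. Role names come from the page's role table;
// the input shapes are assumptions made for this sketch.
const SCAN_ENGINE_ROLES = ['sn_se.scan_engine_admin', 'sn_se.internal_rest_integration'];

// instances: [{ name, updateSetScans }]  hypothetical inventory of the instance stack
// grants: [{ instance, user, role, inherited }]  modelled on sys_user_has_role rows
function auditIntegrationUser(instances, grants, userName) {
  const findings = [];
  for (const inst of instances) {
    const mine = grants.filter(g => g.instance === inst.name && g.user === userName);
    const held = new Set(mine.map(g => g.role));
    const explicit = new Set(mine.filter(g => !g.inherited).map(g => g.role));

    for (const role of SCAN_ENGINE_ROLES) {
      // admin never satisfies this check: it does not carry the Scan Engine roles.
      if (explicit.has(role)) continue;
      const issue = held.has(role) ? 'inherited-only' : 'missing';
      findings.push({ instance: inst.name, role, issue });
    }
    // admin is needed only where the Update Set Scans integration is enabled.
    if (inst.updateSetScans && !held.has('admin')) {
      findings.push({ instance: inst.name, role: 'admin', issue: 'missing' });
    } else if (!inst.updateSetScans && held.has('admin')) {
      findings.push({ instance: inst.name, role: 'admin', issue: 'not-required' });
    }
  }
  return findings;
}

// Constructed sample data: one integration user imported to three instances.
const USER = 'svc_scan_engine';
const sampleInstances = [
  { name: 'dev', updateSetScans: true },
  { name: 'test', updateSetScans: false },
  { name: 'prod', updateSetScans: false },
];
const grant = (instance, role, inherited = false) => ({ instance, user: USER, role, inherited });
const sampleGrants = [
  grant('dev', 'sn_se.scan_engine_admin'),
  grant('dev', 'sn_se.internal_rest_integration'),
  grant('dev', 'admin'),
  grant('test', 'admin'), // imported with admin only
  grant('prod', 'sn_se.scan_engine_admin'),
  grant('prod', 'sn_se.internal_rest_integration', true), // held via another role or group
];

const sampleFindings = auditIntegrationUser(sampleInstances, sampleGrants, USER);
for (const f of sampleFindings) console.log(`${f.instance}: ${f.role} ${f.issue}`);
```

An empty result means every instance carries both Scan Engine roles as direct grants and admin only where Update Set Scans needs it.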

    Platform notes

    Key Management Framework (KMF)
    KMF replaced the Glide Encryptor class for encrypting password_2 fields. KMF encryption is instance-specific — an encrypted value from one instance cannot be decrypted on another. Any auth record that crosses an instance boundary requires a password re-entry on the receiving instance. If a pending Scan Engine scripting scope request is blocking authentication, it must be approved in the Key Management Framework access policies before retrying.
    ECMAScript 2021 (ES12) mode
    For User Story integrations, enable ECMAScript 2021 (ES12) mode in Scan Engine Properties to use modern JavaScript syntax in field mapping scripts. Without this mode, only the application default JavaScript mode is available.