Proactive Code Check scan suite matrix for the Impact Store Application

Rversion finale: Australia

Mis à jour 12 mars 2026

15 minutes de lecture

Refer to the Proactive Code Check (PCC) scan suite matrix for details on the checks performed during a PCC scan.

Remarque :

Starting with Impact Zurich version 6.0.8 ServiceNow Store release, Proactive Code Check is being prepared for future deprecation. It will be hidden and no longer installed on new instances but will continue to be supported. For details, see the Deprecation Process [KB0867184] article in the Now Support Knowledge Base.

Scan suite matrix

Australia Impact

Proactive Code Check scan suite matrix for the Impact Store Application

Tableau 1. Proactive Code Check scan suite matrix
Category	Name	Short_description	Description
Performance	HSD0001049 Avoid Global UI Scripts	Avoid Global UI Scripts	Global UI scripts are loaded on every single page/form in ServiceNow even if the code within them is not called.
Manageability	HSD0001058 SCRIPT Scoped app uses logging utils or deprecated methods	Scoped app uses logging utils or deprecated method - gs.log	Scoped applications should use scoped logging APIs rather than legacy methods.
Manageability	HSD0001058 XML Scoped app uses logging utils or deprecated methods	Scoped app uses logging utils or deprecated method - gs.log	Scoped applications should use scoped logging APIs rather than legacy methods.
Performance	HSD0001116 Client Scripts should not be defined against the Global table	Client Scripts should not be defined against the Global table	A global client script is any client script where the selected Table is Global. Global client scripts have no table restrictions; therefore they will load on every page in the system introducing browser load delay in the process. There is no benefit to loading this kind of scripts on every page.
Performance	HSD0001126 SCRIPT Unnecessary dot walking to sys_id from current object	Unnecessary dot walking to sys_id from current object	Reference fields already store the Sys ID of the referenced record. Using gr.fieldname.sys_id is a dot-walk and instructs the platform to perform another query only to return the same value. This is an unnecessary overhead.
Performance	HSD0001126 XML Unnecessary dot walking to sys_id from current object	Unnecessary dot walking to sys_id from current object	Reference fields already store the Sys ID of the referenced record. Using gr.fieldname.sys_id is a dot-walk and instructs the platform to perform another query only to return the same value. This is an unnecessary overhead.
Performance	HSD0001128 SCRIPT Client-side code should not use synchronous AJAX methods	Client-side code should not use synchronous AJAX methods	Code that uses synchronous AJAX can possibly cause delays in processing UI events. It can be detrimental to performance and negatively impact user experience. Wherever possible, we should try to employ asynchronous AJAX.
Upgradability	HSD0001142 SCRIPT Client-side code should not use DOM manipulation technique	Client-side code should not use DOM manipulation technique	This customization technique gives a lot of control, but does frequently cause upgrade challenges. It is recommended not to use jQuery, PrototypeJS, gel and other techniques.
Manageability	HSD0001153 SCRIPT Hard coded instance URL	Hard coded instance URL	Raises a finding for hard coded instance URLs as their use can be detrimental to functionality across environments.
Manageability	HSD0001153 XML Hard coded instance URL	Hard coded instance URL	Raises a finding for hard coded instance URLs as their use can be detrimental to functionality across environments.
Manageability	HSD0001174 REST Scripted Web Services writing data directly	Scripted Web Services writing data directly	Scripted Web Services insert/update/delete data directly, whereas it is recommended to utilize Script Includes because it provides a structured and documented approach for managing data operations, ensuring consistency, security, and maintainability within the platform.
Manageability	HSD0001174 SOAP Scripted Web Services writing data directly	Scripted Web Services writing data directly	Scripted Web Services insert/update/delete data directly, whereas it is recommended to utilize Script Includes because it provides a structured and documented approach for managing data operations, ensuring consistency, security, and maintainability within the platform.
Security	HSD0001235 XML Avoid Dynamic JEXL Expressions inside Jelly tag	Avoid Dynamic JEXL Expressions inside Jelly tag	When writing Jelly code, avoid using dynamic JEXL expressions inside the Jelly tag (or <g2:evaluate> for phase two). While the code appears to work, it affects a memory resource (called PermGen) in the Java Virtual Machine, which can lead to performance issues and even system outages over time. The exception to using JEXL expressions inside <g:evaluate> tags is with static values, including: ${AMP}\, ${AND}, ${GT}, ${LT}, and ${SP} (and their phase two counterparts: $[AMP], $[AND], and so on).
Upgradability	HSD0001247 Use of deprecated API RESTMessage (V1)	Use of deprecated API RESTMessage (V1)	The API allowed to send outbound REST messages using JavaScript. However the version 1 of RESTMessage has been deprecated.
Manageability	HSD0001275 Scripts should not contain hard-coded IDs	Scripts should not contain hard-coded IDs	Hard coding sys_ids makes the system more difficult to manage, and less able to move functionality between instances.
Manageability	HSD0001278 Before Business Rules should not update() or insert() on other tables	Before Business Rules should not update() or insert() records on other tables	Running an insert() or update() in a onBefore BR will cause updates to other tables, even though the update may be cancelled.
Manageability	HSD0001281 getMessage() called in Client Script without preloading message key	getMessage() called in Client Script without preloading message key	getMessage used in a client script needs to have the message key added to the Messages field on the script record.
Manageability	HSD0001312 SCRIPT Avoid console.log() usage in code	Code should not contain the console.log() debugging method	The client-side function console.log could cause errors in certain browser versions. Furthermore, there is a good chance that what's being logged is information you would not want publicly exposed, and that persons with malicious intent could manipulate the script to reflect PII. It is never a good idea to go to production with console logging enabled. Console.log is invalid server side and therefore should not be there either.
Manageability	HSD0001312 XML Avoid console.log() usage in code	Code should not contain the console.log() debugging method	The client-side function console.log could cause errors in certain browser versions. Furthermore, there is a good chance that what's being logged is information you would not want publicly exposed, and that persons with malicious intent could manipulate the script to reflect PII. It is never a good idea to go to production with console logging enabled. Console.log is invalid server side and therefore should not be there either.
Performance	HSD0001338 Business Rules should not be defined on the Global table	Business Rules should not be defined on the Global table (Global Business Rule)	A Global Business Rule is any Business Rule where the selected table is Global. Any other script can call Global Business Rules. Global Business Rules have no condition or table restrictions and load on every page in the system.
Performance	HSD0001347 SCRIPT Client-side code should not use GlideRecord	Client-side code should not use GlideRecord	The client side GlideRecord object is often inefficent, because it returns lots of unecessary data. GlideRecord and g_form.getReference are both involved.
Performance	HSD0001358 SCRIPT Server-side code should not use GlideRecord.getRowCount()	Server-side code should not use GlideRecord.getRowCount() to count records	The GlideRecord.getRowCount() works by getting the whole result set without using the build-in arithmetic functions of the database. GlideAggregate does use the database, therefore is often drastically faster. The exception to this recommendation is if you intend to loop through the records and process them anyway.
Performance	HSD0001358 XML Server-side code should not use GlideRecord.getRowCount()	Server-side code should not use GlideRecord.getRowCount() to count records	The GlideRecord.getRowCount() works by getting the whole result set without using the build-in arithmetic functions of the database. GlideAggregate does use the database, therefore is often drastically faster. The exception to this recommendation is if you intend to loop through the records and process them anyway.
Manageability	HSD0001392 Scripts should not use the eval() method	Scripts should not use the eval() method	The eval() function evaluates or executes an argument. Improper use of eval() opens up your code for injection attacks and debugging can be more challenging, as no line numbers are displayed with an error.
Performance	HSD0001554a JDBC Data Srcs with "Use last run datetime" disabled for update sets	JDBC Data Sources should have the "Use last run datetime" option check	Repeatedly importing data that has not changed leads to many skipped rows and unnecessarily bounds system resources.
Performance	HSD0001560 Use 'track by' in ngRepeat loops	Use 'track by' in ngRepeat loops	When using the ngRepeat directive without a 'track by' clause, the DOM elements are destroyed and rebuilt every time the source data is updated. Adding a 'track by' clause with a unique key (such as a sys_id) allows the DOM elements to be reused rather than rebuilt, which significantly improves the performance of pages with large, complex lists.
Manageability	HSD0001578 Business Rules should not use the SOAP getResponse() method	Business Rules should not use the SOAP getResponse() method	getResponse blocks the transaction, waiting until a response is received. This is better done asynchronously.
Performance	HSD0001623 Read ACLs (Security rules) should not have GlideRecord/GlideAggregate	Read ACLs (Security rules) should not have GlideRecord/GlideAggregate	Read ACLs are frequently executed. Having complex database lookups can harm performance.
Security	HSD0002016 Server scripts in widgets should use GlideRecordSecure	Server scripts in widgets should use GlideRecordSecure instead of GlideRecord	The best practice should be that server scripts in widgets should use GlideRecordSecure rather than GlideRecord. This is to ensure that security ACLs are considered in all server interactions. To detect deviation from this, any instantiation of GlideRecord should be marked as a finding. Note that $sp.getRecord() currently returns a GlideRecord object. This call should actually return a GlideRecordSecure object to be as secure as possible. While that is a separate enhancement outside of the HealthScan tool, it does pose a challenge in that it will be harder for HealthScan to detect the use of the GlideRecord object returned by $sp.getRecord.
Performance	HSD0002144 Leverage c.server.get() for better widget performance	Leverage c.server.get() for better widget performance	On the client script, c.server.get() allows you to pass specific data to the server script. Doing this can have performance improvements over c.server.update(), which sends the entire data object.
Performance	HSD0002150 Remove unused services from widget client script.	Remove unused services from widget client script.	If injected services are not used in a widget's client controller script, consider removing them. Services which are injected and not used will be instantiated, which may have a performance impact. It is also good practice from a code readability perspective to only inject services that are required.
Performance	HSD0002154 Don't use $rootScope.$on in a widget's client script.	Don't use $rootScope.$on in a widget's client script.	$rootScope.$on should only be used in a service. Using event listeners on $rootScope in a widget's client controller script can cause memory leaks if the listeners are not manually destroyed. Every time a widget is loaded, the controller is initialized, and every listener initialized on the $rootScope will not be destroyed with the controller, unless done so manually. Services have no other alternative but to fire events on $rootScope, and the listen for events on $rootScope. This is because services are initialized once across the app and do not have their own scope. It is okay to use $rootScope.$on in a service.
Manageability	HSD0002808 Client Scripts without description	Client Scripts without description	Client Scripts where the description is either empty, very short or the same as the script name.
Manageability	HSD0002808 Script Includes without description	Script Includes without description	Script Includes where the description is either empty, very short or the same as the script name.
Manageability	HSD0002827 All events should have a description	All events should have a description	All custom events in the event registry should have the "description" field populated. This will ensure that the event's purpose is easily identifiable by administrators who did not create the registry entry and improve maintainability of the instance.
Manageability	HSD0002828 All events should have the "fired by" field populated	All events should have the "fired by" field populated	All custom events in the event registry should have the "fired_by" field populated. This will ensure that the event's trigger is easily identifiable by administrators who did not create the registry entry and improve maintainability of the instance.
Manageability	HSD0003076 Basic authentication credentials on SOAP Message definition	Basic authentication credentials on SOAP Message definition	Basic Authentication for outbound SOAP Messages should use Basic Auth Profiles instead of putting the credentials on the function definition itself.
Manageability	HSD0003081 Basic authentication credentials on REST Message definition	Basic authentication credentials on REST Message definition	Basic Authentication for outbound REST Messages should use Basic Auth Profiles instead of putting the credentials on the function definition itself.
Upgradability	HSD0003307 Change Request table should not be extended	Change Request table should not be extended	At least one child table extending Change Request has been created. Extending Change Request with custom child tables should not be done: To support a custom Change Request table a high amount of customization to the other ITSM processes is required New functionality in future releases might not work on extended tables or would require further customization
Manageability	HSD0003625 Business Rule script should be encapsulated in executeRule function	Script code in Business Rules should be encapsulated in the executeRule function	The code should check if there is any business rule that have some code that is not encapsulated in the executeRule function.