Auditor checks

  • Release version: Zurich
  • Updated July 31, 2025

    Use the Auditor suite in SecureCheck to detect misconfigurations that can impact the security posture of your instance.

    Check information

    Table 1. Access Controls Auditor checks
    Each entry lists the check name, its description, and the scan finding type.

    Check name: Identify out of date store apps
    Description: Identifies apps activated on your instance that have updated versions available. Verify that you're running the most up-to-date versions of store applications, which can include fixes for potential security issues.
    Scan finding type: Resolution Recommended

    Check name: Insecure GlideRecord calls
    Description: Identifies scripts that are directly invokable by end users (such as Client-Callable Script Includes, Widgets, Processors, and REST Endpoints). These scripts should respect ACLs and use GlideRecordSecure, or GlideRecord together with canRead, canWrite, canCreate, and canDelete.
    Scan finding type: Resolution Recommended

    Check name: Review allowed JavaScript libraries
    Description: Identifies scripts where JavaScript Content Access Control is used to allow or deny specific third-party JavaScript libraries. Review instance customizations to verify that libraries aren't in use before blocking access. The JavaScript Content Provider Access Tracking [sys_js_content_provider_access_tracking] table can be reviewed to see the last date that the library was accessed.
    Note: This check can be ignored in instances initially provisioned on Tokyo or later, because records on the associated table have deny rules set by default. In instances initially provisioned prior to Tokyo, there may be allow rules in the JavaScript Access Control tables.
    Scan finding type: Resolution Recommended

    Check name: Review client callable script includes with no corresponding ACL
    Description: Identifies client callable script includes that don't have a corresponding ACL. These scripts use the default ("*") client callable script include ACL. For these scripts, create ACLs that define the appropriate criteria for access, so that only expected users can interact with the functionality provided.
    Scan finding type: Resolution Recommended

    Check name: Review custom tables with record producers and no business rule
    Description: Identifies record producers that don't have additional server-side validation, that is, custom tables with a Record Producer but without an associated business rule. These may enable users to submit unexpected data into the associated table.
    Scan finding type: Resolution Recommended

    Check name: Review empty ACLs
    Description: Identifies ACL records that have no script, condition, security attribute, or role, or ACLs with the public role. Leaving ACLs empty or using the public role provides open access to any content protected by this ACL.
    Scan finding type: Resolution Recommended

    Check name: Review fields with HTML Sanitization disabled
    Description: Identifies HTML fields where HTML Sanitization is inactive. HTML sanitization removes or replaces potentially harmful elements and attributes within HTML code. Review HTML fields where sanitization is inactive to confirm whether this configuration is necessary.
    Scan finding type: Resolution Recommended

    Check name: Review inactive security feature plugins
    Description: Identifies plugins that aren't activated that provide additional, configurable security controls. The findings produced by this check are provided for informational purposes. Before enabling one of the identified plugins, verify that the plugin meets your use cases or requirements. You can mute these findings if you don't have a use case for the identified plugins.
    Scan finding type: Inform

    Check name: Review large allowed IP address ranges
    Description: Identifies IP Address Access Control ranges that contain a large number of IP addresses. Classless Inter-Domain Routing (CIDR) blocks contain more IP addresses as the prefix length decreases; for example, a CIDR block of size 8 (/8) contains more IP addresses than a CIDR block of size 16 (/16). Review and confirm that the current configuration aligns with your business needs.
    Note: If you're seeing a large number of false positives, consider adjusting the largestExpectedCIDRBlock variable for your specific business needs.
    Scan finding type: Review and Decide

    Check name: Review public GraphQL schemas
    Description: Identifies public GraphQL schemas in the GraphQL API [sys_graphql_schema] table. These schemas can be configured to be available without authentication. Depending on the endpoint's functionality, this may allow unauthenticated users to perform unexpected actions or interact with unexpected data.
    Scan finding type: Review and Decide

    Check name: Review public knowledge base articles
    Description: Identifies knowledge bases and knowledge base articles configured to allow access by unauthenticated users. Review and confirm that the current configuration aligns with your business needs.
    Scan finding type: Review and Decide

    Check name: Review public REST API endpoints
    Description: Identifies REST API endpoints in the Scripted REST Resource [sys_ws_operation] table that are configured to be available without authentication. Depending on the endpoint's functionality, this may allow unauthenticated users to perform unexpected actions or interact with unexpected data.
    Scan finding type: Review and Decide

    Check name: Review public Service Portal pages
    Description: Identifies Service Portal pages that are made public. Service Portal pages are made available to unauthenticated users by setting the "public" field to "true". Review and confirm that the current configuration aligns with your business needs.
    Scan finding type: Review and Decide

    Check name: Review public UI Pages
    Description: Identifies UI Pages that are made public. UI Pages can be made available to unauthenticated users using [sys_public]. Review and confirm that the current configuration aligns with your business needs.
    Scan finding type: Review and Decide

    Check name: Review roles that contain the 'admin' role
    Description: Identifies any roles (Roles [sys_user_role] table) that contain the admin role. The admin role grants users administrative privileges and should be used only when necessary. Review and confirm that the current configuration aligns with your business needs. If this is an intentional configuration, this check can be muted.
    Scan finding type: Review and Decide

    Check name: Review UI Pages without corresponding ACLs
    Description: Identifies UI Pages that don't have an ACL specific to that UI Page. UI Pages without a specific ACL default to a generic UI Page ACL, which may grant access to unintended users.
    Scan finding type: Resolution Recommended

    Check name: Review users with valid local passwords
    Description: Identifies users with locally set passwords. Users with local passwords may interact with the instance via APIs using the local credentials, even if local logins are disallowed. This password configuration is needed for integration user accounts to function correctly. Review these user accounts to verify that only intended users (such as integration accounts) can authenticate with local authentication.
    Scan finding type: Review and Decide

    Check name: Rotate passwords stored with outdated hashing algorithms
    Description: Identifies user accounts with passwords created in previous versions of the ServiceNow AI Platform, which may have used what is now considered a legacy or outdated hashing algorithm. Accounts created on old platform versions that haven't rotated their passwords may still have passwords stored with a legacy hashing algorithm. Review the identified accounts and consider password resets.
    Scan finding type: Resolution Recommended

    Check name: Securing record producers
    Description: Identifies insecure record producers. If record producers aren't assigned to appropriate roles, unauthorized users can access them, potentially revealing sensitive information. Assign appropriate roles to record producers to verify that they're accessible only to users that need them.
    Scan finding type: Resolution Recommended

    Check name: UI action visibility
    Description: Identifies UI actions that can be accessed by a user with no roles who doesn't have read access to the table. These users may be able to alter data on a table they don't have access to via these UI actions. Verify that UI actions are only available to users with access to the table they affect.
    Scan finding type: Resolution Recommended
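The following is an added example, not ServiceNow code, illustrating the "Insecure GlideRecord calls" check above. It models a table with a row-level read ACL in plain JavaScript (runnable under Node) and contrasts a client-callable function backed by an unsecured query with the two hardened forms the check asks for: a secured query that skips unreadable rows, and an unsecured query with an explicit canRead() check per row. The incident rows, users, ACL rule and the Query/SecureQuery classes are constructed for this example; they stand in for GlideRecord and GlideRecordSecure and are not the platform API.

```javascript
// Added example (not ServiceNow code): an in-memory model of a table with a
// row-level read ACL, used to contrast a client-callable function that returns
// rows from an unsecured query with the two hardened forms the "Insecure
// GlideRecord calls" check asks for. The table rows, users, ACL rule and the
// Query/SecureQuery classes are constructed for this example; they stand in for
// GlideRecord/GlideRecordSecure and are not the platform API.

// Constructed rows of a hypothetical incident table.
const INCIDENT_ROWS = [
  { sys_id: 'a1', number: 'INC0001', caller: 'alice', short_description: 'VPN down' },
  { sys_id: 'b2', number: 'INC0002', caller: 'bob',   short_description: 'Payroll export failed' },
  { sys_id: 'c3', number: 'INC0003', caller: 'alice', short_description: 'Laptop request' },
];

// Constructed users: a caller with no roles and a fulfiller with the itil role.
const USERS = {
  alice: { name: 'alice', roles: [] },
  carol: { name: 'carol', roles: ['itil'] },
};

// Constructed read ACL: itil users may read every row; others only rows they raised.
function aclCanRead(user, row) {
  return user.roles.includes('itil') || row.caller === user.name;
}

// Model of an unsecured query (like GlideRecord): next() walks every row and
// nothing evaluates the ACL unless the script calls canRead() itself.
class Query {
  constructor(rows, user) { this.rows = rows; this.user = user; this.i = -1; }
  next() { this.i += 1; return this.i < this.rows.length; }
  getValue(field) { return this.rows[this.i][field]; }
  canRead() { return aclCanRead(this.user, this.rows[this.i]); }
}

// Model of a secured query (like GlideRecordSecure): next() skips rows the
// current user may not read, so the calling script cannot forget the check.
class SecureQuery extends Query {
  next() {
    while (super.next()) {
      if (this.canRead()) return true;
    }
    return false;
  }
}

// Vulnerable pattern: a client-callable function backed by the unsecured query.
// A caller with no roles receives other callers' incident numbers.
function listIncidentsInsecure(user) {
  const q = new Query(INCIDENT_ROWS, user);
  const out = [];
  while (q.next()) out.push(q.getValue('number'));
  return out;
}

// Hardened pattern 1: the same function backed by the secured query.
function listIncidentsSecure(user) {
  const q = new SecureQuery(INCIDENT_ROWS, user);
  const out = [];
  while (q.next()) out.push(q.getValue('number'));
  return out;
}

// Hardened pattern 2: unsecured query plus an explicit canRead() per row.
function listIncidentsWithCheck(user) {
  const q = new Query(INCIDENT_ROWS, user);
  const out = [];
  while (q.next()) {
    if (q.canRead()) out.push(q.getValue('number'));
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('insecure, alice:', listIncidentsInsecure(USERS.alice));  // all three rows leak
  console.log('secure,   alice:', listIncidentsSecure(USERS.alice));    // INC0001, INC0003
  console.log('check,    alice:', listIncidentsWithCheck(USERS.alice)); // INC0001, INC0003
  console.log('secure,   carol:', listIncidentsSecure(USERS.carol));    // itil sees all three
}
```

The point the model makes is that the query layer itself enforces nothing: whichever of the two hardened forms is used, the ACL decision has to happen in the script path that end users can reach, and the secured-query form is the harder one to get wrong because the check cannot be omitted by accident.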
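The following is an added example, not ServiceNow code, for the "Review large allowed IP address ranges" check above. It shows how the CIDR arithmetic in that entry turns into a concrete test: each IP Address Access Control entry is converted to the number of IPv4 addresses it covers and flagged when that exceeds the size of one block at the largestExpectedCIDRBlock prefix length. The entry shape ({ name, value }), the support for start-end ranges alongside CIDR notation, and the sample entries are assumptions made for this example; it runs under Node and is not the check's actual implementation.

```javascript
// Added example (not ServiceNow code): estimate how many IPv4 addresses an
// IP Address Access Control entry covers and flag entries wider than an
// expected maximum CIDR block, mirroring the idea behind the "Review large
// allowed IP address ranges" check. The entry shape ({ name, value }) and the
// largestExpectedCIDRBlock threshold value are assumptions for this example.

// Convert dotted-quad IPv4 text to an unsigned integer (0 .. 2^32-1).
function ipv4ToInt(ip) {
  const parts = ip.trim().split('.');
  if (parts.length !== 4) throw new Error('bad IPv4 address: ' + ip);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d{1,3}$/.test(p) || n > 255) throw new Error('bad IPv4 octet: ' + p);
    return acc * 256 + n;
  }, 0);
}

// Number of addresses in an IPv4 CIDR block with the given prefix length.
// A shorter prefix means a larger block: /8 covers 2^24 addresses, /16 only 2^16.
function cidrAddressCount(prefixLen) {
  if (!Number.isInteger(prefixLen) || prefixLen < 0 || prefixLen > 32) {
    throw new Error('bad CIDR prefix length: ' + prefixLen);
  }
  return 2 ** (32 - prefixLen);
}

// Number of addresses covered by one entry. Accepts "a.b.c.d/n" (CIDR),
// "a.b.c.d-e.f.g.h" (inclusive range) or a single address.
function entryAddressCount(value) {
  const v = value.trim();
  if (v.includes('/')) {
    const [base, prefix] = v.split('/');
    ipv4ToInt(base);                                   // validate the base address
    if (!/^\d{1,2}$/.test(prefix)) throw new Error('bad CIDR prefix: ' + value);
    return cidrAddressCount(Number(prefix));
  }
  if (v.includes('-')) {
    const [start, end] = v.split('-').map(ipv4ToInt);
    if (end < start) throw new Error('range end precedes start: ' + value);
    return end - start + 1;
  }
  ipv4ToInt(v);
  return 1;
}

// Return entries covering more addresses than one /<largestExpectedCIDRBlock>
// block, each annotated with its address count. A longer prefix (e.g. 24)
// flags more entries; a shorter one (e.g. 8) flags fewer.
function findLargeRanges(entries, largestExpectedCIDRBlock) {
  const limit = cidrAddressCount(largestExpectedCIDRBlock);
  return entries
    .map(e => ({ name: e.name, value: e.value, addresses: entryAddressCount(e.value) }))
    .filter(e => e.addresses > limit);
}

// Constructed sample entries, not records from a real instance.
const SAMPLE_ENTRIES = [
  { name: 'Corporate office',  value: '203.0.113.0/24' },
  { name: 'Legacy partner',    value: '10.0.0.0/8' },
  { name: 'Build server',      value: '198.51.100.7' },
  { name: 'VPN pool',          value: '192.0.2.0-192.0.2.255' },
  { name: 'Misconfigured any', value: '0.0.0.0/0' },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const e of findLargeRanges(SAMPLE_ENTRIES, 16)) {
    console.log(e.name + ': ' + e.value + ' covers ' + e.addresses + ' addresses');
  }
}
```

With the threshold at 16 only the /8 and the /0 entries are reported; moving it to 25 also reports the two 256-address entries, which is the false-positive trade-off the entry's note describes.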