Content can be scanned in one of two ways:

  • manually, by selecting the space or a specific page to scan, or

  • automatically when new content is published, by enabling the “Scan new content automatically” toggle on the Security Scan page.

Only space administrators can access the space’s Security Scan page.

To view and trigger security scans, you need Space administer permissions. Navigate to the space you want to scan, then open the Security Scan tab.

The space’s scan status and all vulnerabilities found in the space will be displayed. You can select a page in the dropdown list to get the scan status and vulnerabilities list for that page.

Here, we see two vulnerabilities. For each of them, the specific text that matched the listed rule’s regex is highlighted in blue. The highlighted text is the group 0 match, that is, what the entire expression captured. For more information, see the Java 8 Regular Expression documentation.
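The group 0 behaviour described above, as an added example using java.util.regex (this is not the app's code or rule set; the rule names, patterns and sample page text are constructed for illustration). It shows that group 0 includes any context the expression matches, such as the keyword, and not only a capturing group.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class GroupZeroDemo {
    // Hypothetical rules written for this example; not the app's built-in rules.
    static final Map<String, Pattern> RULES = new LinkedHashMap<>();
    static {
        // Group 0 spans keyword, separator and value; group 1 is the value only.
        RULES.put("password-assignment",
                Pattern.compile("(?i)password\\s*[:=]\\s*(\\S+)"));
        // A fixed-length lookbehind keeps the keyword out of group 0.
        RULES.put("password-value-only",
                Pattern.compile("(?i)(?<=password=)\\S+"));
    }

    // Returns one line per match: rule name, group 0 offsets and group 0 text.
    static List<String> scan(String body) {
        List<String> findings = new ArrayList<>();
        for (Map.Entry<String, Pattern> rule : RULES.entrySet()) {
            Matcher m = rule.getValue().matcher(body);
            while (m.find()) {
                // m.group() is m.group(0): the text the whole expression matched.
                String line = String.format("%s [%d,%d) group0=\"%s\"",
                        rule.getKey(), m.start(), m.end(), m.group());
                if (m.groupCount() >= 1) {
                    line += " group1=\"" + m.group(1) + "\"";
                }
                findings.add(line);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample page body; the value is a placeholder, not a real secret.
        String body = "Deploy notes: set password=Example-Not-Real1 in app.properties.";
        scan(body).forEach(System.out::println);
    }
}
```

The first rule's group 0 covers the whole `password=...` assignment, while the second rule's group 0 is the value alone, so the same finding would be highlighted with a different span depending on how the rule is written.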

What is scanned for vulnerabilities?

| Content                     | Scanned |
|-----------------------------|---------|
| Page body                   | Yes     |
| Blog posts                  | Yes     |
| Attachments                 | No      |
| Comments (including inline) | No      |
| Drafts                      | No      |

A space scan covers the latest version of each page. Older versions can be scanned manually by selecting the page and the page version you want to scan, then pressing the Scan Page button.