Currently, Security for Confluence scans:

  • pages

  • blog posts

Note that comments, drafts, and macro bodies are not yet scanned.

Permissions

Due to Confluence Cloud’s permissions model, Security for Confluence can only scan pages which it has permission to read. By default, Security for Confluence has read permissions for all spaces.

Permissions aren’t customizable in Confluence Cloud’s free plan. See this page for more information.

This means:

  • If Security for Confluence’s read permissions for a space are explicitly removed, that space will no longer be able to be scanned.

  • If a page’s viewing is restricted such that Security for Confluence cannot view it, it will not be scanned when a Space Scan is run, nor will it be selectable in the Scan Report.

    A Confluence page with viewing and editing restrictions.

    A Confluence page with viewing and editing restrictions.

  • If space scan has findings, but then the page is restricted, the Security for Confluence scan report will not be able to display the finding. Security for Confluence does not store any potentially sensitive content.

Space administrators can audit for pages which have restrictions which might prevent Security for Confluence from scanning them, and change those restrictions, by going to Space Settings > Manage Pages > Restricted.

The space administrator restricted pages view.

The space administrator restricted pages view.

Site Administrators on Confluence Cloud Premium & Enterprise plans can use an admin key to temporarily view restricted content without changing the restrictions. See this page for more information.