FAQ-000918 - External Service Security Testing / Scan Configuration and Setup

Current Status: VALID_RESPONSE

Current FAQ

Question
Can I limit security scans to specific URLs rather than crawling entire applications or domains?
Answer
Yes, an external security scan can be scoped to a specific URL instead of the entire domain for managed packages. You can limit security scans to specific URLs rather than crawling entire applications. Ensure that the specific URL is relevant to the security review and falls within the defined testing scope. Additionally, obtain permissions from third parties owning the external endpoints before performing the security testing.

AI Recommended Enhancement

Related Security Rules
ApexInsecureEndpoint
Question
Can I limit security scans to specific URLs rather than crawling entire applications or domains?
Recommended Answer Update
Yes, you can limit external security scans to specific URLs rather than crawling entire applications or domains for managed packages. When scoping scans to specific URLs, ensure they're relevant to the security review and fall within the defined testing scope. Additionally, obtain permissions from third parties owning the external endpoints before performing security testing.
Reasoning
The original answer was unnecessarily repetitive, stating the same concept twice in different ways ('Yes, an external security scan can be scoped to a specific URL instead of the entire domain' followed by 'You can limit security scans to specific URLs rather than crawling entire applications'). The recommended update removes this redundancy while preserving all key information: confirmation that URL-specific scans are possible, the requirement that the URL be relevant to the security review, staying within the defined testing scope, and obtaining third-party permission. The structure and level of detail remain the same, with improved clarity and flow.

For the related security rule ApexInsecureEndpoint: the rule is relevant because the FAQ concerns external security scanning of URL endpoints. ApexInsecureEndpoint is a static-analysis rule that flags Apex callouts whose endpoint is a plain http:// URL rather than https://. An external scan tests the running service at a given URL, while the rule checks the package's source code; together they cover both sides of the same requirement, that every external endpoint the package calls is reached over TLS. When a scan is scoped to specific URLs, the Apex code that calls those same URLs should be checked against this rule as well.
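The following Apex class is an added illustration of what ApexInsecureEndpoint flags and how the callout is normally hardened; it is not code from the FAQ or from any package under review. The host partner.example.com, the Named Credential Partner_API and the order-status path are assumed placeholders.

```apex
// Added example, not from the FAQ: one callout that ApexInsecureEndpoint flags,
// beside a hardened version of the same request. Host, path and Named Credential
// name are placeholders chosen for the example.
public with sharing class PartnerStatusClient {

    public class PartnerApiException extends Exception {}

    // Flagged by ApexInsecureEndpoint: the endpoint is plain http://, so the request
    // (including the order id) and the response cross the network unencrypted.
    public static HttpResponse fetchStatusInsecure(String orderId) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://partner.example.com/api/orders/' + orderId); // rule fires on this literal
        req.setMethod('GET');
        return new Http().send(req);
    }

    // Hardened: the callout goes through a Named Credential ('Partner_API', assumed to be
    // configured with the URL https://partner.example.com), so the code carries no literal
    // host and no credentials, and the endpoint is https. Path input is URL-encoded,
    // a timeout is set, and non-200 responses are surfaced instead of silently returned.
    public static HttpResponse fetchStatus(String orderId) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Partner_API/api/orders/' + EncodingUtil.urlEncode(orderId, 'UTF-8'));
        req.setMethod('GET');
        req.setTimeout(10000);
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            throw new PartnerApiException('Partner API returned HTTP ' + res.getStatusCode());
        }
        return res;
    }
}
```

The hardened version is only as secure as the Named Credential it points at, so the https:// URL configured there is what a reviewer should verify. That URL is also exactly the kind of specific external endpoint that would be listed in a scoped scan under the FAQ above, and for which the third party that owns it must grant permission before it is tested.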