FAQ-000927 - External Service Security Testing / Scan Report Issues and Requirements

Question
How should I document the results of an external scan for the security review team?
Answer
To document the results of an external scan for the security review team, follow these steps:

1. **Scan Reports**: Include up-to-date scan reports from tools such as ZAP or Burp Suite, generated against the version you are submitting and covering every external endpoint in your solution. A report that covers only some hosts or paths will not satisfy the review.
2. **False Positives Documentation**: If the scan results contain false positives, document them using the False Positive Documentation template. For each flagged issue, provide:
   - **Location**: Where the issue was reported, that is, the endpoint the scanner flagged and the code location that handles it.
   - **Explanation**: A specific rationale for why the flagged code or behaviour does not pose a security risk. Explain why it is a false positive rather than only asserting that it is one.
3. **Additional Details**: Add any special use cases, circumstances, or exceptions that clarify the context of the flagged issues.
4. **Submission**: Upload the scan reports and the false-positive documentation (if applicable) to the AppExchange Partner Console as part of your security review submission.

Make sure all documentation is clear and complete so the reviewers can match each finding to either a fix or a documented rationale without coming back to you.
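Before uploading, it is worth checking mechanically that the report covers every declared external endpoint and that every remaining alert is either fixed or has a false-positive entry with both a location and an explanation. The script below is an added example and is not Salesforce, AppExchange or ZAP code. The embedded report is a constructed sample that follows the field names of ZAP's traditional JSON report (`site` -> `alerts` -> `instances`); the hosts, paths, alerts and false-positive register are made up for illustration, and the endpoint inventory format is an assumption of this example.

```python
"""Cross-check a ZAP JSON report against an endpoint inventory and a
false-positive register before submitting them for security review.

Added example, not project code. SAMPLE_REPORT is a constructed sample
shaped like ZAP's traditional JSON report; all data in it is made up.
"""
import json
from urllib.parse import urlsplit

# Constructed ZAP-style JSON report: two scanned sites, three alerts.
SAMPLE_REPORT = json.dumps({
    "@version": "2.14.0",
    "site": [
        {"@name": "https://api.example.test", "@host": "api.example.test",
         "alerts": [
             {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
              "riskcode": "2", "confidence": "2",
              "instances": [{"uri": "https://api.example.test/v1/health", "method": "GET", "param": ""}]},
             {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
              "riskcode": "3", "confidence": "2",
              "instances": [{"uri": "https://api.example.test/v1/search", "method": "GET", "param": "q"}]},
         ]},
        {"@name": "https://auth.example.test", "@host": "auth.example.test",
         "alerts": [
             {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
              "riskcode": "1", "confidence": "2",
              "instances": [{"uri": "https://auth.example.test/login", "method": "GET", "param": ""}]},
         ]},
    ],
})

# Constructed inventory of the external endpoints the solution exposes.
DECLARED_ENDPOINTS = [
    "https://api.example.test/v1/health",
    "https://api.example.test/v1/search",
    "https://auth.example.test/login",
    "https://files.example.test/upload",  # never scanned: a coverage gap
]

# Constructed false-positive register: one entry per flagged issue, with the
# location and explanation the template asks for.
FALSE_POSITIVES = [
    {"pluginid": "10038", "uri": "https://api.example.test/v1/health",
     "location": "api/health_handler.py:12 (returns JSON only, never renders HTML)",
     "explanation": "The endpoint emits application/json and no markup, so a CSP "
                    "header has nothing to restrict here."},
]


def uncovered_endpoints(report, declared):
    """Declared endpoints whose origin never appears as a scanned site.

    The JSON report lists alerts, not every crawled URL, so coverage can only
    be checked at the origin level here; keep the spider/scan URL export if
    you need per-URL evidence.
    """
    scanned = {site["@name"].rstrip("/") for site in report.get("site", [])}
    def origin(u):
        p = urlsplit(u)
        return f"{p.scheme}://{p.netloc}"
    return sorted(u for u in declared if origin(u) not in scanned)


def undocumented_alerts(report, register, min_risk=1):
    """Alert instances at or above min_risk (1 Low, 2 Medium, 3 High) that have
    no complete false-positive entry keyed by (pluginid, uri). Each tuple is a
    finding that still needs a fix or a documented rationale."""
    documented = {(fp["pluginid"], fp["uri"]) for fp in register
                  if fp.get("location") and fp.get("explanation")}
    open_findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            if int(alert["riskcode"]) < min_risk:
                continue
            for inst in alert.get("instances", []):
                if (alert["pluginid"], inst["uri"]) not in documented:
                    open_findings.append((alert["pluginid"], alert["alert"],
                                          inst["uri"], inst.get("param", "")))
    return open_findings


def review_summary(report_text, declared, register, min_risk=1):
    """Parse the report text and return both checks in one dict."""
    report = json.loads(report_text)
    return {"uncovered_endpoints": uncovered_endpoints(report, declared),
            "undocumented_alerts": undocumented_alerts(report, register, min_risk)}


if __name__ == "__main__":
    summary = review_summary(SAMPLE_REPORT, DECLARED_ENDPOINTS, FALSE_POSITIVES)
    for u in summary["uncovered_endpoints"]:
        print("NOT SCANNED:", u)
    for pid, name, uri, param in summary["undocumented_alerts"]:
        print(f"OPEN [{pid}] {name} at {uri} param={param or '-'}")
```

Run against the sample, the script reports `https://files.example.test/upload` as never scanned and leaves two alerts open (the reflected XSS on `/v1/search` and the missing `X-Content-Type-Options` on `/login`), while the CSP alert on `/v1/health` is matched by its register entry. Entries in the register that lack either a location or an explanation are deliberately not counted as documented, mirroring what the template requires.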