FAQ-000929 - External Service Security Testing / Scan Report Issues and Requirements


Current FAQ

Question
What should I do if my external web application scan report includes a warning that the scan was incomplete?
Answer
If your external web application scan report includes a warning that the scan was incomplete, follow these steps:

1. **Document the Issue**: Provide detailed documentation about the incomplete scan and include it in your submission.
2. **Open a Support Case**: Submit a case on the support portal, explaining the issue with the scan progress.
3. **Request an Exception**: Based on the details you provide, you may be granted a one-time exception to proceed with the security review.
4. **Try Alternative Tools**: Consider using other scanning tools like ZAP or Burp to complete the scan.
5. **Use an Appropriate Environment**: Ensure the scan is conducted in a suitable environment, such as a staging environment, rather than production.

These steps will help address the issue and move forward with the security review process.

AI Recommended Enhancement

Question
What should I do if my external web application scan report includes a warning that the scan was incomplete?
Recommended Answer Update
If your external web application scan report includes a warning that the scan was incomplete, follow these steps:

1. **Document the Issue**: Provide detailed documentation about the incomplete scan and include it in your submission.
2. **Open a Support Case**: Submit a case on the support portal, explaining the issue with the scan progress.
3. **Request an Exception**: Based on the details you provide, you may be granted a one-time exception to proceed with the security review.
4. **Try Alternative Tools**: Consider using other scanning tools like OWASP ZAP or Burp Suite to complete the scan.
5. **Use an Appropriate Environment**: Ensure the scan is conducted in a suitable environment, such as a staging environment, rather than production.

These steps will help address the issue and move forward with the security review process.
Reasoning
The FAQ content is procedurally accurate and provides appropriate guidance for handling incomplete external web application scans during the AppExchange security review process. I made one minor improvement to enhance clarity: changing 'ZAP or Burp' to 'OWASP ZAP or Burp Suite' to provide the full, proper names of these security scanning tools, making it clearer for users who may not be familiar with the abbreviations. Regarding security rules, this FAQ is purely procedural and focuses on administrative steps for handling scan report issues during the security review process. It doesn't contain any code examples, security implementation guidance, or technical content that would relate to the available security scanner rules. The rules in the provided list are all focused on detecting security vulnerabilities in code (Apex, JavaScript, Flow, etc.), while this FAQ deals with the procedural aspects of what to do when external scanning tools fail to complete their scans. Therefore, no security rules are directly applicable to this content.