FAQ-000937 - External Service Security Testing / Scanning Tool Troubleshooting


Current FAQ

Question
What should I do if the required web application vulnerability scanner fails to run against my external endpoints?
Answer
If the required web application vulnerability scanner fails to run against your external endpoints, you should:

1. Use an alternative scanner such as OWASP ZAP, Burp Suite, HCL AppScan, or WebInspect.
2. File a support ticket to report the issue with the scanner so the relevant team (e.g., SR Ops) can investigate.
3. Perform the necessary scans using the alternative tool and include the reports in your submission.

If the required security scanner will not run against an external service's endpoint, you can use an alternative tool like OWASP ZAP, as long as you either own the external integration service or have permission from the service owner to perform the scan. Make sure to document the use of the alternative tool and any findings properly to align with the security review process.
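The answer above describes a process rather than a tool invocation. As an added example (not part of this FAQ and not OWASP or ZAP project code), the following POSIX shell script shows how a team might enforce the "you own it or have the owner's permission" condition before running an OWASP ZAP baseline scan from the official Docker image, and how to write a small evidence manifest recording the alternative tool, the authorization basis and the support ticket filed against the required scanner, so the report can be included in the submission with its provenance. The allowlist entries, file names and ticket value are constructed placeholders; `DRY_RUN=1` prints the scan command instead of running it.

```shell
#!/bin/sh
# Added example, not part of the FAQ: gate an OWASP ZAP baseline scan behind an
# explicit ownership/permission record and document it for the security review.
set -eu

# Constructed allowlist: one line per endpoint this team owns or has written
# permission to scan. Format: <url> <authorization-reference>
AUTHORIZED_TARGETS="https://api.example.com owner
https://partner.example.org permission-letter-PLACEHOLDER"

# Return 0 if the target URL appears in the allowlist, 1 otherwise.
is_authorized() {
  target="$1"
  printf '%s\n' "$AUTHORIZED_TARGETS" |
    awk -v t="$target" '$1 == t { found = 1 } END { exit !found }'
}

# Compose the baseline scan invocation using the official zaproxy image and the
# documented zap-baseline.py entry point (-t target, -r HTML report). The current
# directory is mounted at /zap/wrk so the report is written back to the host.
zap_command() {
  target="$1"; report="$2"
  printf 'docker run --rm -v "%s:/zap/wrk:rw" -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t %s -r %s\n' \
    "$PWD" "$target" "$report"
}

# Write the evidence manifest that accompanies the report in the submission:
# which alternative tool was used, why scanning was authorized, and which
# ticket tracks the failure of the required scanner.
write_manifest() {
  target="$1"; report="$2"; ticket="$3"; out="$4"
  auth_ref=$(printf '%s\n' "$AUTHORIZED_TARGETS" | awk -v t="$target" '$1 == t { print $2 }')
  {
    echo "tool: OWASP ZAP baseline (alternative to required scanner)"
    echo "target: $target"
    echo "authorization: $auth_ref"
    echo "scanner_issue_ticket: $ticket"
    echo "report: $report"
    echo "scanned_at: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
  } > "$out"
}

# Driver: refuses any target not on the allowlist, then scans and documents.
# Usage: DRY_RUN=1 ./scan.sh https://api.example.com SR-TICKET-PLACEHOLDER
run_scan() {
  target="$1"; ticket="${2:-TICKET-PLACEHOLDER}"
  if ! is_authorized "$target"; then
    echo "refusing to scan $target: not owned and no recorded permission" >&2
    return 1
  fi
  report="zap-baseline-$(printf '%s' "$target" | sed 's#[^A-Za-z0-9]#_#g').html"
  cmd=$(zap_command "$target" "$report")
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$cmd"
  else
    eval "$cmd"
  fi
  write_manifest "$target" "$report" "$ticket" "${report%.html}.manifest.txt"
}

if [ $# -gt 0 ]; then
  run_scan "$@"
fi
```

The allowlist is deliberately a static record rather than a DNS or WHOIS lookup: the review process asks for proof that you own the service or hold the owner's permission, and a committed file with an authorization reference per endpoint is the artifact a reviewer can check.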
AI Recommended Enhancement

Related Security Rules
ApexInsecureEndpoint
Question
What should I do if the required web application vulnerability scanner fails to run against my external endpoints?
Recommended Answer Update
If the required web application vulnerability scanner fails to run against your external endpoints, you should:

1. Use an alternative scanner such as OWASP ZAP, Burp Suite, HCL AppScan, or WebInspect.
2. File a support ticket to report the issue with the scanner so the relevant team (e.g., SR Ops) can investigate.
3. Perform the necessary scans using the alternative tool and include the reports in your submission.

If the required security scanner won't run against an external service's endpoint, you can use an alternative tool like OWASP ZAP, as long as you either own the external integration service or have permission from the service owner to perform the scan. Make sure to document the use of the alternative tool and any findings properly to align with the security review process.
Reasoning
The FAQ content is well-structured and accurate. I made a minor clarification change from 'will not run' to 'won't run' to align with the conversational tone guidelines, making the text more natural while preserving all existing information and structure. Regarding security rule selection: I selected ApexInsecureEndpoint because this FAQ specifically discusses scanning external endpoints for security vulnerabilities. The ApexInsecureEndpoint rule detects when Apex code makes HTTP callouts to insecure endpoints, which directly relates to the FAQ's focus on 'external endpoints' that need vulnerability scanning. The FAQ discusses using vulnerability scanners like OWASP ZAP and Burp Suite against 'external endpoints' and 'external service's endpoint', which aligns with this rule's purpose of identifying insecure endpoint usage in Apex applications.