This article answers some Frequently Asked Questions (FAQ) about the Adobe Commerce Security Scan Tool.
The Security Scan Tool is a free tool available to our merchants, developers, and the personnel they designate as responsible, to monitor their sites for security risks. It can proactively and efficiently detect malware on merchant stores and notify merchants if there are any security risks, malware, or threats.
Yes, the Security Scan Tool is available to all Adobe Commerce and Magento Open Source merchants.
No. When requesting a scan, a merchant ties their site to their Adobe Commerce account via a token. The token is unique per site.
The Security Scan Tool is designed to scan for vulnerabilities on Adobe Commerce domains. Scanning non-Adobe Commerce pages for vulnerabilities using the Security Scan Tool can lead to unreliable results. We strongly recommend that merchants not use the Security Scan Tool to scan pages generated by other, non-Adobe Commerce platforms.
Merchants cannot exclude specific security tests from Security Scan Tool scans for Adobe Commerce. Each Security Scan Tool security test is written to assist merchants in identifying security risks, malware, and threats.
The Security Scan Tool is free. Merchants must accept a legal disclaimer that absolves Adobe Commerce of liability based on the results of the security scan or their site’s configuration.
The Security Scan Tool is web-based and accessed from the merchant’s online Adobe Commerce account (account.magento.com). The security scan operates over both HTTP and HTTPS. It checks for known security issues and identifies missing Adobe Commerce patches and updates.
We recommend that merchants investigate all failed scans and take appropriate steps to resolve the issues. If, after investigation, a scan result appears to be a false positive, we ask the merchant to notify Adobe so that appropriate action can be taken.
To submit a false positive report, open a ticket with Adobe Commerce merchant support so that we can evaluate the false positive, make necessary changes, and/or provide recommendations to avoid seeing such notifications in the future. Merchants can also report a false positive by emailing us at firstname.lastname@example.org.