Security scan

The enhanced security scan allows you to monitor each of your Adobe Commerce and Magento Open Source sites, including PWA, for known security risks and malware, and to receive patch updates and security notifications.

  • Gain insight into the real-time security status of your store.
  • Receive suggestions based on best practices to help resolve issues.
  • Schedule security scan to run weekly, daily, or on demand.
  • Run over 21,000 security tests to help identify potential malware.
  • Access historical security reports that track and monitor the progress of your sites.
  • Access the scan report that shows successful and failed checks, with any recommended actions.

The Security scan tool is available for free from the dashboard of your Commerce/Magento account. For technical information, see Set up the Security Scan Tool in the Commerce on Cloud Infrastructure Guide.

Security scan tool

Run a security scan

  1. From the Commerce home page, sign in to your Commerce/Magento account.

  2. Review and accept the terms for using the Security scan tool.

    • In the left panel, choose Security Scan.
    • Click Go to Security Scan.
    • Read the Terms and Conditions.
    • Click Agree to continue.
  3. On the Monitored Websites page, click +Add Site.

    If you have multiple sites with different domains, configure a separate scan for each domain.

    Monitored Sites {width="600" modal="regular"}

  4. To verify your ownership of the site domain by adding a confirmation code, do one of the following:

    Commerce storefront:

    • Enter the Site URL and Site Name.

    • Click Generate Confirmation Code.

    • Click Copy to copy your confirmation code to the clipboard.

      Generate Confirmation Code {width="400" modal="regular"}

    • Log in to the Admin of your store as a user with full administrator privileges and do the following:

      • In the Admin sidebar, go to Content > Design > Configuration.

      • Find your site in the list, and click Edit.

      • Expand Expansion selector the HTML Head section.

      • Scroll down to Scripts and Style Sheets and click in the text box at the end of any existing code and paste the confirmation code into the text box.

        Scripts and Style Sheets {width="600" modal="regular"}

      • When complete, click Save Configuration.

    PWA storefront:

    • Enter the Site URL and Site Name.

    • For Confirmation Code, choose the META Tag option and then click Generate Code.

    • Click Copy to copy the generated confirmation code META Tag to the clipboard.

      Generate Confirmation Code {width="400" modal="regular"}

    • Go to the PWA Studio storefront project directory and do the following:

      • Under the PWA Studio project directory, go to packages > venia-concept > template.html.

      • Add the copied confirmation code (the generated META Tag) to the HTML head and save the changes.

        Copy Confirmation Code {width="600" modal="regular"}

      • Go back to the PWA Studio CLI, and use yarn to install project dependencies and run the project build command.

        code language-sh
        yarn install &&
        yarn build
      • In your Cloud project, create a pwa folder and copy the content inside your storefront project’s dist folder.

        code language-sh
        mkdir pwa && cp -r <path to your storefront project>/dist/* pwa
      • Use the Git CLI tool to stage, commit, and push these changes to your Cloud project.

        code language-sh
        git add . &&
        git commit -m "Added storefront file bundles" &&
        git push origin

        After the build process completes, the changes will be deployed to your PWA store front.

  5. Return to the Security Scan page in your Commerce account, and click Verify Confirmation Code to establish ownership of the domain.

  6. After a successful confirmation, configure the Set Automatic Security Scan options for one of the following types:

    Scan Weekly (recommended):

    • Choose the Week Day, Time, and Time Zone that the scan is to take place each week.

    • By default, the scan is scheduled to begin each week at midnight Saturday, UTC, and continue through early Sunday.

      Scan Weekly {width="500" modal="regular"}

    Scan Daily:

    • Choose the Time, and Time Zone that the scan is to take place each day.

    • By default, the scan is scheduled to begin each day at midnight, UTC.

      Scan Daily {width="500" modal="regular"}

  7. Enter the Email Address where you want to receive notifications of completed scans and security updates.

    Email Address {width="400" modal="regular"}

  8. When complete, click Submit.

    After the ownership of the domain is verified, the site appears in the Monitored Websites list of your Commerce account.

  9. If you have multiple websites with different domains, repeat this process to set up a security scan for each.