Security scan

The Adobe Commerce Security Scan Tool provides free security monitoring for your Adobe Commerce and Magento Open Source sites. The tool operates as a web-based service that you can access through your online Adobe Commerce account at account.magento.com.

(Screenshot: Security Scan Tool)

NOTE
Adobe provides this service at no cost, though merchants must accept terms that limit Adobe’s liability based on scan results and site configuration.

Scan coverage

The Security Scan Tool operates over both HTTP and HTTPS protocols to detect malware, identify security vulnerabilities, and help you maintain the security posture of your store. The tool is available to all merchants, developers, and designated personnel responsible for site security.

The Security Scan Tool provides comprehensive security monitoring capabilities that help you maintain a secure store environment:

  • Gain insight into the real-time security status of your store.
  • Receive suggestions based on best practices to help resolve issues.
  • Schedule a security scan to run weekly, daily, or on demand.
  • Run over 21,000 security tests to help identify potential malware.
  • Access historical security reports that track and monitor the progress of your sites.
  • Access the scan report that shows successful and failed checks, with any recommended actions.

NOTE
You cannot exclude specific security tests from Security Scan Tool scans for Adobe Commerce. However, you can mark individual failed checks as false positives yourself, as described under Manage scan failures, which removes them from the risk score.

Access

The Security Scan Tool maintains strict access controls to protect your site information. Only the account that has proved ownership of a domain can scan it: the tool requires verification of domain ownership through your Adobe Commerce account, and each site is tied to your account through a unique token, which prevents third parties from scanning your site.

The tool focuses specifically on Adobe Commerce domains and their security vulnerabilities. While your webstore may include pages from other platforms, the Security Scan Tool should only scan Adobe Commerce-generated content to ensure reliable results. Scanning non-Adobe Commerce pages may produce unreliable vulnerability assessments.

Run a scan

The scanning process checks your site against known security issues and identifies missing Adobe Commerce patches and updates that could leave your store vulnerable to attacks.

TIP
For Commerce on cloud infrastructure projects, see Set up the Security Scan Tool.

To run a scan:

  1. From the Commerce home page, sign in to your Commerce/Magento account.

  2. Review and accept the terms for using the Security Scan Tool.

    1. In the left panel, choose Security Scan.
    2. Click Go to Security Scan.
    3. Read the Terms and Conditions.
    4. Click Agree to continue.
  3. On the Monitored Websites page, click +Add Site.

    If you have multiple sites with different domains, configure a separate scan for each domain.

    (Screenshot: Monitored Sites)

  4. To verify your ownership of the site domain by adding a confirmation code, do one of the following:

    Commerce storefront:

    1. Enter the Site URL and Site Name.

    2. Click Generate Confirmation Code.

    3. Click Copy to copy your confirmation code to the clipboard.

      (Screenshot: Generate Confirmation Code)

    4. Log in to the Admin of your store as a user with full administrator privileges and do the following:

      1. In the Admin sidebar, go to Content > Design > Configuration.

      2. Find your site in the list, and click Edit.

      3. Expand the HTML Head section.

      4. Scroll down to Scripts and Style Sheets and click in the text box at the end of any existing code. Paste the confirmation code into the text box.

        (Screenshot: Scripts and Style Sheets)

      5. When complete, click Save Configuration.

    PWA storefront:

    1. Enter the Site URL and Site Name.

    2. For Confirmation Code, choose the META Tag option and then click Generate Code.

    3. Click Copy to copy the generated confirmation code META Tag to the clipboard.

      (Screenshot: Generate Confirmation Code)

    4. Go to the PWA Studio storefront project directory and do the following:

      1. Under the PWA Studio project directory, go to packages > venia-concept > template.html.

      2. Add the copied confirmation code (the generated META Tag) to the HTML head and save the changes.

        (Screenshot: Copy Confirmation Code)

      3. Go back to the PWA Studio CLI, and use yarn to install project dependencies and run the project build command.

        ```sh
        yarn install &&
        yarn build
        ```
      4. In your Cloud project, create a pwa folder and copy the content inside your storefront project’s dist folder.

        ```sh
        # Run from the root of your Cloud project. <storefront-project> is the
        # path to the PWA Studio storefront project you just built; the dist
        # folder lives inside that project, not at the filesystem root.
        mkdir pwa && cp -r <storefront-project>/dist/* pwa/
        ```
      5. Use the Git CLI tool to stage, commit, and push these changes to your Cloud project.

        ```sh
        git add . &&
        git commit -m "Added storefront file bundles" &&
        git push origin
        ```

        After the build process completes, the changes will be deployed to your PWA store front.

  5. Return to the Security Scan page in your Commerce account, and click Verify Confirmation Code to establish ownership of the domain.

  6. After a successful confirmation, configure the Set Automatic Security Scan options for one of the following types:

    Scan Weekly (recommended):

    Choose the Week Day, Time, and Time Zone that the scan is to take place each week.

    By default, the scan is scheduled to begin each week at midnight Saturday, UTC, and continue through early Sunday.

    (Screenshot: Scan Weekly)

    Scan Daily:

    Choose the Time, and Time Zone that the scan is to take place each day.

    By default, the scan is scheduled to begin each day at midnight, UTC.

    (Screenshot: Scan Daily)

  7. Enter the Email Address where you want to receive notifications of completed scans and security updates.

    (Screenshot: Email Address)

  8. When complete, click Submit.

    After the ownership of the domain is verified, the site appears in the Monitored Websites list of your Commerce account.

  9. If you have multiple websites with different domains, repeat this process to set up a security scan for each.
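
Before clicking Verify Confirmation Code in step 5, it is worth checking that the confirmation code is actually being served inside the `<head>` of the live storefront HTML, over both HTTPS and HTTP (the scanner operates over both), rather than only saved in the Admin or committed to the PWA project. The script below is an added example written for this page; it is not part of Adobe Commerce or the Security Scan Tool. The function names `code_in_head` and `check_live`, the host `www.example.com`, and the sample `<meta>` tag and HTML responses are all constructed placeholders standing in for whatever code the Security Scan page generates for your site.

```sh
#!/bin/sh
# Added example (not Adobe Commerce or Security Scan Tool code): confirm that
# the confirmation code copied from the Security Scan page is served inside
# <head> of the storefront page before clicking "Verify Confirmation Code".

# code_in_head HTML CODE
# Exit 0 if CODE occurs between the first <head ...> and the following </head>
# in HTML (passed as a string), exit 1 otherwise. index() is a fixed-string
# match, so '.', '"' and similar characters in the code are taken literally,
# and anything in <body> is ignored. (awk -v interprets backslash escapes, so a
# code containing backslashes would need different quoting.)
code_in_head() {
  printf '%s\n' "$1" | awk -v code="$2" '
    { html = html $0 " " }
    END {
      start = match(tolower(html), /<head[ >]/)
      if (start == 0) exit 1
      rest = substr(html, start)
      stop = index(tolower(rest), "</head>")
      head = (stop > 0) ? substr(rest, 1, stop - 1) : rest
      exit index(head, code) ? 0 : 1
    }
  '
}

# check_live HOST CODE  (assumed helper name; needs network access)
# Fetch https://HOST/ and http://HOST/ and run code_in_head on each response.
# Follows redirects, so an http->https redirect checks the same final page.
check_live() {
  host=$1
  code=$2
  status=0
  for scheme in https http; do
    url="$scheme://$host/"
    if html=$(curl -sSL --max-time 30 "$url") && code_in_head "$html" "$code"; then
      printf 'ok      %s\n' "$url"
    else
      printf 'missing %s\n' "$url"
      status=1
    fi
  done
  return $status
}

# Constructed sample data: a placeholder META tag standing in for the real
# generated confirmation code, plus two constructed storefront responses.
SAMPLE_CODE='<meta name="example-confirmation" content="EXAMPLE0000">'

# Tag pasted into HTML Head > Scripts and Style Sheets ends up in <head>.
SAMPLE_HTML_GOOD='<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Storefront</title>
  <meta name="example-confirmation" content="EXAMPLE0000">
</head>
<body><p>Welcome</p></body>
</html>'

# Tag placed in <body> (for example in a CMS block) is not in the head, so
# verification would fail even though the string is on the page.
SAMPLE_HTML_BAD='<!doctype html>
<html lang="en">
<head><meta charset="utf-8"><title>Storefront</title></head>
<body>
  <meta name="example-confirmation" content="EXAMPLE0000">
</body>
</html>'

# Offline usage over the constructed samples.
if code_in_head "$SAMPLE_HTML_GOOD" "$SAMPLE_CODE"; then echo "sample good: code is in <head>"; fi
if ! code_in_head "$SAMPLE_HTML_BAD" "$SAMPLE_CODE"; then echo "sample bad: code is not in <head>"; fi
# Live usage (requires network):  check_live www.example.com "$SAMPLE_CODE"
```

If the Admin shows the code saved but the live page does not contain it, look at full-page caching first: the built-in page cache, Varnish or Fastly can keep serving the pre-change HTML, and the scanner fetches the same cached response a visitor gets, so flush the cache and re-check. For a PWA storefront, run the check only after the Cloud deployment has finished.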

Manage scan failures

The Security Scan Tool allows you to manage scan failures directly from the report view. You can mark specific scan failures as false positives and exclude them from your risk score.

Benefits of managing scan failures

Managing scan failures helps you maintain a more accurate security overview of your store by:

  • Reducing false positives in your security reports.
  • Focusing on relevant security issues that need attention.
  • Maintaining a clearer view of your store’s true security status.
  • Eliminating the need to contact support for known false positives.
  • Saving time by self-managing scan failures that you have already investigated.

Common scenarios where you might want to mark a scan failure as a false positive include:

  • When you have already applied a security patch that the scan tool has not detected. Confirm that the patch is actually installed in the production code base before ignoring the failure, rather than relying on it having been scheduled or applied in another environment.
  • When a detected issue is not applicable to your specific store configuration.
  • When you have implemented an alternative security measure that addresses the concern.
  • When the scan failure is based on a configuration that you have intentionally set for your business needs.

Ignore scan failures

To manage scan failures that you have identified as false positives, follow these steps:

  1. From the Monitored Websites page, click View Report for the site you want to manage.

  2. In the report view, locate the failed scan you want to mark as a false positive.

  3. Click Ignore for the specific scan failure.

    (Screenshot: Ignore scan failures)

  4. Click Apply Changes to save your selection.

The ignored scan failure moves to the Ignored Results section and is excluded from your risk score.

Stop ignoring scan failures

If you need to restore a previously ignored scan failure to your active monitoring, follow these steps:

  1. In the report view, scroll to the Ignored Results section.

  2. Click Stop Ignoring for the scan failure you want to restore.

    (Screenshot: Unignore scan failures)

  3. Click Apply Changes to save your selection.

The scan failure moves back to the Failed Scans section and is included in your risk score.

View ignored scan failures

Ignored results appear in a separate section of the report, and the risk score is automatically updated to reflect only active scan failures. You can manage multiple scan failures at once by selecting multiple items before applying changes.

(Screenshot: View ignored scan failures)
