Scan Types

SCA Scans 

• Full scan - SOOS performs a full scan via integrated repositories or CI/CD systems when a commit is made or a build is kicked off.  Manually uploading a manifest to scan in the SOOS UI or running a GitHub QuickScan will also perform a full scan.  This scan obeys all Dependency and Scan settings at the global and/or project level found on the Configure page at the time of the scan.
  
  
• Refresh scan - SOOS performs an automatic daily refresh scan on all existing project branches configured for a daily scan in the Branch Filter found on the Configure page.  This scan uses the most recently scanned manifest versions and applies all scan settings that were in place at the time of the previous full scan, as well as the Scan Full Dependency Tree setting in place at the time of the scan.
  
  
• Rescan - Users can initiate a rescan at any time using the 'rescan now' link in the upper right corner of the project detail page.  Similar to a refresh scan, this scan will use the most recently scanned manifest and all previously applied scan settings, as well as the Scan Full Dependency Tree setting in place at the time of the scan.

DAST Scan Modes

• Baseline scan - The script does not perform an actual 'attack' and is quick to run, taking only a few minutes. 
  • To see the list of tests performed during baseline scan mode visit https://www.zaproxy.org/docs/alerts/ and filter for Passive type.
    
    
• FullScan - The script does perform actual 'attacks' and can take much longer to run.  Note that the time limit for SOOS DAST scans is 3 hours. 
  • To see the list of tests performed during baseline scan mode visit the Zaproxy link above and filter for Active type.
    
    
• API scan - This is used specifically to scan APIs defined by openapi, soap, or graphql via local file or URL

SBOM Scans

• Full scan - Each time an SBOM file is uploaded in the SOOS UI, a full scan is performed.  Scan settings on the Configure page do not apply to SBOM scans.
  
  
• Refresh scan - SBOM refresh scans will occur daily, there is no configuration needed to ensure refresh scans occur on SBOM projects.  The most recently uploaded SBOM version will be scanned.
  
  
• Rescan - Similar to SCA rescans, users can manually initiate a rescan for any SBOM using the 'rescan now' link.  The most recently uploaded SBOM data will be used.