Scan Results & Detection Rules

Scan Results Section#

Below the stat cards, the Scanning tab shows two side-by-side panels labeled “Scan Results”.

Scanner Findings Panel (left)#

Shows a severity breakdown of all currently active scanner findings (across all scan runs, not just the most recent):

• Four colored severity tiles (Critical, High, Medium, Low) with counts. Clicking each tile navigates to the Findings tab filtered by that severity and source=scanner.
• By Detector breakdown (horizontal bar chart): For each detector that has produced findings, a bar shows the count of active findings relative to the total, sorted from highest to lowest count.
• A “View in Findings →” link to jump to the full Findings tab filtered to scanner source.

If no active scanner findings exist: “No active scanner findings. Run a scan to detect secrets and PII.”

Scan History Panel (right)#

A chronological list of all scan job runs. Each entry is expandable: click any row to see the full detail panel for that run.

Summary row (always visible):

• Status lozenge: success (green), failed (red), running (blue), or gray for skipped/unknown.
• Date/time the run started.
• Detail line: For successful runs, “N pages · Xm Ys” (e.g., “1,204 pages · 26m 14s”). For failed runs, the error message. For skipped runs, the skip reason.

Expanded detail (click to open):

Note: Stats (Pages Scanned, New Findings, Reopened) are recorded when the scan finishes. Runs that are still running show live progress inside the Scanner Status card instead.

Recent Detections#

If any scanner findings exist, a Recent Detections panel appears below the Scan Results section. This is a paginated list (15 per page) of the most recent findings created by the scanner, showing:

Clicking any row navigates to the Findings tab filtered to scanner source.

Detection Rules (Admin Only)#

At the bottom of the Scanning tab, Admin users see a collapsible Detection Rules panel. Clicking the panel header expands a card grid showing all configured detectors. Each detector card shows:

• Name (e.g., “AWS Access Key”)
• Enabled/disabled indicator (green dot = enabled, gray dot = disabled)
• Category lozenge (secret, pii, cloud, key, service, financial, security, custom)
• Severity lozenge (critical, high, etc.)
• Description (one-line explanation of what the detector looks for)

Admin users can toggle a detector on or off by clicking its card. The change takes effect optimistically in the UI immediately and is saved to the backend. The toggle is reflected in the Active Detectors stat card count in real time.

How It Works (Expandable)#

A collapsible “How It Works” panel at the bottom explains the scanning architecture in plain English:

“The content scanner is triggered manually from Admin > Scanning. It fetches page body text via CQL, runs all enabled detectors, and creates findings for matches. Raw content is never stored, only SHA-256 hashes for deduplication. Resolved findings are automatically reopened if the same secret is detected again.”

Key points worth noting:

• Raw content is never stored: Aegis does not persist page body text. Only the SHA-256 hash of contentId + detectorId + matchedText is stored to enable deduplication across runs.
• Deduplication: If the same secret on the same page is detected in a subsequent scan, Aegis checks the existing finding’s status:
  • Open or Triaged → No duplicate created. The finding is already being tracked.
  • Resolved → The finding is reopened automatically with a “Scanner Reopened” badge. The reopenedAt timestamp is set.
  • Dismissed → Stays dismissed. If you dismissed a finding, the scanner will not recreate it.
• Single concurrent scan: Only one content scan can run at a time per installation. If you attempt to start a scan while one is already running, you will receive the error: “A content scan is already in progress”.

Scan Frequency Guidance#