Remediation Projects Major Shortcoming!

There is a major shortcoming with the Remediation Project > Validation Scan

For customers using the R7 Scan Assistant service/agent for credentialed scanning, which is best practice, the Validation Scan does not support this!!!
In other words, the Validation scan uses the default scan template ‘full audit without web spider’, which does not support Scan Assistant due to the inability to edit the scan template to add the required Scan Assistant port tcp/21047.
Moreover, if you make a copy of the scan template to customize it, there is no way for the Validation scan to know nor is there a way to tell it which scan template to use!
These are facts based on my findings, which I validated with R7 support as well.
I submitted a feature request for this shortcoming (major in my opinion) to get fixed.

Lastly, this is a blocker for us since we cannot effectively use Remediation Projects with other teams to offer as a turn-key solution and single pane of glass for validating and tracking remediation work.

2 Likes

Good spot, thanks for flagging. I have been doing site scans to verify or waiting for the agent to check in. I agree this is not ideal for working with remediation teams.

1 Like

This has been painful! Glad someone else had the patience to get to the bottom of this. Hopefully they fix it soon!!

1 Like


Very, very disappointing and discouraging!

I consider this a MAJOR shortcoming and flaw in InsightVM!

How can Rapid7 market and offer the Remediation Projects blade/feature, and the overall purpose of it, if the validation scan button does not support the preferred method for credentialed scanning, which is the Scan Assistant service agent??

SO!!!
I finally got in touch with a VERY knowledgeable R7 support engineer (after multiple support cases and a feature request over the course of a year), and he told me the Remediation Project ‘Validation Scan’ button uses the scan template ‘platform-initiated-scan’, which is a custom template provided by Rapid7 and allows for editing to include the Scan Assistant port TCP/20147.
I am testing now to verify that this scan template supports Scan Assistant for credentialed scan…

Confirmed!!!
The scan template ‘platform-initiated-scan’ with the Scan Assistant port added does in fact scan assets as credentialed where the Scan Assistant service agent was installed.
This is great news!
I recommend Rapid7 support update their docs for Remediation Projects to explain this better for customers.

HUGE KUDOS to R7 support engineer @rob_rosa :clap::grin::heart: