Discovery Scans
Discovery scans analyze your website to identify all external resources that need to be allowed in your Content Security Policy.
What is a Discovery Scan?
A discovery scan uses a headless browser to visit your website and automatically detect:
- External scripts - JavaScript files loaded from CDNs, analytics services, and third-party providers
- Stylesheets - CSS files from external sources
- Fonts - Web fonts loaded from Google Fonts, Adobe Fonts, or other providers
- Images - External images, including tracking pixels and CDN-hosted assets
- Connect sources - API endpoints, WebSocket connections, and fetch requests
- Frames - Embedded iframes and their sources
- Media - Video and audio resources
- Inline scripts/styles - Scripts and styles embedded directly in HTML (with SHA-256 hashes)
How Discovery Scans Work
When you trigger a discovery scan, ScriptAttest:
- Loads your pages - Visits each configured page using a headless Chromium browser
- Monitors network activity - Captures all network requests made during page load and interaction
- Analyzes resources - Categorizes each resource by type (script, style, image, etc.)
- Extracts domains - Identifies the source domain for each external resource
- Calculates hashes - Generates SHA-256 hashes for inline scripts and styles
- Reports findings - Presents all discovered sources in your dashboard for review
Running a Discovery Scan
To run a discovery scan:
- Navigate to your site in the dashboard
- Go to the CSP Management tab
- Click Start Discovery Scan
- Wait for the scan to complete (typically 30-60 seconds per page)
- Review the discovered sources in the Sources tab
Understanding Scan Results
After a discovery scan completes, you'll see a list of all discovered sources organized by:
- Type - Script, stylesheet, image, connect, etc.
- Domain - The source domain (e.g., cdn.example.com)
- Status - Pending, approved, or rejected
- First seen - When this source was first detected
Inline Scripts and Styles
Inline scripts and styles are identified by their SHA-256 hash. This allows you to approve specific inline code blocks without allowing all inline content (which would require 'unsafe-inline').
Tip: Inline scripts with dynamic content (like user-generated data) will have different hashes each time. For these cases, you may need to use 'unsafe-inline' or refactor to use external scripts.
Multi-Page Scans
Discovery scans can analyze multiple pages simultaneously. This is useful for:
- Finding resources that only load on specific pages
- Ensuring your CSP covers all pages of your site
- Identifying page-specific third-party integrations
Configure which pages to scan in the Pages section of your site settings.
What Gets Detected
Discovery scans detect resources loaded through:
- <script src="..."> tags
- <link rel="stylesheet" href="..."> tags
- <img src="..."> tags
- JavaScript fetch() and XMLHttpRequest calls
- WebSocket connections
- Dynamically created script/style elements
- CSS @import statements
- Font-face declarations
Limitations
Discovery scans may not detect:
- Resources loaded after user interaction (unless you configure interaction simulation)
- Resources loaded in iframes from different origins (these are blocked by CSP anyway)
- Resources that require authentication (unless you provide credentials)
- Resources loaded conditionally based on A/B tests or feature flags
For these cases, you may need to run multiple scans or manually add sources after reviewing violation reports.
Best Practices
- Scan key pages - Include your homepage, login page, checkout flow, and other critical pages
- Run scans regularly - New third-party integrations may introduce new sources
- Review before approving - Not all discovered sources should be approved
- Use scheduled scans - Automate discovery scans to catch new sources automatically
Next Steps
After running a discovery scan: