Drift Detection & Dynamic Domains

ScriptAttest monitors your scripts for changes between attestations. Learn how drift detection works and how to manage domains that change frequently.

What is Drift Detection?

Drift detection compares each new attestation against your baseline to identify script changes. This helps you catch:

  • Supply chain attacks - Malicious code injected into trusted scripts
  • Unauthorized changes - Scripts modified without your knowledge
  • New scripts added - Third-party scripts loaded unexpectedly
  • Scripts removed - Dependencies accidentally removed

Severity Levels

Drift is categorized by severity to help you prioritize your response:

Severity   Color    Meaning
HIGH       Red      Unexpected changes to scripts, new unknown scripts, or scripts removed. Requires immediate investigation.
MEDIUM     Yellow   Changes to known dynamic scripts (GTM, analytics, etc.). Expected behavior but worth monitoring.
NONE       Green    No changes detected. Your scripts match the baseline.

Dynamic Scripts

Some scripts are designed to change frequently. These include:

  • Google Tag Manager - Bundles regenerate per container configuration
  • Google Analytics (gtag.js) - Script content updates frequently
  • Facebook Pixel - Script content changes with updates
  • Hotjar - Script content changes frequently
  • HubSpot - Script generated per portal
  • Segment - Script bundled per source configuration
  • LinkedIn Insight Tag - Script updates with platform changes
  • Microsoft UET - Script content changes with updates

ScriptAttest automatically recognizes these scripts and reports their changes as MEDIUM severity rather than HIGH, since a new content hash is expected from these sources. The change still appears in the attestation report; only its severity differs.

Approved Dynamic Domains

Beyond the built-in list, you can mark additional domains as "expected to change." This is useful for:

  • Internal CDNs that serve frequently-updated content
  • Third-party services not in our built-in list
  • A/B testing platforms
  • Feature flag systems

Approving a Domain from the Attestation Report

When you view an attestation report showing script changes:

  1. Find the script in the Changed Scripts or Added Scripts section
  2. If it's from a domain you trust and expect to change, click Approve Domain
  3. The domain will be added to your approved list
  4. Future attestations will treat changes from this domain as MEDIUM severity

Managing Approved Domains

To view and manage your approved dynamic domains:

  1. Go to your site's ScriptAttest tab
  2. Expand the Approved Dynamic Domains section
  3. View all domains you've approved
  4. Click Remove to revoke approval for any domain

Security Note

Only approve domains you fully trust. Approval applies to every script served from that domain, not just the one you saw change, so a later compromise of that source would surface only as MEDIUM drift. If you're unsure, leave the domain unapproved and investigate each HIGH severity alert individually.

Baseline Management

Your baseline is the reference point for all drift comparisons. The first attestation automatically becomes your baseline.

Setting a New Baseline

After reviewing and accepting changes, you can update your baseline:

  1. Open the attestation report
  2. Review all changes carefully
  3. Click Accept & Set as Baseline
  4. Future attestations will compare against this new baseline

Why Baselines Matter

ScriptAttest always compares against your explicitly set baseline, never against "the previous scan." This prevents a supply chain attack from being normalized simply by persisting across scans:

Example: an attacker compromises a CDN and serves malicious code. If drift were measured against the previous scan, the second scan run while the malicious code was live would report "no changes," and the attack would disappear from view. Against a fixed baseline, the HIGH severity drift keeps appearing on every attestation until you investigate and explicitly accept the change.
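The following is an added example, not ScriptAttest's own code, that models the two behaviors described above: the severity classification from the table (removals always HIGH, changes and additions downgraded to MEDIUM only for built-in dynamic or approved domains) and the difference between comparing against a fixed baseline and against the previous scan. The script URLs, script contents, and the built-in dynamic host list are constructed for the example; treating a newly added script from an approved domain as MEDIUM is an assumption, since the page only states that changes from approved domains are downgraded.

```python
"""Added example, not ScriptAttest's own code: a model of the drift
classification and the fixed-baseline comparison described on this page.
Script URLs, contents and the built-in dynamic host list are constructed."""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse

# Stand-ins for the page's built-in dynamic scripts (GTM, Facebook Pixel,
# Hotjar, ...). The hostnames ScriptAttest actually matches are an assumption.
BUILTIN_DYNAMIC = {"www.googletagmanager.com", "connect.facebook.net", "static.hotjar.com"}


def fingerprint(content: bytes) -> str:
    """Content hash used as the script's identity within an attestation."""
    return hashlib.sha256(content).hexdigest()


def is_dynamic(url: str, approved: frozenset) -> bool:
    """True when the script's host is on the built-in list or approved by the user."""
    host = (urlparse(url).hostname or "").lower()
    return host in BUILTIN_DYNAMIC or host in approved


@dataclass(frozen=True)
class Finding:
    url: str
    kind: str       # "added", "removed" or "changed"
    severity: str   # "HIGH" or "MEDIUM"


def detect_drift(baseline: dict, observed: dict, approved: frozenset = frozenset()):
    """baseline and observed map script URL -> content hash.

    Returns (overall severity, findings) following the page's severity table:
    removals are always HIGH; changed or new scripts are MEDIUM only when the
    host is a built-in dynamic or approved domain (applying that downgrade to
    newly added scripts, not just changed ones, is an assumption)."""
    findings = []
    for url in sorted(observed.keys() - baseline.keys()):
        findings.append(Finding(url, "added", "MEDIUM" if is_dynamic(url, approved) else "HIGH"))
    for url in sorted(baseline.keys() - observed.keys()):
        findings.append(Finding(url, "removed", "HIGH"))
    for url in sorted(baseline.keys() & observed.keys()):
        if baseline[url] != observed[url]:
            findings.append(Finding(url, "changed", "MEDIUM" if is_dynamic(url, approved) else "HIGH"))
    if any(f.severity == "HIGH" for f in findings):
        return "HIGH", findings
    return ("MEDIUM" if findings else "NONE"), findings


def scan_series(baseline, scans, approved=frozenset(), compare_to_previous=False):
    """Overall severity reported for each scan in turn.

    compare_to_previous=True models the "diff against the last scan" behaviour
    the page warns about; False keeps the explicit baseline as the reference."""
    reference, results = baseline, []
    for observed in scans:
        overall, _ = detect_drift(reference, observed, approved)
        results.append(overall)
        if compare_to_previous:
            reference = observed   # the tampered scan silently becomes the new reference
    return results


# Constructed sample data: a reviewed baseline, then a scan in which the
# first-party bundle was tampered with and the GTM bundle regenerated.
APP = "https://cdn.example.com/app.js"
GTM = "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"
BASELINE = {APP: fingerprint(b"/* app v1 */"), GTM: fingerprint(b"/* gtm build 1 */")}
TAMPERED = {APP: fingerprint(b"/* app v1 */ /* injected */"), GTM: fingerprint(b"/* gtm build 2 */")}

if __name__ == "__main__":
    overall, findings = detect_drift(BASELINE, TAMPERED)
    print(overall, findings)   # HIGH: app.js changed (HIGH), gtm.js changed (MEDIUM)
    print(scan_series(BASELINE, [TAMPERED, TAMPERED]))                            # ['HIGH', 'HIGH']
    print(scan_series(BASELINE, [TAMPERED, TAMPERED], compare_to_previous=True))  # ['HIGH', 'NONE']
```

Run stand-alone, the two `scan_series` calls show the point of the section: with a fixed baseline the tampered bundle is HIGH on both scans, while the previous-scan comparison reports NONE on the second scan even though the injected content is still being served. Passing `approved=frozenset({"cdn.example.com"})` to `detect_drift` downgrades the same tampering to MEDIUM, which is exactly why the Security Note above asks you to approve sparingly.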

Best Practices

  1. Set your baseline after review - Your first attestation becomes the baseline automatically, but verify it looks correct before relying on drift detection.
  2. Investigate HIGH severity immediately - Unexpected script changes could indicate a security incident.
  3. Don't over-approve domains - Only mark domains as dynamic if you expect them to change legitimately.
  4. Review MEDIUM severity periodically - While expected, dynamic script changes could still hide malicious behavior.
  5. Schedule regular attestations - Set up automated scans to catch drift quickly.

API Reference

You can manage approved dynamic domains via the API:

List Approved Domains

GET /api/sites/{siteId}/attestations/approve-dynamic-domain

Approve a Domain

POST /api/sites/{siteId}/attestations/approve-dynamic-domain
Content-Type: application/json

{
  "domain": "cdn.example.com",
  "reason": "Internal CDN with frequent updates"
}

Remove a Domain

DELETE /api/sites/{siteId}/attestations/approve-dynamic-domain
Content-Type: application/json

{
  "domain": "cdn.example.com"
}
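The client below is an added example, not ScriptAttest's own SDK, showing how to drive the three endpoints above from Python's standard library. The base URL, the bearer-token authorization header, and the JSON shape of the responses are assumptions; the in-memory `FakeServer` is constructed so the example runs offline and stands in for the real API. Two details matter in practice: the DELETE endpoint takes a JSON body, which some HTTP clients drop unless the method is set explicitly, and the `domain` value should be a bare hostname, because an approval covers every script from that host.

```python
"""Added example, not ScriptAttest's own client: a minimal stdlib wrapper for
the approve-dynamic-domain endpoints. BASE_URL, the auth header and the
response JSON shapes are assumptions; FakeServer is constructed for offline use."""
import io
import json
import re
import urllib.request

BASE_URL = "https://scriptattest.example"   # assumption: your ScriptAttest host
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalize_domain(domain: str) -> str:
    """Accept a bare hostname only; refuse URLs, wildcards and paths so an
    approval cannot silently cover more than the host you actually reviewed."""
    d = domain.strip().lower().rstrip(".")
    if not HOSTNAME_RE.match(d):
        raise ValueError(f"not a bare hostname: {domain!r}")
    return d


def endpoint(site_id: str) -> str:
    return f"{BASE_URL}/api/sites/{site_id}/attestations/approve-dynamic-domain"


def build_request(site_id: str, method: str, body=None, token: str = "API_TOKEN"):
    headers = {"Authorization": f"Bearer {token}"}   # assumed auth scheme
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    # method= is required: without it urllib sends any request that carries a
    # body as POST, and the DELETE endpoint on this page expects a JSON body.
    return urllib.request.Request(endpoint(site_id), data=data, headers=headers, method=method)


class ApprovedDomains:
    """List, approve and remove approved dynamic domains for one site."""

    def __init__(self, site_id: str, send=urllib.request.urlopen, token: str = "API_TOKEN"):
        self.site_id, self.send, self.token = site_id, send, token

    def _call(self, method: str, body=None):
        with self.send(build_request(self.site_id, method, body, self.token)) as resp:
            return json.loads(resp.read())

    def list(self):
        return self._call("GET")

    def approve(self, domain: str, reason: str):
        return self._call("POST", {"domain": normalize_domain(domain), "reason": reason})

    def remove(self, domain: str):
        return self._call("DELETE", {"domain": normalize_domain(domain)})


class FakeServer:
    """Constructed in-memory stand-in for the API so the example runs offline.
    It honours the request shapes on this page; its response JSON is an assumption."""

    def __init__(self):
        self.domains = {}

    def __call__(self, req: urllib.request.Request):
        body = json.loads(req.data) if req.data else {}
        if req.get_method() == "POST":
            self.domains[body["domain"]] = body.get("reason", "")
        elif req.get_method() == "DELETE":
            self.domains.pop(body["domain"], None)
        payload = {"domains": [{"domain": d, "reason": r} for d, r in sorted(self.domains.items())]}
        return io.BytesIO(json.dumps(payload).encode())


if __name__ == "__main__":
    api = ApprovedDomains("site-123", send=FakeServer())   # drop send= to hit the real API
    api.approve("cdn.example.com", "Internal CDN with frequent updates")
    print(api.list())
    api.remove("cdn.example.com")
    print(api.list())
```

To use it against a live instance, construct `ApprovedDomains("<siteId>", token=...)` without the `send=` argument so requests go through `urllib.request.urlopen`; keep `normalize_domain` in the path even if you swap in a different HTTP library, since rejecting anything that is not a single hostname is the cheap guard against over-approving.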