{% extends "base.html" %} {% block title %}Scan · ai-protect{% endblock %} {% block autorefresh %}window.AI_PROTECT_NO_AUTOREFRESH = true;{% endblock %} {% block content %}

Scan

Pick where the code lives, what to scan it with, and start. Two flows below — pick one.

{# ---- Mode segmented control ---- #}
Source code (SAST) Read code on disk · {{ sast_adapters|length }} adapters Live target (DAST) Probe a running system · {{ dast_adapters|length }} adapters

{{ mode_descriptions[mode] }}

{# ---- DAST safety banner: persistent, can't be dismissed within a session ---- #} {% if mode == 'dast' %}
Live target scan. This will send real HTTP requests to the chosen system. Verify the target is yours and you're authorized to test it. Hard-denied IPs (cloud metadata, etc.) cannot be overridden even by an internal-scan toggle.
{% endif %} {# ============================================================ SAST flow ============================================================ #} {% if mode == 'sast' %}
The app to scan. Its data_sensitivity, decision_impact, and integration_footprint drive the tier classification and which adapters fire.
v2.1 SDLC stage. build is the fastest SAST loop and is the default.
Narrow to one adapter for a focused re-scan, or run the full SAST suite for this stage.
Cancel
{% endif %} {# ============================================================ DAST flow ============================================================ #} {% if mode == 'dast' %}
{# Sub-tab: Known app vs Arbitrary URL (radio group per PAL's design note) #}
{# Known-app subform #}
Uses the manifest's target.base_url as the scan target. The manifest's network_allowed_zones override the internal-IP refusal.
{# Ad-hoc URL subform — hidden when sub-tab is "manifest" #}
DAST is normally run at preprod; intake limits to discovery (recon + endpoint enumeration). Heavier modes (ZAP active, Burp active, sqlmap, adversary emulation) require the opt-in below.
Safe defaults: passive web scanning, MCP scope checks. Heavy adapters require allow state-changing testing below.
Both require the target's allow_mutation=true on its manifest. Ad-hoc URLs cannot enable these — promote to a saved manifest first.
Cancel
{% endif %} {# ---- Pre-flight checks visible to both modes ---- #} {% if pre_flight_adapters %}
Always-run policy checks (when applicable):
{% for a in pre_flight_adapters %}{{ a }}{% endfor %}

These run alongside whichever mode you chose. manifest_validator and threat_model_check are policy gates (the latter applies to Tier 1/2 design-stage runs); intel_match cross-references manifest assets against the CVE/threat intel feeds. None require any operator action.

{% endif %}
{# ============================================================ Shared Recent scans (visible in both modes) ============================================================ #} {% if scans %}

Recent scans

{% for s in scans %} {% endfor %}
WhenAppStageAdapterStatusFindings before → after
{{ s.scan_id }} {{ s.app_name }} {{ s.stage }} {{ s.adapter or "all" }} {% if s.status == 'running' %}Running {% elif s.status == 'done' %}done {% elif s.status == 'failed' %}failed {% elif s.status == 'stopped' %}stopped {% else %}{{ s.status }} {% endif %} {% if s.findings_after is none %}{{ s.findings_before }} → ? {% else %}{{ s.findings_before }} → {{ s.findings_after }} ({{ s.findings_after - s.findings_before }}) {% endif %} View Findings →
{% endif %} {% endblock %}