# Running a Web Scan

:::info
This feature is only available to organizations that have subscribed to the Web Application Scanning feature.
:::

## Setup

Here are the steps required before running a Web scan:

1. Register a web application (see [Registering a Web Application](/docs/g/getting-started/register-web-applications/index.md)).
2. Register endpoints to scan (see [Identifying Endpoints to Scan](/docs/g/getting-started/register-web-applications/collect-endpoints/index.md)).
3. Verify ownership of the web application to be scanned.

### Verifying Ownership of Your Web Application

Shisho Cloud requires proof of ownership of the application being scanned to prevent malicious use of this scanning feature. Shisho Cloud verifies ownership before running the scan. If verification fails, the scan does not start and the scan job ends. Verification is performed against the host of the registered endpoint. If the endpoint consists of multiple hosts, each host is verified separately.

There are two ways to verify ownership. Ownership is proven if either of these methods is satisfied for all hosts of the application:

- The host of the web application to be scanned resides on a cloud resource linked to Shisho Cloud.
- The host of the web application to be scanned returns the expected response when a request is sent to a verification URL.

The results of the ownership verification are displayed in the "Scan Jobs" tab (`https://cloud.shisho.dev/[orgid]/applications/[appid]/jobs/scan`). Verification is also performed when this page is opened, allowing you to check the latest verification results.

![Verification Results of Scan Prerequisites](/docs/_md-assets/adbcb3d995-scan-prerequisites-verification-results.png)

#### Verifying Through Cloud Resources Linked to Shisho Cloud

If the host of the application being scanned is on a cloud resource linked to Shisho Cloud, that host is considered verified. If the connection already exists, there is typically no need for action. To link cloud resources, see [Configure external integrations](/docs/g/getting-started/integrate-apps/index.md).

Hosts detected by Shisho Cloud can be found in the "Applications > Attack Surfaces" tab.

![Attack Surface List](/docs/_md-assets/40908f5ac1-attack_surface_list.png)

:::warning
Depending on the configuration of your cloud resources, Shisho Cloud may not be able to correctly detect hosts even if they are linked. If that happens, please feel free to contact the operator (Flatt Security).
:::

If you are not using a cloud service, or if you are using one but have difficulty linking resources, consider verifying through the verification URL.

#### Verifying Through a Verification URL

To prove ownership of the host of the application to be scanned through a verification URL, the specified URL must return the application verification token.

**Requests sent by Shisho Cloud:**

```http
GET http[s]://<host>/.well-known/shisho-cloud/<application verification token>
```

**Responses returned by the host of the application being scanned:**

```http
Status: 200 OK
Body: <application verification token>
```

The application verification token can be found in the "General" tab (`https://cloud.shisho.dev/[orgid]/applications/[appid]`).

![Application Verification Token](/docs/_md-assets/64622abf8f-ownership-token.png)

For example, to verify the host `sample-app.com` with the token `01J5TAXF0RV6G9DVH4BPM1SX1G`, Shisho Cloud will send the following request:

```http
GET http://sample-app.com/.well-known/shisho-cloud/01J5TAXF0RV6G9DVH4BPM1SX1G
```

If `sample-app.com` returns a status code of `200 OK` and the following body in the response, the ownership of this host is proven:

```
01J5TAXF0RV6G9DVH4BPM1SX1G
```
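The following is an added example (not part of the Shisho Cloud documentation or product) of how an application could serve the verification path, together with a local check that mimics the request described above. The token value and the localhost port are constructed for the example; the real token comes from the "General" tab of your application.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed values for this example: substitute the application
# verification token shown in the "General" tab of Shisho Cloud.
VERIFICATION_TOKEN = "01J5TAXF0RV6G9DVH4BPM1SX1G"
WELL_KNOWN_PREFIX = "/.well-known/shisho-cloud/"


def verification_response(path: str, token: str = VERIFICATION_TOKEN):
    """Return (status, body) for a request path.

    Only the exact verification path for the registered token is answered
    with 200 and the token. Any other path under the prefix gets 404, so the
    host never echoes back an arbitrary value chosen by the requester.
    """
    if path == WELL_KNOWN_PREFIX + token:
        return 200, token
    return 404, ""


class VerificationHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = verification_response(self.path)
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


def check_host(base_url: str, token: str) -> bool:
    """Mimic the check: GET the verification URL, expect 200 and the token as body."""
    try:
        with urllib.request.urlopen(base_url + WELL_KNOWN_PREFIX + token) as resp:
            return resp.status == 200 and resp.read().decode().strip() == token
    except urllib.error.HTTPError:
        return False


def serve_and_check(token: str) -> bool:
    """Serve the handler on an ephemeral localhost port and run check_host against it."""
    server = http.server.HTTPServer(("127.0.0.1", 0), VerificationHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_host(f"http://127.0.0.1:{server.server_address[1]}", token)
    finally:
        server.shutdown()
```

Running `serve_and_check(VERIFICATION_TOKEN)` returns `True`, while a token that differs from the registered one returns `False` because the handler answers with 404.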

## Customizing the Scan Schedule (Optional)

By default, web scans are run daily at 00:00 UTC (09:00 JST). You can customize the scan schedule using the cron format or disable scheduled execution to allow only manual execution.

Web application scans are run periodically by "Workflows." You can access the details screen for the workflow that runs the web scan [here](https://cloud.shisho.dev/*/workflows?wfid=prebundle-web-review) or [here](https://cloud.shisho.dev/*/workflows?wfid=free-trial-web-scanning).

![Web Application Scanning Workflow](/docs/_md-assets/a2e19911e9-scan-execution-workflow-list.png)

To change or disable the scan schedule, first click on the "Update" button on the right side of the screen.

The schedule is specified in `.triggers.schedule[].cron` as follows:

```yaml
version: 0.1.0
id: "free-trial-web-scanning"
name: "Review Web application posture (Free Trial)"
triggers:
  schedule:
    # highlight-next-line
    - cron: "0 0 * * *"
# (abbreviated)
```

To change the schedule, simply enter the desired schedule in cron format and click the "Save" button. For example, if you want to run the scan every day at 12:00 UTC (21:00 JST), set it as follows:

```yaml
version: 0.1.0
id: "free-trial-web-scanning"
name: "Review Web application posture (Free Trial)"
triggers:
  schedule:
    # highlight-next-line
    - cron: "0 12 * * *"
# (abbreviated)
```

:::caution
The cron schedule uses UTC time. Please consider the time difference between your time zone and UTC when setting the schedule.
:::

To disable the schedule, make the following changes and click the "Save" button:

```yaml
version: 0.1.0
id: "free-trial-web-scanning"
name: "Review Web application posture (Free Trial)"
triggers:
  # highlight-next-line
  schedule: []
# (abbreviated)
```

For more information about trigger settings for workflows, see [here](/g/concepts/workflow-manifest).

## Running a Scan

### Running a Scan from the Workflow (Optional)

By default, web application scans are run daily at 00:00 UTC (09:00 JST). If you want to run the scan immediately, without waiting for the scheduled execution, follow the steps below.

Web application scans are run periodically by "Workflows." You can access the details screen for the workflow that runs the web scan [here](https://cloud.shisho.dev/*/workflows?wfid=free-trial-web-scanning).

![Web Application Scanning Workflow](/docs/_md-assets/a2e19911e9-scan-execution-workflow-list.png)

This workflow runs the web scan. Click the "Run" button on this screen to run the web scan against all registered web applications.

To check the status and progress of the scan, open **Applications** ([https://cloud.shisho.dev/\*/applications](https://cloud.shisho.dev/*/applications)) in the top bar, click the target application from the list, and open the details page. Then, open the "Scan Jobs" tab (`https://cloud.shisho.dev/[orgid]/applications/[appid]/jobs/scan`) to view the execution history of the scans.

![List of Scan Jobs](/docs/_md-assets/20a4105d72-scan-job-list.png)

You can check the progress of the scan job by clicking the running scan job and opening the job details screen (`https://cloud.shisho.dev/[orgid]/applications/[appid]/jobs/scan/[jobid]`).

![Scan Job Details](/docs/_md-assets/f622ba6659-scan-job-details.png)

### Viewing Scan Results

Once the scan job successfully completes, the assessment results will appear on the [Dashboard](https://cloud.shisho.dev/*/dashboard) and in [Resources](https://cloud.shisho.dev/*/resources). For more information, see [Reviewing Findings](/docs/g/getting-started/review-findings.md).
