diff --git a/_assets/images/pages/build-scans.png b/_assets/images/pages/build-scans.png new file mode 100644 index 000000000..8e11dd8bb Binary files /dev/null and b/_assets/images/pages/build-scans.png differ diff --git a/_data/pages/navigation.yml b/_data/pages/navigation.yml index 57b3fc833..ee3aad77d 100644 --- a/_data/pages/navigation.yml +++ b/_data/pages/navigation.yml @@ -86,6 +86,8 @@ sidenav: href: /pages/documentation/custom-headers/ - text: Federalist.json href: /pages/documentation/federalist-json/ + - text: Build Scans + href: /pages/documentation/build-scans/ - text: For developers href: /pages/documentation/ subfolderitems: diff --git a/_pages/pages/documentation/build-scans.md b/_pages/pages/documentation/build-scans.md new file mode 100644 index 000000000..f3cfdf484 --- /dev/null +++ b/_pages/pages/documentation/build-scans.md @@ -0,0 +1,22 @@ +--- +title: Build Scans +permalink: /pages/documentation/build-scans/ +layout: docs +navigation: pages +sidenav: pages-documentation +--- + + +Builds Scans are a new experimental feature being offered by Pages. + +For select site builds, users can see scan results which check their website for security vulnerabilities, accessibility violations, and other relevant information to help improve their site. These scans begin running after a build completes. When the scan finishes, the results are available as downloadable HTML files for easy sharing among team members. There are currently two scans available: ZAP Security Scan and Accessibility Scan. If you are interested in being part of the beta test of this new feature, please email us at pages-support@cloud.gov. + +![Build Scan Example]({{site.baseurl}}/assets/images/pages/build-scans.png) + +## ZAP Security Scan + +The ZAP Security Scan tests your published website for common security vulnerabilities. It uses the [Zed Attack Proxy (ZAP)](https://www.zaproxy.org/) software to passively scan the site for vulnerabilities but does not perform any attack or attempt to maliciously modify your site code. Example security findings include unintended exposure of sensitive data, SQL injection opportunities, cross-site scripting (XSS) flaws, and the use of components with known vulnerabilities. More details about the scan mechanisms and the resulting file output can be found at [ZAP - Baseline Scan](https://www.zaproxy.org/docs/docker/baseline-scan/) + +## Accessibility Scan + +This scan identifies website accessibility violations from [Section 508](https://www.section508.gov/) and the [latest WCAG version](https://www.w3.org/TR/WCAG22/). The scan first crawls your website to identify all pages to test. It then uses the open source portion of [`axe`](https://www.deque.com/axe/) to identify accessibility violations. The final scan is a custom report generated from the `axe` output.