
Supply Chain Scanner (WSCS)

The Web Supply Chain Scanner (WSCS) monitors your web applications for client-side supply chain threats. It crawls your pages, inventories every loaded asset (scripts, stylesheets, fonts, iframes, pixels, XHR/fetch requests), and analyzes them for compromises — from malicious script injections to data exfiltration endpoints.

Why Client-Side Supply Chain Security Matters

Modern web applications load dozens of third-party scripts: analytics, tag managers, payment processors, chat widgets, A/B testing tools. Each one is a potential attack vector:

  • Magecart-style attacks — Attackers compromise a third-party script to skim payment data
  • Dependency confusion — A malicious package with the same name as an internal one gets loaded
  • Typosquatting — A script URL with a subtle misspelling serves malware
  • Supply chain compromise — A legitimate vendor is breached, and their CDN serves tampered code

WSCS detects all of these by continuously monitoring what your pages actually load.

Dashboard Overview

The WSCS section has six tabs:

| Tab | Purpose |
| --- | --- |
| Findings | Security issues detected in your web supply chain |
| Scan History | Past scan runs with asset diff views (added/removed between scans) |
| Asset Inventory | All discovered assets grouped by domain and classified as 1st-party, 3rd-party, or 4th-party |
| Targets | Crawl target configuration (URLs, frequency, credentials) |
| PCI DSS Compliance | Compliance checking for PCI DSS 4.0 Requirements 6.4.1 and 6.4.3 |
| CSP Generator | Auto-generated Content-Security-Policy based on scan data (Enterprise plan) |

Configuring Scan Targets

Step 1: Add a Target

Navigate to Supply Chain → Targets and click Add Target. Configure:

  • URL — The page to crawl (e.g., https://yoursite.com/checkout)
  • Page Type — Categorize the page: homepage, checkout, login, contact, or custom
  • Scan Frequency — How often to scan: daily, hourly, or continuous

Step 2: Configure Authentication (Optional)

For pages behind a login, add scan credentials:

| Method | Use Case |
| --- | --- |
| Form Login | Submits username/password to a login form |
| Cookie | Sends a pre-authenticated session cookie |
| Header | Adds a custom authorization header |
| Basic Auth | HTTP Basic Authentication |

Step 3: Set Trusted Domains

Add domains you trust to your allow-list under Trusted Domains. Assets loaded from trusted domains receive lower severity scores. Each trusted domain entry supports an optional expiration date for time-limited approvals.

Step 4: Trigger a Scan

Click Scan Now on any target to run an immediate crawl, or wait for the scheduled frequency to trigger automatically.

Understanding Findings

WSCS uses multiple analyzers to detect threats:

| Analyzer | What It Detects |
| --- | --- |
| Domain Reputation | Scripts loaded from domains with poor reputation or known malicious history |
| Script Chain | Multi-hop script loading chains that obscure the true source |
| Exfiltration Endpoint | Network requests to known data exfiltration or C2 endpoints |
| CDN Integrity | Tampered scripts on CDNs (missing or mismatched SRI hashes) |
| Steganography | Data hidden in image or media assets |
| Tag Manager | Suspicious scripts injected via Google Tag Manager or similar platforms |
| Asset Diff | New or changed assets since the last scan (highlights unexpected additions) |

AI-Powered Remediation

For Professional plan users and above, each finding offers an AI Remediation button. This uses AI to analyze the specific threat and generate actionable remediation steps tailored to your technology stack.

Asset Inventory

The Inventory tab classifies every asset your pages load:

| Classification | Definition |
| --- | --- |
| 1st-party | Loaded from your own domains |
| 3rd-party | Loaded directly from external vendors |
| 4th-party | Loaded by third-party scripts (not requested by your code directly) |

Fourth-party assets are particularly risky because you have no direct relationship with the provider — a compromise at that level is entirely outside your control.

PCI DSS Compliance

The Compliance tab checks your pages against PCI DSS 4.0 requirements:

  • Requirement 6.4.1 — Script inventory: all payment page scripts must be inventoried and justified
  • Requirement 6.4.3 — Script integrity: all scripts must use Subresource Integrity (SRI) hashes and be explicitly authorized

WSCS generates a compliance report showing which scripts pass or fail each requirement, with remediation guidance for non-compliant assets.

CSP Generator

Enterprise Plan

The CSP Generator is available on Enterprise plans only.

The CSP tab auto-generates a Content-Security-Policy header based on your scan data. It analyzes all assets loaded by your pages and produces a policy that:

  • Allows all legitimate 1st-party and approved 3rd-party sources
  • Blocks unknown or unauthorized script sources
  • Includes a report-uri directive so that policy violations are reported and can be monitored
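To show what such a policy looks like when derived from an inventory, here is an added example that is not the WSCS CSP Generator itself: it groups each asset's origin under the directive that governs its type, allows 1st-party and approved 3rd-party origins only, and reports everything else. The domains, approvals and inventory are assumed.

```javascript
// Added example, not the WSCS CSP Generator itself: build a Content-Security-Policy
// header from a scan's asset inventory, allowing 1st-party and approved 3rd-party
// origins per directive and reporting everything else. Domains below are assumed.
const FIRST_PARTY = ["shop.example"];
const APPROVED_THIRD_PARTY = new Set(["tags.example.net", "fonts.example"]);
const isFirstParty = (h) => FIRST_PARTY.some((d) => h === d || h.endsWith("." + d));

// Map the asset types an inventory records to the CSP directive that governs them.
const DIRECTIVE_FOR = {
  script: "script-src", stylesheet: "style-src", font: "font-src",
  image: "img-src", iframe: "frame-src", xhr: "connect-src", fetch: "connect-src",
};

// Returns { header, blocked }; `blocked` lists assets the policy will reject so a
// reviewer can approve or remove them before the header is deployed.
function generateCsp(assets, reportUri) {
  const sources = {};
  for (const d of Object.values(DIRECTIVE_FOR)) sources[d] = sources[d] || new Set(["'self'"]);
  const blocked = [];
  for (const asset of assets) {
    const directive = DIRECTIVE_FOR[asset.type];
    if (!directive) continue; // unknown asset type: nothing to allow
    const { hostname, origin } = new URL(asset.url);
    if (isFirstParty(hostname) || APPROVED_THIRD_PARTY.has(hostname)) sources[directive].add(origin);
    else blocked.push(asset.url);
  }
  const directives = Object.entries(sources).map(([d, s]) => `${d} ${[...s].join(" ")}`);
  const header = ["default-src 'none'", ...directives, `report-uri ${reportUri}`].join("; ");
  return { header, blocked };
}

// Constructed inventory from one scan of a checkout page.
const INVENTORY = [
  { url: "https://shop.example/app.js", type: "script" },
  { url: "https://static.shop.example/site.css", type: "stylesheet" },
  { url: "https://tags.example.net/gtm.js", type: "script" },
  { url: "https://fonts.example/inter.woff2", type: "font" },
  { url: "https://unknown-host.test/extra.js", type: "script" },
  { url: "https://api.shop.example/cart", type: "fetch" },
];

function example() { return generateCsp(INVENTORY, "https://shop.example/csp-report"); }
```

Deploy such a policy as Content-Security-Policy-Report-Only first; the report-uri endpoint will show whether any asset the crawl did not see (for example one loaded after user interaction) would be blocked.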

Scan History & Diffs

The Scan History tab shows all past scan runs. Click any scan to see:

  • Assets discovered during that scan
  • Diff view — What was added or removed compared to the previous scan
  • Findings associated with that scan

Asset diffs are critical for detecting supply chain attacks: an unexpected new script appearing on your checkout page is a strong indicator of compromise.
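The following added example (not WSCS code) puts the 1st/3rd/4th-party classification from the Asset Inventory section together with the scan diff described here: it classifies each asset by which script requested it, diffs two scans, and ranks the additions, with a Trusted Domains entry lowering rather than hiding the result. The site domain, scans and trust list are constructed.

```javascript
// Added example, not WSCS code: classify crawled assets by who requested them, diff two
// scans, and rank the additions the way the Asset Diff analyzer's output is read.
const FIRST_PARTY = new Set(["shop.example"]); // assumed: the scanned site's own domain
const host = (url) => new URL(url).hostname;

// asset = { url, type, initiator }; initiator is the URL of the script that loaded it,
// or null when the page's own HTML requested it.
function classify(asset) {
  if (FIRST_PARTY.has(host(asset.url))) return "1st-party";
  if (!asset.initiator || FIRST_PARTY.has(host(asset.initiator))) return "3rd-party";
  return "4th-party"; // pulled in by a third-party script, not by our code
}

// Added/removed assets between two scans, with party classification on additions.
function diffScans(previous, current) {
  const before = new Set(previous.map((a) => a.url));
  const after = new Set(current.map((a) => a.url));
  return {
    added: current.filter((a) => !before.has(a.url)).map((a) => ({ ...a, party: classify(a) })),
    removed: previous.filter((a) => !after.has(a.url)).map((a) => a.url),
  };
}

// Rank additions: a new non-first-party script is the signal that matters, a 4th-party
// one more so; a current Trusted Domains approval downgrades it instead of hiding it.
function triage(diff, trusted, now = new Date()) {
  return diff.added.map((a) => {
    const approval = trusted[host(a.url)];
    const trustedNow = Boolean(approval) && (!approval.expires || new Date(approval.expires) > now);
    let severity = "info";
    if (a.type === "script" && a.party === "3rd-party") severity = "medium";
    if (a.type === "script" && a.party === "4th-party") severity = "high";
    if (trustedNow && severity !== "info") severity = "low";
    return { url: a.url, party: a.party, severity };
  });
}

// Constructed sample scans of a checkout page, taken a day apart.
const SCAN_1 = [
  { url: "https://shop.example/app.js", type: "script", initiator: null },
  { url: "https://tags.example.net/gtm.js", type: "script", initiator: null },
];
const SCAN_2 = [
  ...SCAN_1,
  { url: "https://shop.example/checkout.css", type: "stylesheet", initiator: null },
  { url: "https://cdn.analytics.example/a.js", type: "script", initiator: "https://tags.example.net/gtm.js" },
  { url: "https://unknown-host.test/unexpected.js", type: "script", initiator: "https://tags.example.net/gtm.js" },
];
const TRUSTED = { "cdn.analytics.example": { expires: "2099-01-01" } }; // assumed approval
function run() { return triage(diffScans(SCAN_1, SCAN_2), TRUSTED); }
```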

Troubleshooting

Scan Not Completing

If a scan appears stuck:

  1. Verify the target URL is accessible from the public internet
  2. Check that authentication credentials are still valid (for authenticated scans)
  3. Ensure the page doesn't block automated browsers (check for CAPTCHAs or bot protection)

Too Many Third-Party Findings

If legitimate third-party scripts generate findings, add their domains to your Trusted Domains list with an appropriate expiration date.

Missing Assets in Inventory

Some assets load dynamically after user interaction (e.g., chat widgets on scroll). WSCS crawls the page as-rendered — assets that require specific user actions may not appear. Consider adding separate targets for different page states.