Scan Results
The scanner consolidates findings from all checks into a single overall result: PASS, WARN, or FAIL. The overall result determines whether an import proceeds and what trust badge a marketplace package receives.
Overall Result Determination
The overall result is determined by the highest-severity finding across all checks:
| Highest Finding Severity | Overall Result | Import Action | Marketplace Action |
|---|---|---|---|
| None (zero findings) | PASS | Proceeds normally | Listed with green shield badge |
| Low or Medium only | WARN | Proceeds with warning recorded in audit log | Listed with yellow shield badge; warning count shown |
| High or Critical | FAIL | Blocked — package not installed, rollback if partially applied | Rejected — not listed; publisher notified |
Complete Scan Report Structure
```json
// GET /api/installhub/imports/{importId}/scan-report
// GET /api/marketplace/submissions/{submissionId}/scan-report
{
  "packageId": "mkt-pkg-a1b2c3",
  "version": "3.0.0",
  "overallResult": "WARN",
  "scannedAt": "2026-05-25T14:05:22Z",
  "durationMs": 2847,
  "checkResults": [
    {
      "check": "ExpressionInjection",
      "result": "PASS",
      "findings": []
    },
    {
      "check": "SqlInjection",
      "result": "PASS",
      "findings": []
    },
    {
      "check": "DependencyVulnerability",
      "result": "WARN",
      "findings": [
        {
          "artifactType": "PackageDependency",
          "artifactName": "acme-corp/form-utils",
          "field": "packageDependencies",
          "value": "acme-corp/form-utils@1.0.0",
          "rule": "CVE-2026-12345",
          "severity": "Medium",
          "message": "Dependency 'acme-corp/form-utils@1.0.0' has CVE-2026-12345 (CVSS 5.4, Medium). Update to 1.0.1 or later."
        }
      ]
    },
    {
      "check": "ContentPolicy",
      "result": "PASS",
      "findings": []
    }
  ],
  "summary": {
    "totalFindings": 1,
    "critical": 0,
    "high": 0,
    "medium": 1,
    "low": 0
  }
}
```
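The result-determination rule and the report structure above can be checked from the consuming side: a deployment pipeline should not take `overallResult` on faith but recompute it from the findings and refuse a report that disagrees with itself. The following is an added example written for this page, not InstallHub's own code; the sample report is constructed and abbreviated from the one shown above, and the `deploy_allowed` gate is a hypothetical consumer policy.

```python
import json

# Severity ranking taken from the result-determination table above.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def overall_result(findings):
    """PASS with no findings, WARN for Low/Medium only, FAIL for High/Critical."""
    if not findings:
        return "PASS"
    highest = max(SEVERITY_RANK[f["severity"]] for f in findings)
    return "FAIL" if highest >= SEVERITY_RANK["High"] else "WARN"


def recompute(report):
    """Rebuild the summary block and overall result from checkResults alone."""
    findings = [f for check in report["checkResults"] for f in check["findings"]]
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"].lower()] += 1
    return {"totalFindings": len(findings), **counts}, overall_result(findings)


def verify_report(report):
    """Return inconsistencies between the stated results and the findings."""
    problems = []
    summary, result = recompute(report)
    if result != report["overallResult"]:
        problems.append(f"overallResult {report['overallResult']} != computed {result}")
    if summary != report["summary"]:
        problems.append(f"summary {report['summary']} != computed {summary}")
    for check in report["checkResults"]:
        expected = overall_result(check["findings"])
        if check["result"] != expected:
            problems.append(f"{check['check']}: {check['result']} != computed {expected}")
    return problems


def deploy_allowed(report, accept_warn=False):
    """Hypothetical gate: PASS deploys, WARN only when explicitly accepted, FAIL never."""
    if verify_report(report):
        return False  # a self-inconsistent report is not trusted at all
    return report["overallResult"] == "PASS" or (accept_warn and report["overallResult"] == "WARN")


# Constructed sample, abbreviated from the scan report shown above.
SAMPLE = json.loads('''{"overallResult": "WARN", "checkResults": [
  {"check": "SqlInjection", "result": "PASS", "findings": []},
  {"check": "DependencyVulnerability", "result": "WARN", "findings": [
    {"artifactName": "acme-corp/form-utils", "severity": "Medium", "rule": "CVE-2026-12345"}]}],
  "summary": {"totalFindings": 1, "critical": 0, "high": 0, "medium": 1, "low": 0}}''')
```

A report whose `overallResult` has been edited to PASS while a Medium finding remains fails `verify_report` and is rejected regardless of `accept_warn`.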
How WARN Is Presented to Importers
When an import completes with a WARN scan result, the import response includes the scan report and a warning message. The import is not blocked, but the warning is permanently recorded in the import audit log:
```json
{
  "status": "Success",
  "importId": "imp-f9a2c1e8",
  "scanResult": "WARN",
  "scanWarnings": 1,
  "scanReportUrl": "/api/installhub/imports/imp-f9a2c1e8/scan-report",
  "message": "Import completed successfully. 1 security warning was detected — review the scan report before deploying this package in production."
}
```
How FAIL Is Reported
```json
// Import blocked by FAIL:
{
  "status": "Failed",
  "stage": "SecurityScan",
  "scanResult": "FAIL",
  "error": "SecurityScanFailed",
  "message": "Import blocked — security scan returned FAIL. The package was not installed. Review the scan report for details.",
  "rolledBack": true,
  "scanReportUrl": "/api/installhub/imports/imp-f9a2c1e8/scan-report"
}
```
Scan Result Persistence
Scan reports are stored permanently as part of the import or submission record. They cannot be deleted or modified after generation. The scan report is available for auditors and security teams through the API and in the InstallHub admin console.
Scan Timeout
The scanner has a maximum execution time of 120 seconds per package. If the scan does not complete within this limit (rare — typically only with very large packages or database connectivity issues), the import is placed in a ScanTimeout state and retried automatically up to 3 times before failing with a ScanError result:
```json
{
  "status": "Failed",
  "stage": "SecurityScan",
  "error": "ScanError",
  "message": "Security scan failed after 3 attempts due to scanner service timeout. Contact support if this persists.",
  "supportTicketUrl": "https://support.bizfirstai.com/new"
}
```