eComscan secures over 7,000 online stores
  • 30-day money back guarantee
  • Easy 5 minute install
  • Cancel any time
Get started in 5 minutes!
Secure your store today.
CLICK HERE

How to install eComscan on Magento Cloud

  • 19th May 2023

    Support / About eComscan

See the general instructions for running ecomscan for the first time.

Magento Cloud has read-only storage, which is good practice from a security perspective. However, since eComscan uses auto-update to always have the latest detection capabilities, eComscan needs to be installed on a writable partition of your server.

For Magento Cloud, there is a writable section under /mnt/shared/. You can use this to install eComscan:

mkdir -p /mnt/shared/$LOGNAME/sansec
curl https://sansec.io/downloads/linux-$(uname -m)/ecomscan -o /mnt/shared/$LOGNAME/sansec/ecomscan
chmod 755 /mnt/shared/$LOGNAME/sansec/ecomscan

To set up continuous monitoring, you should request special CRON access with Magento here: https://cloud.magento.com/project/<id>/setup/project_details

Once that is enabled, you can install a cron in your repository, as described here:

https://devdocs.magento.com/guides/v2.3/cloud/configure/setup-cron-jobs.html

Magento Cloud monitoring recommendations

We recommend to:

  • Install ecomscan on the first node of your production environment.
  • Run a daily scan for all files (path: /app/$LOGNAME). For a large store, this scan may take up to an hour.
  • Run an hourly scan for your database assets (path: /app/$LOGNAME/app/etc/env.php). Because only selected tables are scanned, this scan is completely unobtrusive.

Summing up, adding eComscan to your .magento.app.yaml file may look like this:

crons:
    ecomscanhourly:
        spec: "10 * * * *"
        cmd: "/mnt/shared/$LOGNAME/sansec/ecomscan -k YOURKEY ​--monitor [email protected] /app/$LOGNAME/app/etc/env.php"
    ecomscandaily:
        spec: "40 1 * * *"
        cmd: "/mnt/shared/$LOGNAME/sansec/ecomscan -k YOURKEY ​--monitor [email protected] /app/$LOGNAME"

Safely storing eComscan key

While exposure of your license key would not expose your data (it would merely give access to our signature feed), we do recommend to treat it as any other secret and keep it separate from your source repo.

You can store the secret key outside of your repo root, for example in /mnt/shared/$LOGNAME/sansec/license.txt and access it like this:

/mnt/shared/$LOGNAME/sansec/ecomscan -k $(cat /mnt/shared/$LOGNAME/sansec/license.txt) ​/app/$LOGNAME

This page was last updated at Mar 16th, 2023

Need expert advice?

We are here to help!

Get in touch