Will eComscan  report all missing patches?

eComscan currently only monitors for the lack of critical patches, eg patches for bugs that are actively exploited. There is no alerting for missing patches that only fix "theoretical flaws" (for which no actual abuse method is known to exist), as we do not want to overload our customers with alerts for minor, hypothetical issues. This behavior may change in the future though.

I have set up monitoring via cron but only got 1 mail?

It is the intended behaviour of --monitor to only send a mail when something has changed. If you want to always get an email report, change --monitor into --report. 

I have set up monitoring via cron but I get mail every time?

Change --report into --monitor and you will only be notified whenever an new issue is found, or an old issue has been fixed.

How do I scan multiple folders / storefronts?

Some providers, such as Nexcess, advice to set up different root folders per storefront using symlinks. The best way to scan them all, is to scan the parent folder (ie, your home directory).

I have patched a vulnerable extension, but it still flags red?

Our vulnerable module check uses version numbers, not code signatures. If you have manually patched a vulnerable module, you can add "-patch" to the version number (in Vendor/Module/etc/config.xml), so that eComscan will stop flagging it as vulnerable.


Can I use my eComscan license to scan staging/development servers?

Yes, you are allowed to use your license key on any store that shares the same primary domain name.

I always get this error: Could not download signature db. 

Something seems wrong with your network configuration. You are either behind a very restrictive firewall, or you have IPv6 lookups enabled for DNS but IPv6 routing fails. You should ask your network administrator / ISP.

I get: Query failed, perhaps this is a dev/test db server that I cannot reach

eComscan uses the password for the database from your store configuration. Sometimes, it finds store configuration that is used in local or development servers, and cannot connect to these servers. If you suspect something else is wrong, please re-run ecomscan with the --verbose option and share the results with us.

Shall I implement Content Security Policy (CSP) and Subresource Integrity (SRI) ?

There are two technical measures that you can implement to improve the security of your store: CSP and SRI. They are comparable to the airbag in your car: they will limit some damage but won't stop your car from crashing. In essence, they restrict the Javascript that can be run on your site. 


  • Good protection against Supply Chain Attacks. If one of your embedded suppliers get hacked, they won't be able to take control of your site.


  • It can be costly to maintain. If your supplier's Javascript changes, you would have to update the SRI checksum. If you add a new library, you would need to update the CSP configuration. Depending on how often this happens, this can be cumbersome.
  • If you don't use external Javascript, it has very little benefit. If attackers can break into your site, they can also modify the CSP/SRI headers.
  • There are several techniques that circumvent CSP, so it will only catch 99% of malware.

All in all, it is a trade off between maintenance costs and possible losses. We recommend to implement it if you have annual revenue over $20M.