Configuration Scan Inventory
This report helps security analysts evaluate the encryption protocols, cipher suites, and quantum-readiness of services running within the network. It is commonly used to verify compliance with cryptographic standards, detect weak configurations, and ensure readiness for Post-Quantum Cryptography.
Starting with v2026.2.0.0, the configuration scan inventory has been enhanced to be a unified multi-source inventory for PQC readiness. Instead of removing and re-adding all records for an endpoint on every scan, each configuration record is upserted: updated if already present, inserted if new. The previous data (the version being replaced) is retained in the PQC audit logs.
- A source's refresh removes only the configurations that were not detected in the current scan, rather than clearing the entire endpoint's data before re-adding it. This ensures that configurations present in a partial or incremental scan are not inadvertently removed.
- When two sources detect the same cryptographic configuration on the same endpoint, a single inventory record is maintained — the last source to report it is reflected as the discovery source. This eliminates duplicate records across sources for the same configuration.
- A last discovered timestamp is added to every record, updated on each scan, to provide visibility into how recently each configuration was last seen.
- The scope of network discovery agentless scans is currently limited to certificates and protocols; library discovery is not supported.
- For agentless scans under the existing certificate network scan, only IP range and subnet–based scans are supported; URL-based scans are not applicable.
- Data retrieved from an agentless scan is displayed in the configuration scan inventory even if the AppViewX Config Scan Agent is not installed, since it does not require agent intervention.
- If an agent-based scan is performed after an agentless scan, data from the agent-based scan will replace the data from the agentless scan.
- If an agentless scan is performed after an agent-based scan:
  - Data for the newly discovered ciphers and protocols, from the scanned IP/port, will be added to the inventory.
  - Existing service binding and library app information will not be modified.
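
The upsert and per-source refresh behavior described above can be modeled in a few lines. This is an added illustration, not AppViewX code: the class, field names, source labels (`agent`, `agentless`), and sample endpoint are constructed, and it assumes a refresh prunes only records that the refreshing source last reported for that endpoint.

```python
from datetime import datetime, timezone

class Inventory:
    """Toy model of the multi-source inventory; all names here are assumptions."""

    def __init__(self):
        self.records = {}    # (endpoint, crypto_category, crypto_value) -> record
        self.audit_log = []  # previous versions of records that were replaced

    def apply_scan(self, source, endpoint, findings, when):
        """Upsert one source's findings for one endpoint, then prune stale ones."""
        seen = set()
        for category, value in findings:
            key = (endpoint, category, value)
            seen.add(key)
            if key in self.records:
                # Update in place; the replaced version goes to the audit log.
                self.audit_log.append({"key": key, **self.records[key]})
            # One record per configuration; the last reporter is the source.
            self.records[key] = {"discovery_source": source, "last_discovered": when}
        # Assumption: a refresh prunes only records this source last reported
        # for this endpoint and did not detect in the current scan.
        stale = [k for k, r in self.records.items()
                 if k[0] == endpoint and r["discovery_source"] == source and k not in seen]
        for key in stale:
            del self.records[key]
        return stale

def demo():
    """Constructed scan sequence against one endpoint (sample data)."""
    inv, ep = Inventory(), ("10.0.0.5", 443)
    t = [datetime(2026, 1, d, tzinfo=timezone.utc) for d in (1, 2, 3)]
    inv.apply_scan("agent", ep, [("Protocol", "TLS 1.0"), ("Protocol", "TLS 1.3"),
                                 ("Cipher", "TLS_AES_256_GCM_SHA384")], t[0])
    # Partial agentless scan: reports one protocol, must not drop the rest.
    inv.apply_scan("agentless", ep, [("Protocol", "TLS 1.3")], t[1])
    after_partial = dict(inv.records)
    # Agent rescan after TLS 1.0 was disabled on the host.
    removed = inv.apply_scan("agent", ep, [("Protocol", "TLS 1.3"),
                                           ("Cipher", "TLS_AES_256_GCM_SHA384")], t[2])
    return inv, after_partial, removed, t

if __name__ == "__main__":
    inv, _, removed, _ = demo()
    print("removed:", removed, "| audit entries:", len(inv.audit_log))
```

In this model, a record that keeps an old Last Discovered value while its neighbors advance is one that no recent scan has confirmed.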
Viewing the Configuration Scan Inventory
Verify that your user role has the required ACF permission to view configuration scan inventory. To enable the ACF permission, click here.
To view the configuration scan inventory:
Common Inventory Functions
| Feature | Description |
|---|---|
| Filters | To filter the inventory for viewing specific data: |
| Search | Enter free text or keywords to search for specific entries in the inventory. Important: Currently, values from the following fields cannot be used as search keywords, as they are not supported by the search functionality and will be treated as invalid input: |
| Export | To export the inventory data: The inventory data is downloaded to your local system as a zipped file. |
| Pagination | Use the pagination control dropdown to select the number of records that will be displayed per page of the inventory. You can select to display 25, 50, 75, or 100 records per page of the inventory. |
| Pagination Navigation | Use the pagination navigation buttons to move between the pages in the inventory. |
| Refresh | Use the Refresh button to reload the inventory to display the up-to-date records. |
Configuration Scan Inventory Fields
| Column Name | Description |
|---|---|
| IP Address | Displays the IP address of the scanned host. Each row represents one detected service on a unique IP. |
| FQDN | Shows the domain name associated with the IP address. Useful for identifying hostnames in DNS-based scans. |
| Discovery Source | Indicates how the cryptographic asset or configuration was identified, via an agent-based scan (executed using the AppViewX Config Scan Agent or the AppViewX Code Scan Agent) or an agentless scan (executed using the existing network discovery scan flow from the CLM module). Note: |
| Service | Identifies the detected service running on the host (for example, exim, nginx, or apache) |
| Port | Specifies the network port used by the application. This indicates where the service is accessible |
| Service Binding / Hostname | Displays the: |
| Crypto Category | Defines the type of cryptographic setting being reported (for example, Protocol, Cipher, Certificate, or Algorithm). |
| Crypto Value | Shows the protocol version or cryptographic mechanism in use (for example, TLS 1.3, SSL 3.0, etc.). |
| Cipher Suite | Lists the exact cipher suite negotiated for the TLS/SSL connection (for example, TLS_AKE_WITH_...). |
| Key Exchange Algorithm | Indicates the cryptographic algorithm used to securely negotiate encryption keys between parties during the initial phase of a secure communication session (for example, the TLS handshake). |
| Authentication | Specifies the authentication algorithm (for example, ECDSA, Dilithium, etc.) used for validating the identity of the communicating entities. |
| Last Discovered | Date and time of the most recent scan that detected the configuration |
| Severity | Displays the security impact level associated with the detected configuration. Levels may include Low, Medium, High, or Critical. |
| CMDB Operational Status | Indicates the current state of the configuration item (CI) using the following values: |
| CMDB Match Status | Indicates if the configuration asset listed in the inventory can be linked to a configuration item (CI) in the CMDB and if the CI’s data can be used for populating the business context in the configuration scan inventory (in the Business Application, Owner, and Business Criticality fields). For a detailed understanding of how the CMDB status is populated, see Understanding CMDB Status Values (Configuration Scan). |
| Business Application | Application or service that the scanned configuration asset is associated with |
| Owner | Individual/team that is responsible for the business application and the configuration asset |
| Business Criticality | Impact of the application and the configuration asset on the business operations |
| Quantum Readiness | Indicates whether the cryptographic configuration is resistant to quantum-based attacks. |
| Recommended Action | Provides guidance or next steps for remediation or optimization. If no action is required, it may display N/A. |
Understanding the CMDB Match Status Values (Configuration Scan)
| Scenario | Condition | CMDB Status | Business Criticality / Owner / Business Application Columns |
|---|---|---|---|
| Unique CI found and active | operational_status in (Operational, In Service, Running) | Matched – Fully Enriched | Populate values as in CMDB |
| CI inactive / retired / decommissioned | operational_status in (Retired, Inactive, Decommissioned, Removed) | Matched – Fully Enriched | Populate as in CMDB |
| CI found, but lifecycle fields missing | operational_status or install_status missing | Matched – Fully Enriched | Populate available values |
| CI found, but enrichment fields blank | Fields like Business App, Owner, Criticality missing | Matched – Partially Enriched | Populate available data only |
| Multiple matching CIs found | Multiple CIs found | Matched – Fully Enriched | Enrich fields according to the latest data update. |
| No CI found | No CI found | Unmatched | Leave enrichment fields empty |
| CMDB query failed (connectivity/auth/system error) | Failure to connect to CMDB | CMDB Connection Failed | Leave enrichment fields empty |
