WebRiskOps

Data collected and excluded

Understand which scan evidence WebRiskOps stores, which sensitive data stays excluded and where to check redaction before sharing reports.

Customers setting scope and technical reviewers

Feature availability

Product, package, provider and deployment boundaries for this page.

Available from
Current documentation
Deployment modes
cloud

Product screenshots

Current customer-safe screenshots are generated from the application so examples do not drift from the product.

Generated customer-safe screenshot of the scan detail worker readiness and artifact availability state.

Before reviewing collected data

Use this page after a live audit has produced scan evidence and before sharing a report, ticket export or screenshot with another person. The goal is to confirm that evidence comes from public in-scope pages and that sensitive or unsupported data is excluded. WebRiskOps stores enough evidence to explain a finding, reproduce the page state and route the next automated action. It should not become a store for customer secrets, payment details, private account pages or unrelated domains.

Confirm collected and excluded evidence

Follow the path `Scans → Scan detail → Worker readiness → Artifacts → View issues → Privacy redaction`.

  1. Open /scans/{scanRun} from a completed scan. Result: the scan detail page shows Status, Worker readiness, artifact availability and scan coverage notes for the exact run.
  2. Check Worker readiness → Artifacts. Result: Screenshot, HTML snapshot and issue evidence availability are visible before anyone shares the report.
  3. Open View issues or a page evidence entry. Result: collected data is limited to URL, status, title, screenshot or HTML path, console and network counts and normalized issue evidence.
  4. Compare the URL and coverage notes with Accepted scan scope. Result: admin, checkout, account, logout, private, out-of-domain and excluded paths stay out of evidence.
  5. Confirm redaction notes before sharing reports. Result: secrets, tokens, credentials, payment details and personal form values are removed or excluded before publication.
  6. If a data request is unsupported, continue to Privacy redaction or Failure and skipped-page meanings. Result: the flow explains why WebRiskOps will not collect the requested data.

What WebRiskOps collects

Collected evidence should be tied to one accepted scan scope and one scan run.

  • Public in-scope URL, final URL, status code and page title.
  • Screenshot and HTML snapshot paths when those artifacts are available.
  • Console error counts, network error counts and normalized issue evidence.
  • Scan coverage notes, skipped-page reasons and blocked artifact reasons.
  • Report and ticket fields needed to explain the finding and the automated next action.

What WebRiskOps excludes

Excluded data is data the scan should not capture, publish, export or use as a reason to expand scope.

  • Passwords, tokens, credentials, secret keys and session identifiers.
  • Payment card numbers, provider secrets and payment authorization details.
  • Private account areas, admin dashboards, logout paths and pages outside accepted scope.
  • Form values that are not needed to explain the public page finding.
  • Customer data from another account, domain, project or client workspace.

Continue to screenshots and privacy checks

When artifact availability is clear, continue to [Screenshots and HTML snapshots](/docs/projects/screenshots-and-html-snapshots). If evidence includes redaction, unsupported private areas or a sharing concern, continue to [Privacy redaction](/docs/projects/privacy-redaction) before publishing or exporting the report.

Related documentation

Browser renderingScreenshots and HTML snapshotsConsole and network evidencePrivacy redactionFailure and skipped-page meanings

Was this page helpful?

Feedback goes into the product documentation review queue.