Skip to main content

Discovery pages

The five discovery screens: sources (scan configuration and run-now), source detail with scan history, the inventory of discovered certificates and endpoints with PQC badges, security findings with acknowledge/suppress, and the manage wizard that turns a discovered certificate into a managed one. Concepts and scanner behaviour live in the Discovery section — this page is the screen tour.

Open it from the top menu: Discovery. All discovery pages are project-scoped.

Sources

The landing page lists your discovery sources. The header has a search box, Inventory and Findings shortcuts, Refresh, and Add Source. When open findings exist, a clickable summary banner shows the critical/high/medium/low counts and jumps to the Findings page.

ColumnContent
NameSource name. Sortable.
TypeHOSTNAME · CIDR · CT Log.
RecordsNumber of scan records (or monitored domains for CT Log).
ScheduleScan interval, e.g. 24h.
Last RunRelative time, coloured by outcome (green completed, red failed). Never-run sources show Never.
Statusactive or paused.
ActionsPause/Resume, Scan Now (active sources only), Delete (removes the source and its endpoints and run history).

Clicking a row opens the source detail.

Adding a source

Add Source opens a modal:

  1. Name, optional Description.
  2. TypeHostname (FQDN), CIDR / IP, or CT Log Monitor.
  3. Type-specific fields:
    • Hostname / CIDR — a list of records, each a value (example.com or 10.0.0.0/24) plus comma-separated ports (default 443); Max Targets caps how many IPs a CIDR expands to (default 512). CIDR shows an authorization warning, and public IP ranges are skipped unless you enable Allow Public IP Scan.
    • CT Log — domains to monitor (one per line, max 50), Include subdomains, provider (fixed to crt.sh), and optional Allowed Issuers to filter observations. See CT monitoring.
  4. Schedule (hours) — automatic scan/poll interval, minimum 24.

Scanner behaviour, SSRF protection, and scheduling: Sources.

Source detail

Header: source name, status tag, Back to the source list. A summary card shows the full configuration — type, schedule, concurrency, timeout, max targets, SNI mode, public-scan flag, records (or monitored domains and allowed issuers for CT Log), next scan time, and a red Consecutive Errors counter if recent runs failed — plus a Scan Now button. Triggering a scan navigates straight to the resulting job.

Two tabs:

  • Certificates — certificates discovered by this source (subject, issuer, expiry, key, Managed/Unmanaged status, endpoint count); rows open the inventory detail. CT Log sources show a CT Certificates tab instead: common name, issuer, matched domain, log entry time, expiry, and how it matched (cn/san).
  • Scan History — one row per run: started (relative), status (completed / running / failed / skipped), total/success/failed target counts, New Certs, Changed, Disappeared, duration, and who triggered it. Rows with a linked job open the job detail.

Inventory

Discovery → Inventory aggregates everything discovered across sources. Six summary tiles sit on top: Certificates, Endpoints, Managed, Unmanaged, Expiring (30d), Expired. Below them, a Quantum Readiness panel breaks certificates into Vulnerable (weak keys — upgrade first), Transition (standard crypto — migrate later), Ready (quantum-safe), and Unknown (rescan to classify) — see PQC readiness.

Two tabs:

Certificates tab

Search (subject, issuer, SANs) and an Expiring within filter (7/30/90 days) sit above the table.

ColumnContent
SubjectCertificate subject.
IssuerIssuer string.
SANsSAN count.
ExpiryRelative tag — red expired, orange expiring within 30 days.
KeyAlgorithm + size, e.g. RSA 2048.
PQCPost-quantum readiness badge (hover for the explanation).
EndpointsHow many endpoints serve this certificate.
StatusManaged (green, links to the managed certificate) or Unmanaged.
ActionsManage — opens the manage wizard for unmanaged certificates.

Rows open the fingerprint detail.

Endpoints tab

One row per scanned endpoint: host, port, SNI, certificate fingerprint (truncated, hover for full), negotiated TLS version, Legacy TLS flags (whether the server still accepts TLS 1.0/1.1 — red/orange when it does), cipher suite, status (managed / unmanaged / failed), and last-seen time. Rows open the detail page of the certificate the endpoint serves.

Discovered certificate detail

Each inventory row opens /discovery/inventory/<fingerprint>:

  • Header: subject, plus either View Managed Certificate or Manage with CertAutoPilot.
  • Tag strip: risk level and score, Managed/Unmanaged, and Self-Signed / Wildcard flags where applicable.
  • Descriptions table: subject, issuer (and issuer org), validity window (expired dates in red), key algorithm and size, signature algorithm, serial, full SHA-256 fingerprint, chain length, endpoint count.
  • Info panels (shown when populated): Risk Factors (weighted), Signals, Quantum Readiness (with a migration recommendation for vulnerable keys), Subject Alternative Names, Certificate Chain (issuer hierarchy), and Open Findings for this certificate.
  • TLS & Endpoint Details — per-endpoint negotiated TLS version, legacy TLS 1.0/1.1 acceptance, cipher suite, and a PFS (perfect forward secrecy) verdict.
  • Certificate Replacement History — replacements detected on endpoints that served this fingerprint, with change tags (key rotated, issuer changed, …) and old → new fingerprints. See drift detection.

Findings

Discovery → Findings lists security findings raised by scans. Clickable severity tiles (critical / high / medium / low / info) filter the table; two dropdowns filter by status (default shows open + acknowledged; options All, Open, Acknowledged, Suppressed, Resolved) and severity.

ColumnContent
SeverityCRITICAL / HIGH / MEDIUM / LOW / INFO tag.
TitleFinding title. Suppressed findings that are still being detected carry a still detected tag.
Statusopen · acknowledged · suppressed · resolved auto.
AffectedNumber of affected endpoints.
First / Last SeenRelative times, hover for exact.
ActionsAck (open findings) and Suppress.
  • Ack — marks the finding acknowledged; an optional note is stored.
  • Suppress — hides the finding from the default view; a reason is required. The finding keeps its still detected tag while scans keep seeing it.
  • resolved auto is set by the scanner itself once the underlying condition disappears — there is no manual resolve button.

Clicking a row jumps to the affected certificate's detail page when the finding is certificate-linked. Finding types, severities, and remediation hints: Findings.

Manage wizard

Manage (from the inventory, the findings shortcut, or the cert detail) starts the adoption flow at /discovery/manage/<fingerprint> — a five-step wizard: Review → Configure → Zone & Domains → Options → Confirm.

  1. Review — the discovered certificate: subject, issuer, expiry, key, its SANs, the endpoints it's deployed on, and the suggested domains derived from them.
  2. Configure — certificate name (pre-derived from the primary domain), description, owner, ACME account (the wizard issues via ACME; the account list respects policy restrictions), organization for OV/EV accounts, and the DNS validation method (automatic or manual).
  3. Zone & Domains — zone (for automatic validation) and the domain list, pre-filled from the suggested domains. Policy SAN violations are shown as blocking errors.
  4. Options — key type (pre-mapped from the discovered certificate's key), auto-renew (locked off for manual DNS, locked on when policy requires it), renewal threshold, key rotation policy.
  5. Confirm — summary, then Issue Certificate. Issuance may detour to the approval workflow; otherwise you land on the new certificate's detail page, and the discovered fingerprint is linked so the inventory row flips to Managed once the replacement is picked up.

What adoption changes, prerequisites, and troubleshooting: Manage wizard.

See also