Troubleshooting
Step-by-step guidance for the most common issues security and engineering teams hit when running VulnProScan — covering IaC scanning, SAST, cloud audit, multi-user teams, DAST, and reporting.
Account & access
Login problems
- Confirm you are using the email address provisioned for your workspace.
- Use “Forgot password” on the login page to rotate credentials.
- Clear site data for vulnscan hostnames if SSO or cookies were updated recently.
- If your organization enforces IP allowlists, verify your network is permitted.
IaC Scanning
IaC scan returns no findings
- Confirm the uploaded ZIP contains supported files: .tf, .json (CloudFormation), .yaml/.yml (K8s or CloudFormation), or .bicep/.arm.
- The Starter plan is limited to Terraform and CloudFormation; upgrade to Pro for full framework support, including K8s YAML and ARM templates.
- Ensure the ZIP is not password-protected and does not exceed the 50 MB upload limit.
- Check the dashboard for a “docker_unavailable” error — this means the Checkov container could not start; retry in a few minutes.
IaC scan shows “Docker unavailable” or times out
- The IaC scanner runs Checkov inside Docker. If the worker environment is cold-starting, the first scan may take 60–90 seconds.
- Retry the scan — the system will attempt up to 3 times automatically before returning a 503 error.
- If the issue persists, contact support with the scan ID from the URL bar so we can check worker health.
IaC findings reference resources I do not recognise
- Checkov analyses all .tf and template files in the ZIP, including modules and sub-directories.
- Use the file path and line number in each finding to locate the exact resource in your codebase.
- Suppress false positives by adding a checkov:skip comment inline, or contact support to adjust rule sensitivity.
SAST
SAST scan produces no results
- SAST is available on Pro and above; the Starter plan does not include Semgrep analysis.
- Confirm the ZIP contains source files in a supported language: JavaScript, TypeScript, Python, or Go.
- Avoid uploading compiled artifacts (dist/, build/, node_modules/) — Semgrep analyses source code only.
- Check that the ZIP is not nested inside a second archive and that source files are not encrypted.
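The upload checks from the "IaC scan returns no findings" and "SAST scan produces no results" lists can be run locally before uploading. The script below is an added example, not VulnProScan code; the function names, the archive extension list and the mapping from SAST languages to file extensions are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

MAX_BYTES = 50 * 1024 * 1024  # upload limit stated in the IaC checklist
# File types from the checklists; the SAST extension mapping is an assumption.
SUPPORTED = {
    "iac": {".tf", ".json", ".yaml", ".yml", ".bicep", ".arm"},
    "sast": {".js", ".jsx", ".ts", ".tsx", ".py", ".go"},
}
ARCHIVES = {".zip", ".tar", ".gz", ".tgz", ".7z", ".rar"}  # assumed list
BUILD_DIRS = {"dist", "build", "node_modules"}


def preflight(data: bytes, mode: str) -> list[str]:
    """Return reasons an upload would likely scan empty ([] means none found)."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append("archive exceeds the 50 MB upload limit")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return problems + ["not a readable ZIP archive"]
    usable = 0
    for info in zf.infolist():
        if info.is_dir():
            continue
        path = PurePosixPath(info.filename)
        ext = path.suffix.lower()
        if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
            problems.append(f"encrypted entry: {info.filename}")
        elif ext in ARCHIVES:
            problems.append(f"nested archive: {info.filename}")
        elif mode == "sast" and BUILD_DIRS & set(path.parts[:-1]):
            problems.append(f"build artifact, not source: {info.filename}")
        elif ext in SUPPORTED[mode]:
            usable += 1
    if usable == 0:
        problems.append(f"no supported {mode} files found")
    return problems


def make_zip(files: dict[str, str]) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

Call `preflight(open("upload.zip", "rb").read(), "iac")` or pass `"sast"`; an empty list means none of the listed causes apply.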
SAST findings seem like false positives
- Each finding includes the matched pattern and the OWASP/CWE rule that triggered it — review the evidence before dismissing.
- Context-sensitive patterns (e.g. SQL injection in an ORM wrapper) may need manual triage; use the “mark as accepted risk” option in the dashboard.
- If a finding category is systematically wrong for your codebase, contact support with examples so we can refine the Semgrep ruleset.
Cloud Audit
Cloud audit shows “credentials invalid” or “access denied”
- Verify the AWS access key, secret, and region are entered correctly in the scan form — no trailing spaces.
- The IAM user or role requires read-only permissions: the SecurityAudit and ViewOnlyAccess AWS managed policies are sufficient for most checks.
- For Azure and GCP, ensure the service principal or service account has Reader role at the subscription or project level.
- Confirm credentials have not expired or been rotated since the scan was configured.
Cloud audit returns fewer findings than expected
- Prowler scopes its checks to the region and account provided — multi-region environments require separate scans per region.
- Some checks require additional permissions beyond the base read-only policy; review the Prowler documentation for service-specific requirements.
- Business+ plans include IaC drift detection — ensure both an IaC scan and a cloud audit have been run against the same environment to see drift findings.
Cloud audit scan times out or takes very long
- Large AWS accounts with many resources and regions can take 5–15 minutes for a full Prowler audit.
- If the scan appears stuck beyond 20 minutes, check the dashboard for a timeout error and retry.
- Narrow the scan to a specific region to reduce runtime when debugging credential issues.
Multi-User Teams
Team invite email not received
- Ask the invitee to check their spam and junk folders — magic-link emails may be filtered.
- The invite link expires after 48 hours; the team Owner or Admin can resend from the Team management page.
- Confirm the email address entered exactly matches the invitee's registered address, including capitalisation.
Team member cannot see shared scans
- Shared scans are only visible when the team member has selected the correct team workspace from the Team Selector in the dashboard.
- Confirm the scan was run with “Share with team” enabled — scans run in personal mode are not shared by default.
- Admin and Member roles both have read access to shared scans; check that the member's invite was accepted and their role is set correctly.
“Team capacity full” when inviting members
- The Business plan supports up to 10 members per team workspace. To add more, upgrade to Enterprise.
- Remove inactive members from the Team management page before adding new ones if you want to stay on Business.
- Contact sales if you need to exceed 10 users and need an interim arrangement before upgrading.
DAST / Web scanning
Scan does not start
- Retry after a minute in case a previous scan is still draining worker capacity.
- Open the browser network tab and confirm /api/pentest returns JSON, not HTML or 404.
- Review server logs for rate limiting or upstream proxy errors.
Invalid URL errors
- Include http:// or https:// at the beginning of the target.
- Remove trailing spaces or hidden characters copied from documents.
- Avoid file:// or internal-only hosts unless the scanner has a network path to them.
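The three "Invalid URL errors" checks can be applied to a target before it is submitted. The script below is an added example, not VulnProScan code; the function names and the list of internal-only name suffixes are assumptions.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Assumed markers of internal-only names; adjust to your own DNS conventions.
INTERNAL_SUFFIXES = (".local", ".internal", ".lan")


def is_internal(host: str) -> bool:
    """True for private, loopback or link-local IPs and internal-looking names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost" or "." not in host or host.endswith(INTERNAL_SUFFIXES)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def check_target(raw: str) -> tuple[str, list[str]]:
    """Return (cleaned target, problems found in the raw input)."""
    problems = []
    # Drop control/format characters (zero-width space, BOM) and trim whitespace.
    cleaned = "".join(
        ch for ch in raw if unicodedata.category(ch) not in ("Cc", "Cf")
    ).strip()
    if cleaned != raw:
        problems.append("removed whitespace or hidden characters")
    parts = urlsplit(cleaned)
    if parts.scheme not in ("http", "https"):
        problems.append("target must start with http:// or https://")
    elif not parts.hostname:
        problems.append("no host in target")
    elif is_internal(parts.hostname):
        problems.append("internal-only host: confirm the scanner has a network path")
    return cleaned, problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for target in ("app.example.com", "https://app.example.com/\u200b ", "http://10.0.0.5/"):
        print(repr(target), check_target(target))
```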
Slow scan performance
- Large single-page apps may require longer crawl phases — narrow scope to a specific path if needed.
- Throttle other synthetic traffic hitting the same environment during the scan window.
- Check target latency; high round-trip times extend both spider and active phases.
Empty or incomplete results
- Some applications block automated clients — review WAF or bot management rules.
- If authentication is required, ensure a reachable test account or static token path exists.
- Partial output can appear when scans time out; rerun with a smaller URL subtree.
Reports
Report generation issues
- Copy the raw findings panel as a temporary workaround while export services catch up.
- Verify your browser is not stripping downloads via pop-up blockers.
- For Enterprise PDF bundles, confirm billing status and storage quotas with support.