I am having an issue with the Security Scanner. I have it pointed to a site (upgraded to the latest 2.2 release) and the report is giving me what I believe to be false positives. The reason for this (I think) is because the site in question has a login restriction (my own custom module) which is restricting access to certain pages on the site without a customer login being active.
So my question is, is there a way for me to know which IP the scanner will run from?
I built in the ability to whitelist IPs from the functionality for situations like this, and I could no doubt find out by looking at the server logs, but will the IP remain consistent for future scans, and am I going about this the right way?
I understand what you're saying. I have maybe another false positive (I'm not completely sure yet).
But maybe you can try to contact the security team at the security-at-magento.com email address.