How to Run Delta or Incremental Scans for Web Targets in Astra OrbitX

Last updated: June 8, 2026

Introduction

Delta scanning lets you focus security scans only on newly discovered or recently changed endpoints, rather than rescanning your entire application every time. This saves significant time while keeping your most critical updates covered. This guide walks you through setting up and running incremental scans for web targets.

Prerequisites

Before you begin, ensure you have:

  • An active web target already configured in Astra OrbitX

  • Workspace Full Member access or higher

  • Docker and Docker Compose installed if using CI/CD integration

How Delta Scanning Works

Delta scanning in Astra OrbitX relies on two capabilities working together.

The first is Automated Crawling, which explores your web application to discover new or modified endpoints. It does not perform any security checks — it only updates your endpoint inventory.

The second is a Full Scan with Delta Inventory Coverage, which runs security tests only on endpoints flagged as changed or newly discovered since the last crawl.

Step 1: Keep Your Endpoint Inventory Updated

Before running a delta scan, your endpoint inventory needs to be current. You have two options.

Option A: Trigger a manual crawl by navigating to the Targets page, selecting Automated Crawling (Web) as the scan type, choosing your target, and triggering the scan.

Option B: Schedule crawls automatically by going to the Automations tab and setting a daily or weekly crawl schedule. This is the recommended approach for applications that are updated frequently.

Step 2: Flag Known Changes (Optional)

If you know specific endpoints have changed but the crawler may not catch them automatically, you can mark them manually.

Go to API and Web Endpoints in the dashboard, find the relevant endpoint, click the three-dot menu, and select Mark as Changed. This ensures those endpoints are included in the upcoming delta scan.

Step 3: Run the Delta Scan

Once your inventory is updated, go to the Targets page, select Automated Scan (Full) as the scan type, and under Inventory Coverage choose Delta. Only endpoints marked as changed or newly discovered will be tested.

Step 4: Review Results

After the scan completes, review findings in the Continuous Scans page. All vulnerabilities found on changed endpoints will appear there, and you can manage them from the Vulnerabilities page.

Recommended Scheduling Strategy

Because web crawling can take up to an hour, separate the crawl and scan into two scheduled tasks to avoid gaps in coverage.

A practical example schedule is to run the Automated Crawl at 2:00 AM and follow it with the Delta Scan at 4:00 AM. This ensures the scan always uses the most up-to-date inventory.

Using Delta Scans in CI/CD

Delta scans are significantly faster than full scans, but the web crawling step itself is not suitable for running inline in a CI/CD pipeline due to its duration.

If you still want to trigger a crawl from your pipeline, run it asynchronously by setting the following environment variable so your pipeline does not wait for the crawl to finish.

ASTRA_JOB_EXIT_STRATEGY=always_pass

Once the crawl completes in the background and changes are detected, you can then trigger a delta scan either manually or via a separate scheduled pipeline step.

What Counts as a Change

Astra considers the following as significant changes that trigger delta scan inclusion:

  • New endpoints that did not exist in the previous crawl.

  • New input parameters added to existing endpoints, such as query strings, JSON body fields, or headers.

  • Data type changes to existing parameters that may bypass validation or introduce injection points.
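
The three change rules above, applied to two crawl snapshots, as an added example (not Astra's code or inventory format). The dictionary layout, the sample endpoints and the `delta` function are assumptions made for illustration.

```python
"""Added illustration: diff two endpoint inventories using the three change
rules listed above. The inventory layout is an assumption, not Astra's format."""

# Constructed sample inventories: {(method, path): {(location, name): type}}
PREVIOUS = {
    ("GET", "/api/users"): {("query", "page"): "integer"},
    ("POST", "/api/orders"): {("json", "item_id"): "integer", ("json", "qty"): "integer"},
    ("GET", "/health"): {},
}
CURRENT = {
    ("GET", "/api/users"): {("query", "page"): "integer", ("header", "X-Tenant"): "string"},
    ("POST", "/api/orders"): {("json", "item_id"): "string", ("json", "qty"): "integer"},
    ("GET", "/health"): {},
    ("PUT", "/api/profile"): {("json", "email"): "string"},
}


def delta(previous, current):
    """Return {endpoint: [reasons]} for endpoints matching one of the rules."""
    changed = {}
    for endpoint, params in current.items():
        if endpoint not in previous:
            # Rule 1: endpoint did not exist in the previous crawl.
            changed[endpoint] = ["new endpoint"]
            continue
        old = previous[endpoint]
        reasons = []
        for key, new_type in sorted(params.items()):
            location, name = key
            if key not in old:
                # Rule 2: new query, JSON body or header parameter.
                reasons.append(f"new {location} parameter '{name}'")
            elif old[key] != new_type:
                # Rule 3: existing parameter changed data type.
                reasons.append(f"{location} parameter '{name}' type {old[key]} -> {new_type}")
        # Removed parameters are not on the list above, so they are not flagged.
        if reasons:
            changed[endpoint] = reasons
    return changed


if __name__ == "__main__":
    for (method, path), reasons in delta(PREVIOUS, CURRENT).items():
        print(f"{method} {path}: {'; '.join(reasons)}")
```

Endpoints that this kind of comparison would miss, such as a handler whose logic changed without any parameter change, are the ones to flag with Mark as Changed in Step 2.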

Troubleshooting

Endpoints not appearing in delta scan: Confirm the crawl completed successfully before triggering the scan. Check the Automations tab for crawl status. If the crawl failed midway due to connectivity issues, trigger a manual crawl before retrying.

Delta scan returns no results: This means no endpoints were flagged as changed since the last crawl. Either the crawl did not detect differences or the application has not changed. Use the Mark as Changed option to manually include specific endpoints if needed.

Inventory not updating after crawl: Verify the target URL and scope are correctly configured. Check that your firewall or WAF is not blocking Astra scanner IPs. Refer to Astra IP Ranges to whitelist the correct addresses.

CI/CD pipeline hanging on crawl: Set ASTRA_JOB_EXIT_STRATEGY=always_pass so the pipeline does not wait for the crawl to complete.

Next Steps

Once you are comfortable with delta scanning, explore these related articles:

  • How to Schedule Vulnerability Scans

  • How Astra OrbitX Detects Application Changes

  • Integrate your CI/CD with Astra's OrbitX

  • How to run a Vulnerability Scan or Pentest on a private staging environment