Help Center › Troubleshooting & FAQ
Find your symptom below. For exact error messages, see the Error reference. For “how do I do X,” see the recipe index.
App won’t load · Scan won’t run / not authorized · No live data / deferred feeds · A real finding got suppressed · My list looks empty · Evidence signature · Scheduling · Cloud sign-in · Lost my edits · AI guidance · Full FAQ
App won’t load
| Likely cause | Fix |
|---|---|
| You opened the file with file:// | The app fetches seed JSON, which browsers block over file://. Serve over HTTP: from the repo root run python3 -m http.server 8080 and open http://localhost:8080/app/index.html. |
| “Failed to load Perimeter: load …json → 404” | The seed data isn’t where the app expects. Make sure you’re serving the repo root so assets/data/*.json resolves from app/. |
| Console error mentioning a JS module | Your browser must support ES modules (any modern browser). Disable aggressive script blockers for the local origin. |
The cloud module failing to load is normal when offline/not-deployed — you’ll see an info log “Perimeter cloud tier not loaded (local-first OK)”. The app stays fully usable.
Scan won’t run / not authorized
This is expected behaviour, not a bug — Perimeter refuses to scan targets you haven’t proven you own. Diagnose by the message:
| Symptom | Meaning | Fix |
|---|---|---|
| Scope shows unverified · scan blocked | You haven’t proven ownership of that scope. | Verify it (DNS-TXT or file challenge). See proving ownership. Deferred / hosted: the live challenge runs server-side. |
| Ingest summary: “N blocked (unverified scope — ownership not proven)” | Results arrived for an asset under an unverified scope; the guard dropped them. | Verify the scope, then re-run. Until then the block is correct. |
| Ingest summary: “N dropped (asset not in inventory — out of scope)” | Results referenced an asset you haven’t discovered/added. | Add/discover the asset under a verified scope first. The demo’s Trivy payload triggers this on purpose. |
| Error “scan blocked: target is outside any authorized scope” | The target maps to no scope at all. | Add a scope that covers it, then verify. |
Why so strict? Scanning something you don’t own is hostile traffic and can be unlawful — see why scanning needs proof.
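The scope guard described in the table, as an added example rather than Perimeter’s own code: scopes, inventory and the scanner payload are constructed sample data, and the hostname matching rule is an assumption.

```javascript
// Constructed sample scopes and asset inventory (not Perimeter's real data model).
const scopes = [
  { id: 'scope-acme', pattern: 'acme-clinic.com', verified: true },
  { id: 'scope-lab', pattern: 'lab.example', verified: false },
];
const inventory = new Set(['www.acme-clinic.com', 'vpn.lab.example']);

// A host falls under a scope when it equals the pattern or is a subdomain of it.
function scopeFor(host) {
  return scopes.find((s) => host === s.pattern || host.endsWith('.' + s.pattern));
}

// Pre-flight check before a scan is launched (the "scan blocked" errors above).
function authorizeScan(target) {
  const scope = scopeFor(target);
  if (!scope) throw new Error('scan blocked: target is outside any authorized scope');
  if (!scope.verified) throw new Error(`scan blocked: scope ${scope.id} is unverified`);
  return scope.id;
}

// Ingest guard: results for hosts not in inventory are dropped, results for
// hosts under an unverified scope are blocked, everything else is accepted.
function guardIngest(results) {
  const accepted = [];
  let blocked = 0;
  let dropped = 0;
  for (const r of results) {
    if (!inventory.has(r.host)) { dropped += 1; continue; }
    const scope = scopeFor(r.host);
    if (!scope || !scope.verified) { blocked += 1; continue; }
    accepted.push({ ...r, scopeId: scope.id });
  }
  return { accepted, blocked, dropped };
}

// The ingest summary line shown in the UI.
function summarize({ accepted, blocked, dropped }) {
  const parts = [`${accepted.length} accepted`];
  if (blocked) parts.push(`${blocked} blocked (unverified scope — ownership not proven)`);
  if (dropped) parts.push(`${dropped} dropped (asset not in inventory — out of scope)`);
  return parts.join(', ');
}

// Constructed scanner payload with placeholder CVE ids; the third host is unknown.
const sampleResults = [
  { host: 'www.acme-clinic.com', cve: 'CVE-0000-0001', engine: 'nuclei' },
  { host: 'vpn.lab.example', cve: 'CVE-0000-0002', engine: 'trivy' },
  { host: 'db.unknown.example', cve: 'CVE-0000-0003', engine: 'trivy' },
];
```

Running `summarize(guardIngest(sampleResults))` yields one accepted, one blocked and one dropped result, matching the three messages in the table.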
No live data / deferred feeds
The console runs on seeded sample data, and the live engines + live feed pulls are part of the hosted tier — this is by design, and the docs flag it with Deferred / hosted.
| You expected | What’s actually happening |
|---|---|
| Real CVE results for your own domains | The MVP ships seeded findings for the demo tenant. Live Nuclei/Trivy/OpenVAS scanning runs on the hosted ASM runner + Lookout agent. Details. |
| Today’s EPSS / KEV values | The seed uses point-in-time snapshots. The daily live pull runs server-side; the local tier makes zero network calls. Details. |
| An error like “fetchLiveFeeds is the deferred live-feed seam” | Correct — the network pull refuses to run without an explicit fetcher + opt-in, rather than faking data. Use the snapshot/ingest flow instead. |
To see the end-to-end pipeline without a live scanner, use the Ingest scan tab.
A real finding got suppressed
Reassurance: a finding that is in CISA KEV or confirmed by ≥2 engines is never auto-suppressed — only a human “Mark false positive” can suppress those, and that’s audit-logged.
My list looks empty
| Cause | Fix |
|---|---|
| Filters are stacked | Filters combine (AND). Reset: Status = All, Severity = All, Engine = All, Exposure = All, uncheck KEV-only and Hide-noise. |
| “No findings match this filter” | Your current filter excludes everything — loosen it. |
| Status = Open hides fixed/accepted | Switch Status to Closed/accepted or All to see resolved findings. |
Evidence signature
| Symptom | Cause / fix |
|---|---|
| Verification fails on a record | The record was edited after signing (tamper-evident by design), or you verified with the wrong key. Re-export a fresh record. Don’t pretty-print/reformat the JSON before verifying — any byte change breaks the HMAC. |
| “Is the local signature legally meaningful?” | The local key is a clearly-labeled non-secret demo key — it proves the record wasn’t altered, but not its origin. For provenance you need the cloud tier’s per-tenant key (Deferred / hosted). Details. |
| Signature scheme mismatch | Records use HMAC-SHA256; a verifier expecting another scheme will reject. Use the documented scheme. |
Scheduling
| Symptom | Meaning / fix |
|---|---|
| “Continuous hosted scanning is a Pro feature” | You need the hosted_scan entitlement. See entitlements. |
| “Daily EPSS/KEV refresh is already scheduled” | Not an error — the job is idempotent and already registered for your tenant. Nothing to do. |
| You’re not signed in | Scheduling lives in the cloud tier. Sign in first on the Sign in / Cloud tab. |
Cloud sign-in
| Symptom | Fix |
|---|---|
| Cloud tab says module is “loading or unavailable” | The best-effort cloud module didn’t load (offline, blocked, or not deployed). The app stays local-first; retry online, or unblock the origin. |
| Pro cards stay “checking…” | The entitlement check is pending or failed; it defaults to Locked on failure. Confirm you’re signed in and online. |
| “Cloud sync is a Pro feature” | Sync requires hosted_scan. See entitlements. |
| Wrong tenant | Your tenant is derived server-side from your session — sign in with the correct DosanjhLabs account. |
Lost my edits
Workflow edits persist in this browser’s localStorage. They’ll be gone if you cleared site data, switched browsers/devices, or used a private/incognito window (which discards storage on close). To carry state across devices, sign in and sync remediation state up to the cloud tier (Deferred / hosted, Pro).
AI guidance
| Symptom | Fix |
|---|---|
| “Add a BYO AI key on the AI / Settings tab first.” | AI is off until you set a provider + key. Go to AI / Settings, add a base URL, model, and key, then Save. |
| Request errors from the provider | The call goes browser → your provider directly. Check your key, model name, and base URL; the error is passed straight through. |
| Privacy worry | Only redacted metadata is sent — never evidence, hostnames, ports, or secrets. Details. |
Full FAQ
Do I need an account to use Perimeter? No. The console is fully usable offline with no sign-up. An account only adds the optional cloud tier.
Is any of my data sent anywhere by default? No — zero network calls beyond loading the app’s own static seed JSON, unless you sign in or set an AI key. See Security & privacy.
Why are the findings about “acme-clinic.com”? That’s the seeded demo tenant — realistic sample data so you can learn the workflow. No real scan has run.
Can I scan my own domain right now? Live scanning runs on the hosted runner/agent (deferred). Today you can model your scopes/assets and run the full pipeline against sample payloads via the Ingest tab.
Why is a “critical” ranked below a “high”? Because the high is in CISA KEV or has high EPSS (actively exploited), and the critical isn’t. Perimeter ranks by real-world exploitation, not raw CVSS. See tiers.
What’s the difference between “Mark false positive” and “Accept risk”? FP means “not actually a vuln” (suppresses it); Accept risk means “real, but I’m not fixing it yet” (stays visible with reason + expiry). See the comparison.
Which engines does Perimeter use? Nuclei (external), plus OpenVAS/Greenbone, Trivy, and internal Nuclei via the Lookout agent. All open-source and inspectable.
What frameworks does it map to? NIST CSF 2.0, SOC 2, PCI DSS 4.0, ISO 27001, CMMC L2 / NIST 800-171, plus Bastion 800-171 practices. See Compliance evidence.
Can I export findings? Yes — CSV, self-describing JSON, per-finding signed evidence records, and printable compliance report packs, all from the Reports / export tab (and the evidence button on each finding).
How does multi-engine “confirmed” work? When two independent engines flag the same vuln on the same asset, it’s marked confirmed and never auto-suppressed. See corroboration.
Where is the risk formula? 0.40·CVSS + 0.30·EPSS + 0.20·KEV + 0.10·criticality, normalized 0–100, in app/js/score.js — transparent and tunable.
Is my AI key safe? It’s stored only in your browser and used to call your provider directly; Perimeter never proxies or sees it server-side.
Who can see the audit log? It’s the read-only Auditor view; locally it’s in your browser, and the cloud tier mirrors it to a server-side immutable log.
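The three FAQ answers on ranking (“why is a critical below a high”, the risk formula) and on multi-engine corroboration, together with the “never auto-suppressed” rule from the suppression section, worked through as one added example that is not Perimeter’s own app/js/score.js: the weights are the documented ones, but the per-input normalization, the finding fields and the sample findings are assumptions constructed here.

```javascript
// Weights from the documented formula; normalization is an assumption: CVSS/10, EPSS 0..1, KEV 0/1, criticality 0..1.
const WEIGHTS = { cvss: 0.40, epss: 0.30, kev: 0.20, criticality: 0.10 };

function riskScore(f) {
  const raw = WEIGHTS.cvss * (f.cvss / 10) + WEIGHTS.epss * f.epss
    + WEIGHTS.kev * (f.kev ? 1 : 0) + WEIGHTS.criticality * f.criticality;
  return Math.round(raw * 100); // scaled to 0..100
}

// Corroboration: confirmed when two or more distinct engines report the same
// CVE on the same asset.
function withConfirmation(findings) {
  const engines = new Map();
  for (const f of findings) {
    const key = `${f.asset}|${f.cve}`;
    if (!engines.has(key)) engines.set(key, new Set());
    engines.get(key).add(f.engine);
  }
  return findings.map((f) => ({ ...f, confirmed: engines.get(`${f.asset}|${f.cve}`).size >= 2 }));
}

// Guard: KEV or confirmed findings are never auto-suppressed (e.g. by Hide-noise);
// only an explicit human "Mark false positive" may hide them, and that is audit-logged.
function canAutoSuppress(f) {
  return !f.kev && !f.confirmed;
}
const auditLog = [];
function markFalsePositive(f, actor, reason) {
  auditLog.push({ action: 'mark_false_positive', finding: f.id, actor, reason });
  return { ...f, status: 'false_positive' };
}

// Rank by real-world exploitability, not raw CVSS severity.
function rank(findings) {
  return withConfirmation(findings).sort((a, b) => riskScore(b) - riskScore(a));
}

// Constructed sample (demo tenant host, placeholder CVE ids): a KEV "high"
// and a "critical" with low EPSS seen by two engines.
const sample = [
  { id: 'f1', asset: 'www.acme-clinic.com', cve: 'CVE-0000-0001', severity: 'high',
    cvss: 7.5, epss: 0.9, kev: true, criticality: 0.5, engine: 'nuclei' },
  { id: 'f2', asset: 'www.acme-clinic.com', cve: 'CVE-0000-0002', severity: 'critical',
    cvss: 9.8, epss: 0.02, kev: false, criticality: 0.5, engine: 'nuclei' },
  { id: 'f3', asset: 'www.acme-clinic.com', cve: 'CVE-0000-0002', severity: 'critical',
    cvss: 9.8, epss: 0.02, kev: false, criticality: 0.5, engine: 'openvas' },
  { id: 'f4', asset: 'www.acme-clinic.com', cve: 'CVE-0000-0003', severity: 'medium',
    cvss: 5.0, epss: 0.01, kev: false, criticality: 0.5, engine: 'trivy' },
];
```

With these inputs the KEV “high” scores 82 and sorts above the “critical” at 45, and neither the KEV finding nor the two-engine critical is eligible for auto-suppression.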
Didn’t find it? Check the Error reference for exact messages, or the “How do I…?” recipe index.