To configure a scan for WCAG 2.2 AA, set the rule set to WCAG 2.2 at conformance level AA, define the scope of pages or URL patterns to evaluate, supply authentication for any pages behind a login, set a recurring schedule, and confirm the output format. The scan will then evaluate HTML, CSS, and ARIA against the success criteria the tool can programmatically check, which represents about 25% of WCAG requirements.
| Setting | What to Configure |
|---|---|
| Standard | Select WCAG 2.2 as the rule set and AA as the conformance level. |
| Scope | Define starting URLs, crawl depth, and any include or exclude patterns. |
| Authentication | Provide credentials or session capture for pages behind a login. |
| Schedule | Set recurring scans (daily, weekly, or monthly) for ongoing monitoring. |
| Coverage Limit | Scans flag approximately 25% of issues. The remainder requires manual evaluation. |
Select WCAG 2.2 AA as the Rule Set
Most scanners default to an older rule set or to WCAG 2.1. Open the scan configuration and choose WCAG 2.2 explicitly, then select conformance level AA. Some tools list this as a single combined option; others separate version and level into two fields.
WCAG 2.2 is backwards compatible with 2.1 and 2.0. A 2.2 AA scan covers everything a 2.1 AA scan covers, plus the success criteria introduced in 2.2.
Define Scope and Crawl Behavior
Scope determines which URLs the scan evaluates. Provide one or more starting URLs, then set crawl depth and any include or exclude rules.
For a small site, a full crawl from the homepage may be sufficient. For larger sites, define URL patterns to focus on representative templates: one product page, one category page, one article, one form. Excluding parameterized URLs and duplicate content prevents the scan from spending resources on the same template repeatedly.
Configure Authentication for Protected Pages
Pages behind a login are not reachable by a default crawler. To evaluate authenticated pages, configure one of the following methods supported by the scanner:
- Credential-based login: provide a username and password the scanner uses to sign in before crawling.
- Session capture: use a browser extension to capture an active session and conduct the scan within that session.
- Cookie or token injection: supply session cookies or API tokens directly to the scanner.
Without one of these, account dashboards, checkout flows, and member areas remain unscanned.
Set a Recurring Schedule
A one-time scan captures a snapshot. Recurring scans surface regressions as code changes ship. Common cadences are daily for high-traffic production sites, weekly for standard marketing sites, and monthly for low-change reference content.
Align the schedule with deployment frequency. If releases happen weekly, a weekly scan after deploy gives the cleanest signal.
Confirm Output and Reporting
Configure how results are delivered: dashboard view, exported report, email summary, or webhook to an issue tracker. Reports should list each issue with the affected URL, the WCAG 2.2 success criterion referenced, and the element or selector involved.
What a WCAG 2.2 AA Scan Cannot Detect
Scans evaluate code patterns. They cannot judge whether alternative text accurately describes an image, whether a heading structure reflects document meaning, whether focus order matches visual order in a way that makes sense, or whether an interactive component is operable with a screen reader. These determinations require a manual evaluation conducted by a human evaluator using assistive technology.
A configured WCAG 2.2 AA scan is one input into a broader evaluation program. Pair it with manual evaluation and recurring monitoring to cover the success criteria scans cannot reach.