Configuring a scan using AppScan Go!

Use AppScan Go! to configure a static scan. You can then run the scan in the cloud or use a plugin to automate scanning.

Before you begin

The first time you use AppScan Go!, it downloads any required updates:
  1. In AppScan 360°, click Create Scan to open the wizard, then click Static Scan.
  2. Choose the platform (Windows, Mac, or Linux) for which to download AppScan Go! and click Download.
  3. Choose the platform (Windows, Mac, or Linux) for which to download the Command Line Utility (CLI, delivered as the SAClientUtil package) and click Download.
  4. Extract the SAClientUtil package. The extracted parent SAClientUtil folder contains a child SAClientUtil folder; copy the child folder (not the parent) into your .appscan folder, creating .appscan if it does not exist:
    • Windows: <user_home>\.appscan\
    • Linux: <user_home>/.appscan/
  5. Extract the AppScan Go! files and install the utility to your local system.
  6. Disable the auto-update setting in the AppScan Go! settings.
Note: If you experience an error during AppScan Go! launch, see Automatic update of AppScan Go! fails.
Note: If you're updating an existing AppScan Go! installation on Linux to a newer version, run the install with the -U option.
Note: Configure AppScan Go! to use a system proxy if necessary.
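The SAClientUtil staging in steps 3 and 4 above is easy to get wrong because of the nested folder layout (a parent SAClientUtil that contains the child SAClientUtil you actually want). The following POSIX shell script is an added example, not HCL's installer or any script from the AppScan Go! package: it takes the extracted parent folder, verifies the child folder is present, creates <user_home>/.appscan/ if needed, and copies the child folder into it, replacing any stale copy. The sample package layout it builds for the demo is constructed here; the file names inside it are placeholders, not the real package contents.

```shell
#!/bin/sh
# Added example (not HCL's code): stage the extracted SAClientUtil package
# into <user_home>/.appscan/ as the "Before you begin" steps describe.
# Assumption: the unpacked download has the nested layout
#   <parent>/SAClientUtil/SAClientUtil/...
# and the child SAClientUtil folder is what belongs under ~/.appscan/.

set -eu

# install_saclientutil PARENT_DIR [HOME_DIR]
#   PARENT_DIR is the parent SAClientUtil folder produced by extracting
#   the download. Its child SAClientUtil folder is copied to
#   HOME_DIR/.appscan/SAClientUtil (HOME_DIR defaults to $HOME).
#   Prints the installed path; returns 1 if the layout is not as expected.
install_saclientutil() {
    parent="$1"
    home="${2:-$HOME}"
    child="$parent/SAClientUtil"
    if [ ! -d "$child" ]; then
        echo "expected child folder not found: $child" >&2
        return 1
    fi
    dest="$home/.appscan"
    mkdir -p "$dest"
    # Remove any previous copy so an older utility is not mixed with the new one.
    rm -rf "$dest/SAClientUtil"
    cp -R "$child" "$dest/SAClientUtil"
    printf '%s\n' "$dest/SAClientUtil"
}

# make_sample_package DIR: constructed stand-in for the unpacked download,
# used only so the script can be exercised offline. Placeholder contents.
make_sample_package() {
    mkdir -p "$1/SAClientUtil/SAClientUtil/bin"
    printf 'placeholder\n' > "$1/SAClientUtil/SAClientUtil/bin/example-file.txt"
}

# Demo against a throwaway HOME so nothing on the real system is touched:
#   sh stage_saclientutil.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_package "$work/unpacked"
    install_saclientutil "$work/unpacked/SAClientUtil" "$work/home"
    rm -rf "$work"
fi
```

For a real install, run install_saclientutil against the extracted parent folder with no second argument so it lands in your own home directory; the path it prints is the folder AppScan Go! expects to find. On Windows the same layout applies under <user_home>\.appscan\, but this script targets the Linux and Mac shells only.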

About this task

Using AppScan Go! allows you to configure scans locally prior to running analysis in the service.

Procedure

  1. From your local system, launch AppScan Go!
    On Windows click Start > .
    You do not have to be logged in to the AppScan 360° service to begin setting up a scan.
  2. Specify the location of files to scan. Browse to the folder that contains the files to scan and click Select Folder.
    AppScan Go! accepts a folder only; you cannot select individual files at this step.
  3. Choose the types of issues you want to find and the types of files to scan, then click Continue.
    You can scan for all security issues across all file types, or narrow the scan to open source (SCA) scanning, source code only scanning, or both.
    Note: SCA (open source) scans require an appropriate license. SCA is currently not available in AppScan 360°.
  4. AppScan Go! retrieves appropriate files from the selected folder and lists them for review. Review, select, or deselect files, then click Continue.
    AppScan 360° saves the scan configuration file (appscan-config.xml) to the folder containing the files to scan. You can exit the utility at this point and pick up again later, or log in to the AppScan 360° service and configure and run the scan now.
    Note: For additional information on using configuration files, see Configuring IRX file generation with the CLI.
  5. Click Create a new scan to log in to HCL AppScan 360° and specify additional parameters, or automate the project using a supported plugin.
    Note: If you are unable to log in to AppScan 360°, verify that you are using an up-to-date version of AppScan Go!, version 0.1.7 or later. See Troubleshooting for additional information.
  6. Specify the following scan parameters, then click Initiate Scan to upload the files:
    Scan name: Specify a name for the scan or accept the default name created by AppScan 360°.
    Application to associate the scan with: Choose the application to associate with the scan.
    Scan speed options (SAST only): Choose Simple, Balanced, Deep, or Thorough based on need and the time available. Scan speed is not a configurable option for SCA/open source scans.
    • A simple scan performs a surface-level analysis of your files to identify the most pressing issues for remediation. It takes the least time to complete.
    • A balanced scan provides a medium level of detail in the analysis and identification of security issues, and takes somewhat longer than a simple scan.
    • A deep scan performs a more complete analysis of your files to identify vulnerabilities, and usually takes longer to complete.
    • A thorough scan performs a comprehensive analysis that produces the most complete list of vulnerabilities, and takes the longest time to complete.
      Note: Scan speed does not necessarily correlate with the number of vulnerabilities found. For example, a thorough analysis may rule out false positives that a simple scan would report, and therefore report fewer vulnerabilities.
    Run as a personal scan: Specify whether the scan is kept private and excluded from umbrella project data.
    Update me by email when scan findings are ready: Specify whether to send an email when the scan is complete. This is particularly helpful for Deep scans.
    AppScan Go! gathers information for all supported files in the selected folder and its subdirectories, creates an IRX file in that folder, and uploads the IRX file to the AppScan 360° service. Because both appscan-config.xml and the IRX file are written into the folder being scanned, exclude them from version control if that folder is a repository.
  7. When the scan upload is complete, click Finish.
  8. Open AppScan 360° to review the status or results of the scan.