Home
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments.
Dynamic scanning (DAST)
AppScan 360° can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available in AppScan 360°, or upload an AppScan Standard configuration (template file) or a full scan file.
Test automation
Incorporate dynamic scanning in your functional testing.

Getting started
Welcome to the documentation for HCL AppScan 360°, where you can find information about how to install, maintain, and use this service.
Installation
Learn about AppScan 360° architecture and how to install the product.
Administration
Define users, applications, policies, and configure DevOps integrations.
Navigation
This section describes the items on the main AppScan 360° menu bar, with links to more detailed information.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments.
- About dynamic analysis (DAST)
  An AppScan 360° dynamic (DAST) scan consists of two stages: Explore and Test. Even though most of the scan process is seamless to the user, and no input is required until the scan is complete, understanding how dynamic scanning works can help you to better understand the role of scanning in your development process.
- Dynamic scanning (DAST)
  AppScan 360° can perform dynamic analysis of an application that runs in a browser or a web API. Use the configuration options available in AppScan 360°, or upload an AppScan Standard configuration (template file) or a full scan file.
  - Create scan
    Provide the starting URL and user credentials for the scan, select the type of site, and (if not previously done) verify your permission to scan the site.
  - Create scan from template
    You can upload your own AppScan Standard template (SCANT) file to run an AppScan 360° scan.
  - Create scan from scan file
    You can upload your own AppScan Standard scan (SCAN) file to run an AppScan 360° scan.
  - Creating an Incremental scan
  - Test policy
    The AppScan Standard Default Test Policy is used when running scans from the AppScan 360° user interface, but other policies can be applied with imported scans, or scans run from the API.
  - Test optimization
    Test optimization uses intelligent test filtering to achieve faster scans with minimal loss of issue coverage. When speed is a consideration, choose between four optimization levels.
  - Test automation
    Incorporate dynamic scanning in your functional testing.
  - Client certificates
- Recording traffic
  You can record traffic as Explore data for DAST scans using the AppScan Activity Recorder browser extension (for Chrome or Edge), the HCL AppScan Traffic Recorder proxy server, or AppScan Standard.
- HCL AppScan Traffic Recorder
  The HCL AppScan Traffic Recorder (DAST proxy) enables you to record traffic to use as Explore data. Traffic Recorder instances can be created on demand to record traffic that will later be used for a DAST scan.
- AppScan Standard
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Reference
Some frequently asked questions, and information about integrating AppScan 360° into the product lifecycle (SDLC).

Automating DAST scans

Incorporate dynamic scanning in your functional testing.

In the world of DevOps it's increasingly important to be able to incorporate security scans in the functional testing process for your web applications. If you use an automation framework (such as Selenium), you can take advantage of the scripts that are already written to create tailor-made scans:

The requests from the automation framework to the web application are sent through the Proxy Server proxy.
The server records the traffic and saves it as a dast.config file.
Upload the file to be used byAppScan 360° as Explore data for a scan.
Send traffic through the automation server proxy manually, to create a dast.config file.

AppScan 360° Automation Workflow:

Running scans:
1. Start proxy listening on specified or randomly selected port, as configured (see Starting and stopping the HCL AppScan Traffic Recorder).
2. Run your Selenium script (or other functional test) through the selected proxy,
  OR
  Browse your web application manually using a web browser configured to work through the selected proxy.
3. Stop the proxy and save the traffic recording.
4. Publish to AppScan 360° using the AppScan 360° REST API, by creating a new scan under a particular application. See REST API.

You can download our demo script for this workflow using the REST API. Download demo script.

Note: To use the demo script with AppScan 360°:

In the Python script, replace the self.asoc_base_url variable with the URL of the AppScan 360° server.
The variable self.asoc_presence_id is not applicable for AppScan 360°.

See also:

REST API