Configuring a scan using AppScan Go!

AppScan Go! steps you through configuring and running a static scan. You run the scan in the cloud or use a plugin to automate scanning.

Before you begin

The first time you use AppScan Go!, it downloads any required updates:
  1. In AppScan 360°, click Create Scan to open the wizard, then click SAST.
  2. Choose the platform (Windows, Mac, or Linux) for which to download the utility and click Download.
  3. Choose the platform (Windows, Mac, or Linux) for which to download the Command Line Utility (CLI) and click Download.
  4. Extract the SAClientUtil package. From the parent SAClientUtil folder, copy the child SAClientUtil to your .appscan folder. Create the folder if necessary.
    • Windows: <user_home>\.appscan\
    • Linux: <user_home>/.appscan/
  5. Extract the AppScan Go! files and install the utility to your local system.
  6. Disable auto-update setting in AppScan Go! settings.
Note: If you experience an error during AppScan Go! launch, see Automatic update of AppScan Go! fails.
Note: If you're updating an existing AppScan Go! installation on Linux to a newer version, run the install with the -U option.
Note: Configure AppScan Go! to use a system proxy if necessary.

About this task

Using AppScan Go! allows you to configure scans locally prior to running analysis in the service.

Procedure

  1. From your local system, launch AppScan Go!
    You do not have to be logged in to the AppScan 360° service to begin setting up a scan. You do need to be logged in to complete a scan.
  2. Choose a scan method:
    • Run a complete scan.
    • Create an IRX file and run a scan later.
    • Create a configuration file for automating scans.
  3. Specify the location of files to scan, and scan mode and type, then click Next.
    1. Browse to the folder that contains the files to scan and click Select Folder. AppScan Go! allows you to choose folders only.
    2. Indicate one or more scan types: static analysis, Software Composition Analysis (open source), or secrets scanning.
      Note: SCA (open source) scans require an appropriate license. SCA currently is not available in AppScan 360°.
    3. Specify whether to scan compiled code (bytecode) or uncompiled source code.
      AppScan Go! recommends the best scan mode for the file set automatically.
  4. AppScan Go! retrieves appropriate files from the selected folder and lists them for review. Review, select, or deselect files, then click Next.
  5. If you opted to run a complete scan, or prepare an IRX file, configure scan settings, then click Next.
    Note: You must be logged in to AppScan 360° to see the list of available applications.
    SettingDescription
    Scan name Specify a name for the scan or accept the default name created by AppScan 360°.
    Associated application When running a complete scan, choose the application to associate with the scan.
    Scan speed options (SAST only) Choose Normal, Fast, Faster, or Fastest scan based on need and time demands. Note that scan speed is not an configurable option for SCA/open source scans.
    • A normal scan performs a comprehensive analysis to identify the most detailed list of vulnerabilities and will take the longest time to complete.
    • A fast scan performs a more complete analysis of your files to identify vulnerabilities, and usually takes longer to complete.
    • A faster scan provides a medium level of detail on the analysis and identification of security issues, and takes a bit more time to complete than the 'Fastest' scan.
    • The fastest scan performs a surface-level analysis of your files to identify the most pressing issues for remediation. It takes the least amount of time to complete.
      Note: Scan speed does not necessarily correlate to relative number of vulnerabilities found in the code. For example, the normal analysis may rule out false positives that might be reported in a fastest scan and therefore report fewer vulnerabilities.
    Scan preferences When running a complete scan, specify scan preferences:
    • Run as a personal scan: Indicate whether the scan will be kept private and not included in umbrella project data.
    • Update me by email when findings are ready: Indicate whether to email when the scan is complete. This is particularly helpful for Normal scans.
  6. If you opted to run a complete scan, AppScan Go! gathers information for any supported files in the directory and all of its subdirectories, then creates an IRX file in the <user_home>/.appscan/temp directory. AppScan Go! then uploads the resulting IRX file to the AppScan 360° service. When the scan upload is complete, click Finish.
    Note: You must be logged into an AppScan service to complete a scan. See Account information.
  7. If you opted to create an IRX file, AppScan Go! gathers information for any supported files in the directory and all of its subdirectories, then creates an IRX file in the <user_home>/.appscan/temp directory. When file generation is complete, click Finish.
  8. If you opted to create a configuration file for automating scans, AppScan 360° saves the scan configuration file (appscan-config.xml) to the folder with your files to scan. Click Finish to exit AppScan Go!
    You can exit the utility at this point and pick up again later, login to the AppScan 360° service and configure and run the scan now, or use the configuration file to automate scanning using one of the listed plugins.
    Note: For additional information on using configuration files, see Configuring IRX file generation with the CLI.
  9. Open AppScan 360° to review the status or results of the scan, or to start a scan with the IRX file generated by AppScan Go!