Home
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Organization
Organization is your go-to hub for managing policies, domains, settings, subscriptions, and audit trails – it's where you control and organize it all.
Domains
Domains view lists the domains for which you have permission to run dynamic (DAST) scans, and lets you verify additional domains for scanning. Verification is not needed for private sites, where an AppScan Presence is used.
Verifying a domain
Before you can scan a domain on the Internet, ASoC must verify that you have permission to scan it. Verification is not needed for domains that are not available on the Internet (private sites).

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
- All applications
  The Applications page lists all applications in your organization that are within the asset groups to which you are assigned. From the Applications page, you can create new applications and open individual application pages.
- Scans and sessions
  This view lists all scans and sessions in all your applications.
- Open source libraries
  Search for, review, and take action on open source libraries associated with applications.
- Dashboard
  The main dashboard is the third item on the main menu bar. It gives you a detailed overview of the current state and history of all your applications.
- Organization
  Organization is your go-to hub for managing policies, domains, settings, subscriptions, and audit trails – it's where you control and organize it all.
  - Domains
    Domains view lists the domains for which you have permission to run dynamic (DAST) scans, and lets you verify additional domains for scanning. Verification is not needed for private sites, where an AppScan Presence is used.
    - Verifying a domain
      Before you can scan a domain on the Internet, ASoC must verify that you have permission to scan it. Verification is not needed for domains that are not available on the Internet (private sites).
  - Settings
    Setttings helps you navigate and configure the settings within your organization and data center effectively.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Verifying a domain

Before you can scan a domain on the Internet, ASoC must verify that you have permission to scan it. Verification is not needed for domains that are not available on the Internet (private sites).

About this task

You can verify a domain either by adding a small file to its root folder, or confirming your permission by clicking an email link.

Procedure

In Organization > Domains, click Verify a new domain.
Type in the domain to verify, then click Next.

Do not include the protocol. Specify a subdomain only if you want to verify just that subdomain.

For example, to verify a domain and all subdomains, enter my-domain.com.
Select your preferred verification method, then click Next:
- File in domain root folder
- Email domain administrator
If you chose to verify by file:
1. Enter domain protocol and the root folder location.
  You can test the URL to confirm you entered the correct information.
2. Click Download.
3. Place the file in the root folder location for the domain.
  
  If you do not have permissions to access that location, work within your organization to complete this step.
If you chose to verify by email:
1. Enter the email address for the domain owner, then click Send email.
2. Contact the domain owner directly to ask that they respond to the email
Click Done.
The site is added to the list of domains, with status "Pending." The first time you run a scan, ASoC verifies the file you added, and changes the status to "Verified." Domains unverified after 30 days are removed from the list.

Example

If your application includes links to URLs outside the domain of the starting URL, they must be verified separately to be included in the scan (unless they are private sites and you are using an AppScan Presence). Consider these examples:

Subdomains:

The starting URL is: http://a.com/home/.

The site has links to http://b.a.com, which is a subdomain of a.com.

The sub domain is automatically included in the verification and scanning.

Parallel or parent domains:

The Starting URL: http://b.a.com/home/.

The site has links to a parallel domain http://c.a.com, or to parent domain http://a.com, and you want those links included in the scan.

To ensure full coverage:

Verify a.com, OR
Verify b.a.com and c.a.com, and when creating the scan in Create scan > Dynamic (DAST), clear the Include only links in and below this directory check box.