Home
Administration
Define users, applications, policies, and configure DevOps integrations.
DevOps
Tools for incorporating ASoC in your software development lifecycle.
REST API
The built-in REST API interface provides you with a way to visualize RESTful web services. The API documentation is built using Swagger, where you can test API operations and instantly view the results to help you scan your applications faster.
OData
This section provides information and tips for using Open Data Protocol (OData) through the ASoC API.
Examples and references

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
- Users
  User management allows you to control access to sensitive applications by assigning them to asset groups and then adding specific users to those groups.
- Applications
  An application is a collection of scans related to the same project. It can be a web site, a desktop app, a mobile app, a web service, or any component of an app. Applications enable you to asses risk, identify trends, and make sure that your project is compliant with industry and organization policies.
- Policies
  You can apply the predefined policies, as well as your own custom policies, to show only data for the issues that are relevant for you.
- DevOps
  Tools for incorporating ASoC in your software development lifecycle.
  - REST API
    The built-in REST API interface provides you with a way to visualize RESTful web services. The API documentation is built using Swagger, where you can test API operations and instantly view the results to help you scan your applications faster.
    - Technical overview of REST API upgrade to v4
      Version 4.0 of the REST API brings a host of enhancements, optimizations, and improvements over the previous version (v2). API v4 maintains compatibility by using the same access token as v2, facilitating a gradual migration of your code to v4 while continuing to use the existing token. Notably, the path prefix for API v4 has changed from "/api/v2" to "/api/v4/". While many functions retain their names and models, ensuring a straightforward transition from "v2" to "v4," some functions have undergone modifications. This topic serves as a technical guide, outlining the primary changes introduced in API v4.
    - Generating API Keys
      Use a Key ID and Key Secret to access the AppScan on Cloud REST APIs and to log in from some of the ASoC client tools (for example, from the Jenkins plug-in and from the Static Analyzer Command Line Utility and IDE plug-ins).
    - OData
      This section provides information and tips for using Open Data Protocol (OData) through the ASoC API.
      - Common OData Query Parameters
      - The $filter parameter
        The $filter is the most powerful OData parameter. It has many operators.
      - Examples and references
    - Export to CSV
      This section describes how to save response data as in CSV format.
  - Webhooks
    Webhooks can be used to receive notifications about events that occur in AppScan on Cloud.
  - Plugins and integrations
- Personal scans
  A personal scan is a way of evaluating the relative security of an application in development without affecting overall application scan data (issues, for example), or compliance.
- Scan status
- Audit trail
  The audit trail (Organization > Audit trail) logs user activity.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Examples and references

Application examples

Provide the names of applications with at least one failed policy: https://cloud.appscan.com/api/v4/Apps?$filter=ComplianceStatuses/any(d:d/Compliant+eq+false)&$select=Name
List the applications with any new issues of High severity: https://cloud.appscan.com/api/v4/Apps?$filter=RiskRating+eq+'Critical'+and+NewIssues+gt+0
Provide the names, IDs, and creation dates of applications created since January 1, 2024: https://cloud.appscan.com/api/v4/Apps?$filter=DateCreated+gt+'2024-01-01z'+&$select=Name,Id,DateCreated

Scan examples

Provide personal scans that have completed with a status of "Ready" and are not categorized as personal: https://cloud.appscan.com/api/v4/Scans?$filter=LatestExecution/Status+eq+'Ready'+and+IsPersonal+eq+true
Retrieve all scans with the term "Jenkins" in the scan name: https://cloud.appscan.com/api/v4/Scans?$filter=contains(Name,'jenkins') Note that string searches are always case-insensitive.

References