Create a new scan from a template file

You can upload your own AppScan Standard template (SCANT) file to run an ASoC scan.

Before you begin

Procedure

  1. On the Application page, click Create scan to open the wizard, then select DAST > Upload template file.
  2. Upload file: Drag and drop the template (SCANT) file into the dialog, or click to select the file.
    Important: Scans based on an uploaded configuration file will not be examined by our Scan Enablement Team in the event of a problem. If such a scan does not succeed, it simply fails.
    The file is opened and the starting URL from the configuration is filled in the URL field.
  3. If your file includes Explore data or if you submit a scan template that contains a Multi-step operation (sequence), you have the option to run either the Test stage only or a full scan (Explore and Test stages):
    • Run a full scan
    • Run Test stage only
  4. Explore:

    Setting

    Options

    Automatic form fill

    ASoC uses AppScan Standard's default form fill parameter values to fill and submit forms on the site.
    Important: If you are scanning a live production site, we recommended disable this function. For more details refer to What changes should I make when scanning a live production site?
    Note: If you turn off automatic form fill and scan in AppScan on Cloud, it will remove all the information filled in the forms except for the login management data. AppScan will not fill in the forms automatically during scanning. When you import this scan into AppScan Standard, automatic form fill is enabled, but the form filling data, except for login management, will be empty.

    Type

    Explore automatically
    AppScan crawls the web application automatically, from the starting URL, to discover the pages it will test. This option is not relevant for web APIs; use the next option.
    Explore with guidance
    Upload your own recorded Explore stage for AppScan to test. You can use this on its own or in addition to an automatic Explore stage.
    For details about the two Explore types, see About dynamic analysis (DAST)

    Explore with guidance

    This section is active only if you selected Explore with guidance.

    Upload recording

    Upload one or more DAST.CONFIG traffic files. For details of how to record these, see Recording traffic. For web APIs the best option is usually the HCL AppScan Traffic Recorder.

    File settings

    If the requests in your traffic file must be sent in the specific order you recorded them, activate Multistep. This method significantly increases the duration of the scan, so use only if needed. To understand the difference between Multistep and regular Explore with guidance, refer to Explore with guidance.

    To activate Multistep:
    • For each uploaded recording, click on the filename and toggle the Activate Multi-step option to On.
    How to use the recording
    Use the recorded Explore in addition to a full automatic Explore stage, and test it all
    ASoC runs its own automatic Explore stage to discover the application, and test it based on both these results and the traffic file you uploaded. This option is not relevant for web APIs; use the next option.
    Analyze and test the recorded Explore only
    ASoC treats the uploaded file as the Explore stage for the scan. It analyzes and creates tests for the recorded traffic only, and then tests it. There will be no automatic Explore stage.
  5. Network:

    Setting

    Options

    Type

    Public (default)
    Your site is available on the Internet.
    Private
    Your site is not available on the Internet. Select your presence from the list of connected presences.
    Note: If you have not yet created an an AppScan Presence you can do so now by clicking the AppScan Presences page link, and referring to Creating the AppScan Presence.
  6. Schedule:

    Setting

    Options

    Scan now

    Your scan runs as soon as set up and review are complete.

    Save for later

    Your configuration is saved when completed. You can run the scan later.

    Schedule
    Your configuration is saved, and one or more scans run as configured:
    1. Select a date and time. Enter these according to the time zone configured on your machine, but note that times will be converted to UTC when displayed in the user interface.
    2. To run the scan more than once, select the Repeat, and then choose:
      • Daily, and select a daily interval (1-30 days)
      • Weekly, and select which day, or
      • Monthly, select a monthly interval, and then select which numerical day of the month, or which weekday of the month (first, second, third, fourth, last).
      Note: If the maximum number of concurrent scans are running when the scheduled time arrives, the scan starts as soon as allowed by your subscription.
    3. Set the End date (the last date a scan will run), or click Remove end date to have the schedule run indefinitely.
  7. Click Review and scan.
    At review, you can edit the default name that was given to the scan. You can also elect to run the scan as a personal scan, and to receive email notification when the scan is complete.
  8. Click Scan Now.
  9. Click Scan.

Results

The new scan is added to the Scans view with its starting time, and a progress bar indicates that the scan is running. When the scan is complete the progress bar closes, the results are summarized in a graph, and (if selected) you receive an email notification. See Results.
Note: Free Plan scans are limited to four hours in length, so large or complex sites may not be completely covered by these.