Home
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Issues
The Issues page for an application, by default displays non-compliant issues only. You can apply a variety of filters to see the issues you need, and click on any issue to open the detailed issue information pane.
Importing issues from third-party scanners
Whether you use third-party scanners or conduct manual penetration tests to discover issues, you can import the issues from a CSV file into ASoC for triaging.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
- Sample Security Reports
- Application reports
- Scan data
- Issues
  The Issues page for an application, by default displays non-compliant issues only. You can apply a variety of filters to see the issues you need, and click on any issue to open the detailed issue information pane.
  - Issue information
    The Issue information pane shows all content available for the issue.
  - Issue status
    Issues can be classified as Open, In Progress, Noise, Reopened, Passed, and Fixed.
  - Issue severity
    Issues can be classified as they appear in the Issues grid of an application.
  - Triaging issues
    All issues are classified as new by default. You can see an issue classification by viewing the issue status.
  - Importing issues from third-party scanners
    Whether you use third-party scanners or conduct manual penetration tests to discover issues, you can import the issues from a CSV file into ASoC for triaging.
    - Issue attributes in CSV
      This page lists the issue attributes that can be used in a CVS file, when importing issues to ASoC.
- Correlation
  AppScan analyzes issues found by IAST, DAST and SAST to identify common weak links in the code (correlations) where multiple vulnerabilities can be resolved with a single or consolidated remediation effort.
- Fix groups
  Fix groups currently apply only to issues found in static analysis scans.
- Reports
  Generate reports for issues discovered in an application. Send reports to send to developers, internal auditors, penetration testers, managers, and the CISO. Security information might be extensive, and can be filtered depending on your requirements.
- Remediation
  After risks are determined and vulnerabilities are prioritized, your security team can start the remediation process.
- Rescanning
  Following your first scan, as you fix issues you can scan the same application again multiple times and overwrite the previous results; the dashboard always displays the current results. When you scan again (rather than starting a new scan), the rescan overwrites the previous one.
- IAST scan results
  An interactive (IAST) scan entry shows results since the last time the scan was started.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Importing issues from third-party scanners

Whether you use third-party scanners or conduct manual penetration tests to discover issues, you can import the issues from a CSV file into ASoC for triaging.

Procedure

Download the Sample CSV file (also available from the Import Issues dialog box) to see which issue attributes can be imported to ASoC.

Tip: Modify the sample CSV file and use it as a template for all of your third-party scanners.
Scan your environment for vulnerabilities and export a comma-separated value (CSV) file of the issues.
Note:
- Use the English column headers shown in the sample file, not translated versions.
- Make sure that the CSV uses UTF-8 encoding.
- The file size limit is 200 MB.
- If the field or cell contains a comma, the field or cell must be enclosed by double quotation marks (").
Import the issues:
1. On an Application tab, go to the Issues view and click Import Issues.
2. Locate the file, give it a scan or test name, and click Import. Check the import log for errors. Otherwise, close the dialog.