Home
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Issues
The Issues page for an application, by default displays non-compliant issues only. You can apply a variety of filters to see the issues you need, and click on any issue to open the detailed issue information pane.
Issue severity
Issues can be classified as they appear in the Issues grid of an application.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
- Sample Security Reports
- Application reports
- Scan data
- Issues
  The Issues page for an application, by default displays non-compliant issues only. You can apply a variety of filters to see the issues you need, and click on any issue to open the detailed issue information pane.
  - Issue information
    The Issue information pane shows all content available for the issue.
  - Issue status
    Issues can be classified as Open, In Progress, Noise, Reopened, Passed, and Fixed.
  - Issue severity
    Issues can be classified as they appear in the Issues grid of an application.
  - Triaging issues
    All issues are classified as new by default. You can see an issue classification by viewing the issue status.
  - Importing issues from third-party scanners
    Whether you use third-party scanners or conduct manual penetration tests to discover issues, you can import the issues from a CSV file into ASoC for triaging.
- Correlation
  AppScan analyzes issues found by IAST, DAST and SAST to identify common weak links in the code (correlations) where multiple vulnerabilities can be resolved with a single or consolidated remediation effort.
- Fix groups
  Fix groups currently apply only to issues found in static analysis scans.
- Reports
  Generate reports for issues discovered in an application. Send reports to send to developers, internal auditors, penetration testers, managers, and the CISO. Security information might be extensive, and can be filtered depending on your requirements.
- Remediation
  After risks are determined and vulnerabilities are prioritized, your security team can start the remediation process.
- Rescanning
  Following your first scan, as you fix issues you can scan the same application again multiple times and overwrite the previous results; the dashboard always displays the current results. When you scan again (rather than starting a new scan), the rescan overwrites the previous one.
- IAST scan results
  An interactive (IAST) scan entry shows results since the last time the scan was started.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Issue severity

Issues can be classified as they appear in the Issues grid of an application.

Issue severity values

Issues are assigned a severity level automatically, and this is used in calculating the Risk rating for an application. Levels are:

Critical
High
Medium
Low
Informational

Administrators, Managers, users with the permission "Update issue severity" can reassign any value to any issue.

Edit issue severity

Select one or more issues in a list to edit their severity together.

Select all the issues you want to change, and click Edit severity.
Add a comment to be included with all the edited issues. Optional.
Note: Changes to issue severity do not affect the value shown in the scan record, which always retains the severity values at the time the scan was run.