HCL AppScan on Cloud Help

  • Scanning and monitoring

    Learn how to run scans and IAST monitoring sessions on your apps, and import issues from 3rd party scanners.

    • Sample apps and scripts

      Use these sample applications to practice scanning with ASoC.

    • Dynamic (DAST) scanning

      ASoC can perform dynamic analysis of an application that runs in a browser. Use the configuration options available in ASoC, or upload an AppScan Standard configuration.

    • Static (SAST) scanning

      Use static analysis to scan applications for security vulnerabilities. To accomplish this, either use AppScan Go! or download a small client utility and use its command line interface (CLI) to perform security analysis on either source code or binary files for all supported languages. Static analysis plug-ins for Eclipse, IntelliJ IDEA, and Visual Studio are available through their respective marketplaces. Once the plugins are installed, you can scan Java projects in Eclipse and IntelliJ IDEA, or .NET (C#, ASP.NET, VB.NET) projects in Visual Studio. Additional information on plugins and integrations is listed here.

      • Setting up the Static Analyzer Command Line Utility

        For static analysis, you download a small Command Line Utility. When you extract the utility to your local disk, you can use its command line interface (CLI) to perform security analysis.

      • System requirements for static analysis

        This section describes the supported operating systems and the types of files, locations, and projects that can be scanned by ASoC when you perform static analysis.

      • United States government regulation compliance

        Compliance with United States government security and information technology regulations helps to remove sales impediments and roadblocks. It also provides a proof point to prospects worldwide that HCL is working to make its products the most secure in the industry. The Static Analyzer Command Line Utility supports the standards and guidelines that are outlined in this topic. To learn how to configure the utility for compliance, contact your HCL Support Representative.

      • Scanning for security vulnerabilities

        To scan source code for security vulnerabilities, follow the steps in these topics.

        • Generating an IRX file using the command-line interface (CLI)

          To be able to initiate an analysis of your files, you must generate an IRX file that you submit to the cloud. If you want to use the CLI, follow these instructions for creating that file.

          • Configuring IRX file generation with the CLI

            You can use a configuration file for IRX file generation, wherein you can specify individual targets - or include or exclude targets. In addition, you can use the configuration file to specify additional information that would help to generate a complete IRX file.

          • CLI command reference (Windows)

            Perform static analysis using a small client command line interface (CLI) that you download and extract to your local disk.

          • CLI command reference (Linux and macOS)

            Perform static analysis using a small client command line interface (CLI) that you download and extract to your local disk.

            • Command help

              Use the command help for retrieving a list of available commands or for retrieving information about an individual command.

            • Global commands

              Use global commands to display CLI help and Static Analyzer Command Line Utility version information.

            • Authentication commands

              Use authentication commands to log in to the ASoC service.

            • Configuration commands

              Use configuration commands to prepare your files for scanning.

            • Analysis commands

              Analysis commands are used for submitting scan requests to the cloud - or for working with scan requests that are already submitted to the cloud. Using the commands, you can also receive information about scans. This information can be useful for automation scripts.

            • Results commands

              Use results commands to retrieve scan results from the analysis service.

            • Report commands

              Use report commands to generate scan reports.

        • Configuring a scan using AppScan Go!

          Use AppScan Go! to configure a static scan. You can then run the scan in the cloud or use a plugin to automate scanning.

        • Scan mode

          Scan mode describes whether AppScan on Cloud will scan build outputs (.dll, .jar, and so on) or source code files in projects for specific languages.

        • Generating an IRX file for a Gradle project

          To be able to initiate an analysis of your files, you must generate an IRX file that you submit to the cloud. The HCL AppScan on Cloud Gradle plugin is used to automate the scanning of Java and Java web projects in Gradle. It generates an IRX file for Gradle projects that have the "java" and/or "war" plugins applied. It can also submit the generated IRX file to the ASoC service for analysis automatically. For information on applying the plugin and to determine the latest plugin version, see Gradle plugins.

        • Generating an IRX file for a Maven project

          To be able to initiate an analysis of your files, you must generate an IRX file that you submit to the cloud. The HCL AppScan on Cloud Maven plugin is used to automate the scanning of jar, war, and ear projects in Maven. It generates an IRX file for Maven projects that have the "jar," "war," and "ear" packaging types. It can also submit the generated IRX file to the ASoC service for analysis automatically. If you want to scan a Maven project, follow these instructions for creating that file.

        • Generating an IRX for a .NET Core project

          Scanning of .NET Core projects is supported through the Command Line Interface (CLI) and through the Visual Studio 2017 and Visual Studio 2019 plugins on Windows only.

        • Static analysis scan results

          This topic describes the features available in static analysis scan results.

        • Submitting HCL® AppScan® Source assessments to the Cloud for analysis

          If you have a subscription to HCL AppScan on Cloud, you can submit AppScan® Source assessments for analysis there. Assessments from AppScan Source Versions 9.0 or higher are supported - and the number of scans that you can submit depends on your AppScan on Cloud subscription.

    • Open source testing

      Open source testing locates and analyzes open source packages in your code. Our Software Composition Analysis (SCA) aggregates information from a variety of sources, constantly monitoring for new vulnerabilities in an automated process that keeps our information up to date daily. Sources include the most popular security vulnerability databases (NVD, GitHub Advisory, Microsoft MSRC), and a wide range of lesser-known security advisories and open source project issue trackers.

    • Interactive (IAST) monitoring

      ASoC can monitor normal application runtime behavior, to detect vulnerabilities.

    • Scan status
    • Personal scans

      A personal scan is a way of evaluating the relative security of an application in development without affecting overall application scan data, or compliance.

    • Private sites

      An AppScan Presence on your server enables you to scan sites not accessible from the Internet.

CLI command reference (Linux and macOS)

Perform static analysis using a small client command line interface (CLI) that you download and extract to your local disk.

  • Command help
  • Analysis commands
  • Global commands
  • Configuration commands
  • Authentication commands
  • Results commands
  • Report commands
Note: All commands must be entered in lower-case.