Home
Scanning and monitoring
Learn how to run scans and IAST monitoring sessions on your apps, and import issues from 3rd party scanners.
Static (SAST) scanning
Use static analysis to scan applications for security vulnerabilities. To accomplish this, either use AppScan Go! or download a small client utility and use its command line interface (CLI) perform security analysis on on either source code or binary files for all supported languages. Static analysis plug-ins for Eclipse, IntelliJ IDEA, and Visual Studio are available through their respective marketplaces. Once plugins are installed, you can scan Java projects in Eclipse and IntelliJ IDEA, or .NET (C#, ASP.NET, VB.NET) projects in Visual Studio. Additional information on plugins and integrations is listed here.
Scanning for security vulnerabilities
To scan source code for security vulnerabilities, follow the steps in these topics.

Scanning and monitoring
Learn how to run scans and IAST monitoring sessions on your apps, and import issues from 3rd party scanners.
- Sample apps and scripts
  Use these sample applications to practice scanning with ASoC.
- Dynamic (DAST) scanning
  ASoC can perform dynamic analysis of an application that runs in a browser. Use the configuration options available in ASoC, or upload an AppScan Standard configuration.
- Static (SAST) scanning
  Use static analysis to scan applications for security vulnerabilities. To accomplish this, either use AppScan Go! or download a small client utility and use its command line interface (CLI) perform security analysis on on either source code or binary files for all supported languages. Static analysis plug-ins for Eclipse, IntelliJ IDEA, and Visual Studio are available through their respective marketplaces. Once plugins are installed, you can scan Java projects in Eclipse and IntelliJ IDEA, or .NET (C#, ASP.NET, VB.NET) projects in Visual Studio. Additional information on plugins and integrations is listed here.
  - Setting up the Static Analyzer Command Line Utility
    For static analysis, you download a small Command Line Utility. When you extract the utility to your local disk, you can use its command line interface (CLI) to perform security analysis.
  - System requirements for static analysis
    This section describes the supported operating systems and the types of files, locations, and projects that can be scanned by ASoC when you perform static analysis.
  - United States government regulation compliance
    Compliance with United States government security and information technology regulations help to remove sales impediments and roadblocks. It also provides a proof point to prospects worldwide that HCL is working to make their products the most secure in the industry. The Static Analyzer Command Line Utility supports the standards and guidelines that are outlined in this topic. To learn how to configure the utility for compliance, contact your HCL Support Representative.
  - Scanning for security vulnerabilities
    To scan source code for security vulnerabilities, follow the steps in these topics.
    - Generating an IRX file using the command-line interface (CLI)
      To be able to initiate an analysis of your files, you must generate an IRX file that you submit to the cloud. If you want to use the CLI, follow these instructions for creating that file.
    - Configuring a scan using AppScan Go!
      Use AppScan Go!! to configure a static scan. You can then run the scan in the cloud or use a plugin to automate scanning.
    - Scan mode
      Scan mode descibes whether AppScan on Cloud will scan build outputs (.dll, .jar, and so on) or source code files in projects for specific languages.
    - Generating an IRX file for a Gradle project
      To be able to initiate an analysis of your files, you must generate an IRX file that you submit to the cloud. The HCL AppScan on Cloud Gradle plugin is used to automate the scanning of Java and Java web projects in Gradle. It generates an IRX file for Gradle projects that have the "java" plugin and/or "war" plugins applied. It can also submit the generated IRX file to the ASoC service for analysis automatically. for creating that file. For information on applying the plugin and to determine the latest plugin version, see Gradle plugins.
    - Generating an IRX file for a Maven project
      To be able to initiate an analysis of your files, you must generate an IRX file that you submit to the cloud. The HCL AppScan on Cloud Maven plugin is used to automate the scanning of jar, war, and ear projects in Maven. It generates an IRX file for Maven projects that have the "jar," "war," and "ear" packaging types. It can also submit the generated IRX file to the ASoC service for analysis automatically. If you want to scan a Maven project, follow these instructions for creating that file.
    - Generating an IRX for a .NET Core project
      Scanning of .NET Core projects is supported through the Command Line Interface (CLI) and through the Visual Studio 2017 and Visual Studio 2019 plugins on Windows only.
    - Static analysis scan results
      This topic describes the features available in static analysis scan results.
    - Submitting HCL® AppScan® Source assessments to the Cloud for analysis
      If you have a subscription to HCL AppScan on Cloud, you can submit AppScan® Source assessments for analysis there. Assessments from AppScan Source Versions 9.0 or higher are supported - and the number of scans that you can submit depends on your AppScan on Cloud subscription.
- Open source testing
  Open source testing locates and analyzes open source packages in your code. Our Software Composition Analysis (SCA) aggregates information from a variety of sources, constantly monitoring for new vulnerabilities in an automated process that keeps our information up-to-date daily. Sources include the most popular security vulnerability databases (NVD, Github advisory, Microsoft MSRC), and a wide range of lesser-known security advisories and open source project issue trackers.
- Interactive (IAST) monitoring
  ASoC can monitor normal application runtime behavior, to detect vulnerabilities.
- Scan status
- Personal scans
  A personal scan is a way of evaluating the relative security of an application in development without affecting overall application scan data, or compliance.
- Private sites
  An AppScan Presence on your server enables you to scan sites not accessible from the Internet.

Scanning for security vulnerabilities

To scan source code for security vulnerabilities, follow the steps in these topics.