Configuring a scan using AppScan Go!

Use AppScan Go! to configure a static scan. You can then run the scan in the cloud or use a plugin to automate scanning.

Before you begin

The first time you use AppScan Go!, AppScan on Cloud downloads any required updates:
  1. In AppScan on Cloud, click Create Scan to open the wizard, then click Static Scan.
  2. Choose the platform (Windows, Mac, or Linux) for which to download the utility and click Download.
  3. Extract the files and install the utility to your local system.
Note: If you're updating an existing AppScan Go! installation on Linux to a newer version, run the install with the -U option.

About this task

Using AppScan Go! allows you to configure scans locally prior to running analysis in the service.

Procedure

  1. From your local system, launch AppScan Go!
    On Windows click Start > AppScan Go!.
    You do not have to be logged in to the AppScan on Cloud service to begin setting up a scan.
  2. Choose the type of scan, Complete Security Scan or Open Source only, then click Browse.
    Note that Open Source scans require the appropriate license.
  3. Browse to the folder that contains the files to scan and click Select Folder.
    AppScan Go! allows you to choose folders only.
  4. AppScan Go! retrieves appropriate files from the selected folder and lists them for review. Review, select, or deselect files, then click Continue.
    AppScan on Cloud saves the scan configuration file (appscan-config.xml) to the folder with your files to scan. You can exit the utility at this point and pick up again later, or log in to the AppScan on Cloud service and configure and run the scan now.
    Note: For additional information on using configuration files, see Configuring IRX file generation with the CLI.
  5. Click Create a new scan to log in to HCL AppScan on Cloud and specify additional parameters, or automate the project using a supported plugin.
    Note: If you are unable to log in to AppScan on Cloud, verify you are using the most up-to-date version of AppScan Go!, version 0.1.7 or later. See Troubleshooting for additional information.
  6. Specify the following scan parameters, then click Initiate Scan to upload the files:
    Scan name: Specify a name for the scan or accept the default name created by AppScan on Cloud.
    Application to associate the scan with: Choose the application to associate with the scan.
    Scan speed options: Choose Simple, Balanced, Deep, or Thorough scan based on need and time demands. Note that scan speed is not a configurable option for Open Source scans.
    • A simple scan performs a surface-level analysis of your files to identify the most pressing issues for remediation. It takes the least amount of time to complete.
    • A balanced scan provides a medium level of detail on the analysis and identification of security issues, and takes a bit more time to complete than the 'Simple' scan.
    • A deep scan performs a more complete analysis of your files to identify vulnerabilities, and usually takes longer to complete.
    • A thorough scan performs a comprehensive analysis to identify the most comprehensive list of vulnerabilities and will take the longest time to complete.
      Note: Scan speed does not necessarily correlate to the relative number of vulnerabilities found in the code. For example, a thorough analysis may rule out false positives that would be reported in a simple scan and therefore report fewer vulnerabilities.
    Run as a personal scan: Specify whether the scan will be kept private and not included in umbrella project data.
    Update me by email when scan findings are ready: Specify whether to send an email when the scan is complete. This is particularly helpful for Deep scans.
    AppScan Go! gathers information for any supported files in the directory and all of its subdirectories, then creates an IRX file in the directory. AppScan Go! then uploads the resulting IRX file to the AppScan on Cloud service.
  7. When the upload to AppScan on Cloud is complete, click the link to review the status or results of the scan in the AppScan on Cloud service.