Home
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Scanning for security vulnerabilities
To scan source code for security vulnerabilities, follow the steps in these topics.
Configure a scan in AppScan on Cloud
Configure a static analysis scan.
Scan a GitHub repository
Static analysis scans can be configured and scheduled to pull source code directly from a public GitHub repository. When triaging SAST findings, users can view the relevant source code directly on GitHub.com. Findings can be filtered by filename or path.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
- About static analysis (SAST)
- System requirements for static analysis
  Supported operating systems and the types of files, locations, and projects that can be scanned by ASoC when you perform static analysis.
- Scanning for security vulnerabilities
  To scan source code for security vulnerabilities, follow the steps in these topics.
  - Configure a scan in AppScan on Cloud
    Configure a static analysis scan.
    - Scan a GitHub repository
      Static analysis scans can be configured and scheduled to pull source code directly from a public GitHub repository. When triaging SAST findings, users can view the relevant source code directly on GitHub.com. Findings can be filtered by filename or path.
      - Scanning private GitHub repositories
        While AppScan on Cloud allows you to perform comprehensive security scans on your public GitHub repositories using our advanced cloud service without additional setup, scanning private repositories requires the installation of the HCL AppScan on Cloud GitHub application.
    - Scan an archive file
      Scan or generate an IRX file for your application, or identify source code files to scan.
    - About IRX files
      About IRX files.
    - Scan mode
      Scan mode describes whether AppScan on Cloud scans build outputs (.dll, .jar, and so on) or source code files in projects for specific languages.
    - Static analysis scan status
    - Personal scans
      A personal scan is a way of evaluating the relative security of an application in development without affecting overall application scan data (issues, for example), or compliance.
  - Configuring a scan using AppScan Go!
    AppScan Go! steps you through configuring and running a static scan. You run the scan in the cloud or use a plugin to automate scanning.
  - Generating an IRX file using the command-line interface (CLI)
    To initiate an analysis of your files, you must generate an IRX file to submit for scanning. To use the CLI to generate the IRX file, follow these instructions.
  - Generating in IRX file using a plugin or IDE
  - Configuring a scan using an archive file
  - About Software Composition Analysis
    Software Composition Analysis (SCA) locates and analyzes open source and third-party packages used by your code.
  - Static analysis integrations
  - Submitting HCL AppScan Source assessments to the Cloud for analysis
    If you have a subscription to HCL AppScan on Cloud, you can submit AppScan Source assessments for analysis there. Assessments from AppScan Source Versions 9.0 or higher are supported. The number of scans you can submit depends on your ASoC subscription.
  - Best practices for Java scanning
  - Static analysis scan results
    Features available in static analysis scan results.
- Sample apps and scripts
  Use these sample applications to practice scanning with ASoC.
- Static analysis troubleshooting
  If you experience problems with static analysis, you can perform these troubleshooting tasks to determine the corrective action to take.
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Scan a GitHub repository

Static analysis scans can be configured and scheduled to pull source code directly from a public GitHub repository. When triaging SAST findings, users can view the relevant source code directly on GitHub.com. Findings can be filtered by filename or path.

Use the Create scan wizard to configure your scan. Select Applications > <Application> > Create scan > SAST Static Analysis: Create scan > Scan a GitHub repository.
At the GitHub repository tab, click Connect with GitHub to login to GitHub.
Once authorized, available repositories are listed below. Authorization is required only once.
Specify the repository and branch to scan either from a list of available repositories, or provide the repository URL:
When choosing repositories from the list of available repositories, choose the parent first, then the branch.
Note: If a repository is not visible in the list, it may be private. See Scanning private GitHub repositories.
When specifing repositories by URL, include the full path. For example, https://github.com/HCL-TECH-SOFTWARE/AltoroJ.
From the Schedule tab, specify that the scan should run immediately, save the scan configuration to use later, or schedule recurrent scanning:
- Scan now
  The scan runs as soon as you click the Scan button. If the maximum number of concurrent scans are running at this time, the scan will be added to a queue, and will start when it reaches the head of the queue.
- Save for later
  The configuration for your scan is ready to run and added to the Scans page with the status "Configuration saved." Saved configurations cannot be edited.
- Schedule
  - Indicate start date and time for the scan.
  - If you want the scan to repeat on a schedule, specify frequency (daily, weekly, monthly) and further details.
  - Indicate when rescans should stop.
Indicate additional scan preferences on the Scan options tab:
- Opt to run your scan as a personal scan whose security issues will not be added to the issues for the application as a whole.
- You can also select the default option that sends you an email when the scan completes.
- Allow intervention by our scan enablement team.
At the Summary tab, edit the default name that was given to the scan, if desired, and review scan choices.
Click Scan when ready to scan.