Static (SAST) scanning

Use static analysis to scan applications for security vulnerabilities. To accomplish this, either use AppScan Go! or download a small client utility and use its command line interface (CLI) perform security analysis on on either source code or binary files for all supported languages. Static analysis plug-ins for Eclipse, IntelliJ IDEA, and Visual Studio are available through their respective marketplaces. Once plugins are installed, you can scan Java projects in Eclipse and IntelliJ IDEA, or .NET (C#, ASP.NET, VB.NET) projects in Visual Studio. Additional information on plugins and integrations is listed here.

Before you begin

AppScan on Cloud looks for and scans specific file types associated with supported languages. For applications written in languages such as Ruby, ASoC scans source code. For applications written in languages such as Java, ASoC scans binary files of built code. To learn about all of the languages that are supported for static analysis scans, see Static analysis language support.

Procedure

To scan your application:

Download and set up either:
- A supported plugin.
  Complete information about supported plugins is listed on the AppScan on Cloud Plugins & APIs page and the Plugins and integrations documentation page.
- AppScan Go!, the client utility graphical user interface.
- The Static Analyzer Command Line Utility, as described in Setting up the Static Analyzer Command Line Utility.
Scan or generate an IRX file for your application.
1. To generate an IRX file by using the CLI, follow the instructions in Generating an IRX file by using the command line interface (CLI). You can scan all supported languages from the CLI.
2. To generate an IRX file for a Maven project, follow the instructions in Running static analysis for a Maven project. Maven supports Java and Android projects only.
3. To scan in Eclipse, IntelliJ IDEA, or Visual Studio, follow the instructions in Scanning in integrated development environments. In Eclipse and IntelliJ IDEA, you can scan Java projects - and in Visual Studio, you can scan .NET (C#, ASP.NET, VB.NET).
4. To generate an IRX file using AppScan Go!, follow the instructions in Configuring a scan using AppScan Go!.
Note: When you scan code or generate an IRX file, you might receive a message about updating to the latest Static Analyzer Command Line Utility. See Command Line Utility (CLI) support.
If you have not yet done so: Create an application for your scans.
In the Application, click Create Scan to open the wizard, then click Static Scan to start configuring your scan.
Upload File tab: Drag-and-drop your IRX file into the gray area (or Click to select the file), then click Next.
Preferences tab: You can opt to run your scan as a Personal Scan whose security issues will not be added to the issues for the application as a whole. You can also deselect the default option that sends you an email when the scan completes.
Click Review and Scan to proceed to the summary dialog.
You can optionally edit the default name that was given to the scan.
Click Scan Now.