Home
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
About static analysis (SAST)

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
- About static analysis (SAST)
  - SAST workflow
    Overview of steps for static analysis scanning.
- System requirements for static analysis
  Supported operating systems and the types of files, locations, and projects that can be scanned by ASoC when you perform static analysis.
- Scanning for security vulnerabilities
  To scan source code for security vulnerabilities, follow the steps in these topics.
- Sample apps and scripts
  Use these sample applications to practice scanning with ASoC.
- Static analysis troubleshooting
  If you experience problems with static analysis, you can perform these troubleshooting tasks to determine the corrective action to take.
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

About static analysis (SAST)

Static analysis is the evaluation of applications for security vulnerabilities without executing the applications. HCL AppScan on Cloud performs security scans for web and desktop applications.

To perform static analysis, either use AppScan Go!, download a small client utility and use its command line interface (CLI), or configure a plugin to perform security analysis on either source code or binary files for all supported languages.

AppScan on Cloud looks for and scans specific file types associated with supported languages. For applications written in some languages, ASoC scans source code. For others, ASoC scans binary files of built code. To learn about all of the languages that are supported for static analysis scans, see Static analysis language support.

Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA). IFA dramatically reduces the manual effort of triaging security findings to focus only on positive, high-value issues. ICA helps reduce, or avoid entirely, the complex configuration required in other technologies, improving scan accuracy automatically.