Home
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Issues
The Issues page for an application, by default displays non-compliant issues only. You can apply a variety of filters to see the issues you need, and click on any issue to open the detailed issue information pane.
Triaging issues
All issues are classified as new by default. You can see an issue classification by viewing the issue status.
Triaging issues from IDE plug-ins
The HCL AppScan on Cloud IDE plugins for Eclipse and Visual Studio can change the status of issues in the service.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
- Sample Security Reports
- Application reports
- Scan data
- Issues
  The Issues page for an application, by default displays non-compliant issues only. You can apply a variety of filters to see the issues you need, and click on any issue to open the detailed issue information pane.
  - Issue information
    The Issue information pane shows all content available for the issue.
  - Issue status
    Issues can be classified as Open, In Progress, Noise, Reopened, Passed, and Fixed.
  - Issue severity
    Issues can be classified as they appear in the Issues grid of an application.
  - Triaging issues
    All issues are classified as new by default. You can see an issue classification by viewing the issue status.
    - Triaging issues from IDE plug-ins
      The HCL AppScan on Cloud IDE plugins for Eclipse and Visual Studio can change the status of issues in the service.
  - Importing issues from third-party scanners
    Whether you use third-party scanners or conduct manual penetration tests to discover issues, you can import the issues from a CSV file into ASoC for triaging.
- Correlation
  AppScan analyzes issues found by IAST, DAST and SAST to identify common weak links in the code (correlations) where multiple vulnerabilities can be resolved with a single or consolidated remediation effort.
- Fix groups
  Fix groups currently apply only to issues found in static analysis scans.
- Reports
  Generate reports for issues discovered in an application. Send reports to send to developers, internal auditors, penetration testers, managers, and the CISO. Security information might be extensive, and can be filtered depending on your requirements.
- Remediation
  After risks are determined and vulnerabilities are prioritized, your security team can start the remediation process.
- Rescanning
  Following your first scan, as you fix issues you can scan the same application again multiple times and overwrite the previous results; the dashboard always displays the current results. When you scan again (rather than starting a new scan), the rescan overwrites the previous one.
- IAST scan results
  An interactive (IAST) scan entry shows results since the last time the scan was started.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Triaging issues from IDE plug-ins

The HCL AppScan on Cloud IDE plugins for Eclipse and Visual Studio can change the status of issues in the service.

When reviewing issues, each fix group notes, among other details, vulnerability type and status. Possible statuses are New, Open, In Progress, Noise, Fixed, Passed, and Mixed Status.

The status of a fix group is based on the statuses of the individual issues that make up the fix group. If the individual issues have the same status, AppScan on Cloud uses that status for the fix group status. If the individual issues have different statues, AppScan on Cloud uses Mixed Status for the fix group.

In the following example, the fix group status is New. All component issues of the fix group have the status New.

You can change the status of a fix group or of individual issues. Changing the status of a fix group or issue is reflected in the IDE and the ASoC service.

To change the status for a fix group:

Click Change status at the fix group.
Choose an available status from the resulting menu.
Click OK at the confirmation dialog box.
ASoC updates status for the fix group and the statuses for all component issues.

To change the status of an issue:

Open the fix group.
Identify the issue for which to change the status.
Hover over the issue status and choose a new status.
Click OK at the confirmation dialog box.
ASoC updates the status for the issue and fix group accordingly. If the status for all the component issues in the fix group match, the fix group status is updated to match. If the component issues have multiple statuses, the fix group status is updated to Mixed Status.