Built-in scan configurations

AppScan® Source provides built-in scan configurations. These cannot be modified or removed. Selecting them in the list allows you to duplicate them or view their settings. Built-in configurations can be accessed in server mode or local mode.

Scan configurations

Scan configurations allow you to adapt the analysis and output of scans to meet specific needs for different kinds of applications, scan environments, and security processes. These might be to focus on particular resources the application interacts with, particular timing requirements of a DevSecOps process, or particular vulnerabiities the security team has identified.

Scan adaptations are done by setting various parameters that control the analysis process. Parameters are grouped into scan rules and advanced settings. AppScan® Source built-in scan configurations are based on specific cases that our customers have identified.

AppScan® Source includes the following built-in scan configurations:
  • Android
  • Follow all virtual call targets
  • Large application
  • Maximize findings
  • Maximize traces
  • Medium-to-large application
  • Normal
  • Quick
  • Service code
  • User input vulnerabilities
  • Web balanced
  • Web deep
  • Web preview
  • Web quick
  • Web

Scan configuration groupings

The built-in scan configurations provide a range of common scan details, speed, and size. In general, the scans can be categorized as:
  • Normal
  • Generic
  • Web
  • Others
It may seem that larger scans are better scans because they provide more data. This is not always the case.

Depending on the type of data being scanned, and other scan configuration details, larger scans may actually perform shallower analyses to decrease time and/or space resource requirements. Thus it is important to understand what you are scanning for, and the type of findings expected by any scan, whether it is built-in scan configuration or a custom configuration.

Normal scan

This is the default scan configuration and uses the default values for the parameters. This configuration is useful for all types of applications and provides a balance of time used, depth of analysis and number of findings. Note that default values can be changed in the ozsettings files (ipva.ozsettings, ounce.ozsettings, scan.ozsettings, or others).

Generic scans

This group of configurations are suitable for any type of application and range from quickest to longest duration with increasing numbers of findings in this order:
  • Large application scan
  • Quick scan
  • Medium-to-large application scan
  • Follow all virtual call targets scan
  • Maximize traces
  • Maximize findings

Web scans

This group of configurations is most suitable for web applications. These range from quickest to longest duration with increasing numbers of findings in this order:
  • Web quick scan
  • Web preview scan
  • Web scan
  • Web balanced scan
  • Web deep scan


  • Service code scan is suitable for web services, libraries, and REST applications
  • Android scan is suitable for mobile apps in the Android environment.
  • User input vulnerabilities scan focuses on inputs provided by external users of web applications or internal users of desktop applications.

Scan rules

Scan rules are parameters that control the selection of potentially threatening inputs to your application. These may be configured to focus on inputs of particular interest to the developers or security team. Reducing the number of inputs examined can reduce the scan time.
Note: For additional information about each of the scan rules, see Scan Configuration view.
Scan rules
Everything User input Web applications Error handling and logging Environment External systems Data store Unusual things File system Sensitive data
Scan configuration Normal (Default) X
Android X
Follow all virtual call targets X
Large application X X X
Maximize findings X
Maximize traces X
Medium-to-large X
Quick X X X X X X X
Service code X
User input vulnerabilities X
Web balanced X X X X X X
Web deep X X X X X X
Web preview X X X X X X
Web quick X X X X X X
Web X X X X X

Advanced settings

Advanced settings are parameters that generally control how much time is spent by the analysis and how deeply the application is analyzed. Generally, setting parameters to lower time limits or to limit the depth of analysis can reduce the duration of the scan and also reduce the number of findings.
Note: If a value it not specified, or listed in the user interface as "<Inherited>", it is the same as the default value associated with a "Normal" scan as set in the ozsettings files (ipva.ozsettings, scan.ozsettings, or others). The values listed here for the "Normal" scan are system original values.
Advanced settings
Automatic callback markup Automatic propagator markup Display skipping message Filter custom rules Initial pruning heuristic IPVA per root time limit No inline validation Prototypical traces Replace Set/Get attribute calls Show informational findings Single virtual call Suppress processing restricted messages Virtual call autocallback threshold Virtual call count WAFL Global tracking
Scan configuration Normal (Default) False False False True 7 50 False 0 (all) False False True True 0 0 (all) True
Android 7 50 True True 0 True
Follow all virtual call targets False 0
Large application 100 2 1 True False
Maximize findings True True 0 50 True False 0 True
Maximize traces True True 0 50 False 0 True
Medium-to-large False 100 4 True 1 True False 5 True
Quick 100 2 1 False True
Service code True False 100 4 True 1 True False 5 True
User input vulnerabilities False 100 4 True 1 False 5
Web balanced
Web deep True True 9 50 True False 0 True
Web preview 100 2 1 True False
Web quick 100 2 1 True False
Web 7 50 0 True True 0 True