Home
Scanning
This section explains how to scan your source code and manage assessments in HCL® AppScan® Source.
Publishing assessments
AppScan® Source offers two publishing options. You can publish assessments to the AppScan Source Database, for the purpose of storing and sharing assessments. Or, if your AppScan Enterprise Server has been installed with the Enterprise Console option, you can publish assessments to it. The AppScan Enterprise Console offers a variety of tools for working with your assessments - such as reporting features, issue management, trend analysis, and dashboards.
Publishing assessments to AppScan® Enterprise
Depending on your installation, you can publish assessments to AppScan® Enterprise and/or the Enterprise Console for access in the Published Assessments view. AppScan Enterprise and the Enterprise Console offer a variety of tools for working with your assessments, such as reporting features, issue management, trend analysis, and dashboards.
Including GitHub respository information

Welcome
Welcome to the documentation for HCL® AppScan® Source.
What's New
Explore these new features that have been added to AppScan® Source - and note any features and capabilities that have been deprecated in this release.
Installing
Learn how to install, upgrade, and activate HCL® AppScan® Source.
Configuring
Learn how to configure applications, folders, and projects, and set attributes and properties in HCL® AppScan® Source.
Administering
Learn how to administer user accounts and permissions, audit user activity, and manage integrations in HCL® AppScan® Source.
Scanning
This section explains how to scan your source code and manage assessments in HCL® AppScan® Source.
- Scanning workspaces, projects, and files
  You can scan an Eclipse workspace, project, or file. This includes scanning Java™ (including Android), JavaServer Pages (JSP), and IBM® MobileFirst Platform projects.
- Managing My Assessments
  The My Assessments view contains a list of assessments (the currently-opened assessment, along with any assessments that you have saved). In this view, you can open, delete, save, rename, or compare assessments. When a scan completes or you open a saved assessment, the assessment appears in the My Assessments view. My Assessments displays a table of open or saved assessments, and identifies a published or modified assessment. Removing an assessment from this view (without saving or publishing it) permanently deletes that assessment.
- Submitting AppScan® Source assessments to the Cloud for analysis
  If you have a subscription to HCL AppScan on Cloud at HCL Cloud Marketplace, you can submit AppScan® Source assessments for analysis there. Assessments from AppScan Source Versions 9.0 or higher are supported - and the number of scans that you can submit depends on your AppScan on Cloud subscription.
- Publishing assessments
  AppScan® Source offers two publishing options. You can publish assessments to the AppScan Source Database, for the purpose of storing and sharing assessments. Or, if your AppScan Enterprise Server has been installed with the Enterprise Console option, you can publish assessments to it. The AppScan Enterprise Console offers a variety of tools for working with your assessments - such as reporting features, issue management, trend analysis, and dashboards.
  - Registering applications and projects for publishing to AppScan® Source
    Before an assessment can be published to the AppScan® Source Database, the applications or projects that were scanned in order to create it must be registered. By default, if you attempt to publish an assessment of unregistered applications or projects, you will be prompted to register the applications or projects at that time. AppScan Source for Analysis auto-registers for you if your General preference, Automatically register applications on initial publish, is Always register.
  - Publishing assessments to AppScan® Source
    You can publish assessments to the AppScan® Source Database for the purpose of storing and sharing assessments.
  - Publishing assessments to AppScan® Enterprise
    Depending on your installation, you can publish assessments to AppScan® Enterprise and/or the Enterprise Console for access in the Published Assessments view. AppScan Enterprise and the Enterprise Console offer a variety of tools for working with your assessments, such as reporting features, issue management, trend analysis, and dashboards.
    - Including GitHub respository information
    - AppScan® Enterprise Console preferences
      If your AppScan® Enterprise Server has been installed with the AppScan Enterprise Console option, you can publish assessments to it. The Enterprise Console offers a variety of tools for working with your assessments - such as reporting features, issue management, trend analysis, and dashboards.
- Opening and saving assessments
  AppScan® Source scans source code for vulnerabilities and produces findings. Findings are the vulnerabilities identified during a scan, and the result of a scan is an assessment. You can open a saved assessment from AppScan Source for Development or AppScan Source for Analysis. After you scan, you can save the assessment to a file. Then you can open the assessment again at any time. Assessments are saved as filename.ozasmt.
- Removing assessments from My Assessments
  When assessments are removed from the My Assessments view, they are not removed from your local file system. If an assessment is removed from the view, it can be added back with the Open Assessment action.
- Defining variables
  When saving assessments or bundles, or publishing assessments, AppScan® Source for Analysis may suggest that you create a variable to replace absolute paths (without variables, AppScan Source for Analysis writes absolute paths to the assessment file to reference items such as source files). When you configure variables for absolute paths, you facilitate the sharing of assessments on multiple computers. It is recommended that you use variables when sharing assessments.
Triage and analysis
Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.
Reporting
Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.
Extending product function
Learn how to extend the product to meet specific development requirements.
Reference
Review reference information for HCL® AppScan® Source, including using utilities, plug-ins, and APIs.
Troubleshooting and support
Self-help information, resources, and tools to help you troubleshoot issues while using HCL® AppScan® Source.

Including GitHub repository information in an assessment file

By default, GitHub respository information is not included in published assessments. You can choose to include GitHub repository information in assessments published to AppScan® Enterprise by editing the include_scm_details property in the scan.ozsettings file. When included, GitHub repository information included in the assessment file will be:

branchName
commitId
repository name
scanType
GitHub URL

To include git repository information in the assessments file:

Open the <source-data-directory>/config/scan.ozsettings file for editing.
By default, the scan.ozsettings file is located in the default data directory of the AppScan® Source installation.
Locate the include_scm_details property and change the value to true.
include_scm_details is set to false by default.
Save the file.