Test Policy view

Test Policy view of the Configuration dialog box shows details of the current test policy.

The number of possible AppScan tests for a site can reach the thousands. Rather than manually filter the large number of tests and test variants, you can set a general policy for the type of test you do, or do not, want to be run on your application.

Use Test Policy view to view, edit and manage test policies, that define which tests are included in scans, and to define the policy for the current scan.

Tests are grouped and listed in the upper of the two panes. The Advisory and Fix Recommendation for the selected test appear in the lower pane.

In Test Policy view you can:

  • View details of the current policy
  • Edit the current policy to create a User-Defined Test Policy of your own
  • Import a predefined policy, or a previously saved user-defined policy
Tip: If you apply Test Optimization to the scan configuration, some of the vulnerabilities in your selected policy may not be tested for. Therefore, if you selected the "Complete" Test Policy, and want all its tests to be sent, you should set Test Optimization to No optimization.



Test Policy

Shows the name of the current Test Policy. Tests are grouped and listed in the upper of the two panes. The How to Fix information for the selected test appears in the lower pane.

Grouping method

Use the drop-down list to select a grouping method for the tests in the upper pane.


Typing text into the Search field will display only tests that contain the search string. The Magnifying glass drop-down list lets you define whether to look for the string in all test fields, or only specific ones (such as Test Name or CVE ID.


Click to save the current Test Policy so you can load it on another occasion.


Click to load a predefined or user-defined Test Policy (see Importing a Test Policy).

Policy description

The upper-right pane shows the description of the current policy. For user-defined policies this field can be edited.

Test pane

The upper main pane lists all AppScan® tests that meet the filter/search criteria. For each test the following information is listed: Name, Variant ID, CVE ID, CWE ID, Severity assigned to the issue (and whether the severity is CVSS or user-assigned), XFID (X-Force ID), Type, Invasiveness, and WASC threat classification. You can Sort tests by some of these fields, by clicking on the column header.

Tests whose check box is selected are included in the current policy. You can edit the policy by selecting/deselecting tests (see Editing a Test Policy.

Update Settings link

This link opens a dialog box that lets you define which types of test can be added to this policy when new tests are added to the database.

For details see Test Policy Update Settings

How to Fix tab

The lower main pane shows details of how to fix the issue, including code-specific information where available.

Policy files

Load an existing Test Policy by clicking one of the Recent Policies, or Predefined Policies, or by clicking Browse... and browsing to the required policy.