Roles and workflows

AppScan 360° SAST roles

Not all actions related to AppScan 360° SAST are performed by the same person, though they can be. AppScan 360° SAST has two user roles that may or may not overlap, depending on company policy.
  • Administrator role

    The administrator role downloads AppScan 360° SAST and deploys containers for scanning by users. The number and functionality of containers is an organizational decision. The administrator may also be responsible for installing the AppScan Central Platform and granting user permissions.

    Most of the content in this portion of the documentation applies to AppScan 360° SAST administrators.

  • User role

    The user role is the person running scans in AppScan 360° (or using AppScan Go!, Static Analyzer Command Line Utility, or a DevOps plugin), monitoring scan status, and working with scan results.

    For the most part, the AppScan 360° SAST backend will be invisible to the user role. The user will scan, and work with the results of scans, as needed.

Anatomy of a scan

A scan consists of two major steps:

  • The preparer step processes source content (source code, build artifacts, and so on) and generates an internal representation (IRX file).
  • The analyzer step evaluates the internal representation file to generate an assessment which includes the findings from the analysis.

A request to the AppScan 360° Static Analysis agent may involve both steps performed in sequence, or either step performed alone. The AppScan 360° Static Analysis agent recognizes the type of content provided to determine the steps required to complete a scan:

  • If an archive containing the source code and/or build artifacts is provided to the AppScan 360° SAST container, the preparer and analyzer steps are both invoked to complete the scan.
  • If an IRX is imported to AppScan 360° and thus provided to the AppScan 360° SAST container, only the analyzer step is invoked to complete the scan.
  • The SAClientUtil (CLI) can be used to prepare (generate) the IRX locally. The file is then imported into AppScan 360° for analysis. The SAClientUtil can be downloaded from AppScan 360°.

Scan requests to AppScan 360° SAST from AppScan 360° are processed asynchronously. AppScan 360° displays scan status and indicates completion. After completion, the user can:

  • Fetch results: obtain the results for a successfully completed scan. These results can be viewed and managed automatically in AppScan 360°.
  • Fetch logs: obtain the logs associated with a scan. This request can be used for troubleshooting.

Administrator workflows

The standard administrator workflow for AppScan 360° Static Analysis is:
  • Download AppScan 360° Static Analysis
  • Deploy AppScan 360° SAST containers
  • Troubleshoot issues
  • Upgrade AppScan 360° SAST

User workflows

Common user workflows for AppScan 360° Static Analysis in conjunction with AppScan 360° include:
  • Scan source code and build artifacts.
  • Generate IRX locally and scan it.

Scan source code and build artifacts

  1. Create archive containing source code and build artifacts where applicable.
  2. Import the archive to AppScan 360°.
  3. Start the scan in AppScan 360°.
  4. Check the status of the scan in progress. When the scan has completed, the status response contains metrics on findings (the number of high, medium, and low issues), which can be used for build management in a DevOps build pipeline.
  5. After the scan completes, open the results file in AppScan 360°.
  6. Repeat these steps to run scans concurrently, as resources permit.

Generate IRX locally and scan IRX

  1. Run SAClientUtil to generate the IRX.
  2. Import the IRX to AppScan 360°.
  3. Start the scan in AppScan 360°.
  4. Check the status of the scan in progress. When the scan has completed, the status response contains metrics on findings (the number of high, medium, and low issues), which can be used for build management in a DevOps build pipeline.
  5. After the scan completes, open the results file in AppScan 360°.
  6. Repeat these steps to run scans concurrently, as resources permit.
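Step 4 of both procedures above says the status response carries high/medium/low finding counts so a DevOps pipeline can act on them. The following is an added example of such a pipeline gate; it is not code from the AppScan 360° documentation or product. The field names `status`, `high`, `medium` and `low`, and the terminal state values `Completed`, `Failed` and `Cancelled`, are assumptions for illustration and must be checked against the AppScan 360° API reference; the `fetch_status` callable stands in for the actual status request, which this page does not detail, and the sample responses are constructed. The example shows the two things a practitioner gets wrong most often here: polling until a terminal state with a timeout, and failing closed when an expected metric is missing rather than treating it as zero.

```python
"""Build-pipeline gate for an AppScan 360° SAST scan status response.

Added example, not part of the AppScan 360° documentation or product code.
ASSUMPTIONS: the status response is a JSON object with a 'status' field and
per-severity counts under 'high', 'medium' and 'low'; real field names and
state values may differ, so check them against the AppScan 360° API reference.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SEVERITIES = ("high", "medium", "low")


@dataclass(frozen=True)
class Thresholds:
    """Maximum number of findings tolerated per severity; None means not enforced."""
    high: Optional[int] = 0
    medium: Optional[int] = None
    low: Optional[int] = None


def wait_for_completion(fetch_status: Callable[[], Dict],
                        poll_seconds: float = 30.0,
                        timeout_seconds: float = 3600.0,
                        sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Poll fetch_status() until the scan reaches a terminal state.

    fetch_status is injected (in a real pipeline, a wrapper around the
    AppScan 360° status request) so the logic can be exercised offline.
    Returns the final status object on completion; raises RuntimeError if
    the scan failed or was cancelled, TimeoutError if no terminal state is
    seen before the deadline.
    """
    deadline = time.monotonic() + timeout_seconds
    while True:
        status = fetch_status()
        state = str(status.get("status", "")).lower()
        if state == "completed":
            return status
        if state in ("failed", "cancelled"):
            raise RuntimeError(f"scan ended with status {state!r}")
        if time.monotonic() >= deadline:
            raise TimeoutError("scan did not complete before the deadline")
        sleep(poll_seconds)


def evaluate_gate(status: Dict, thresholds: Thresholds) -> Tuple[bool, List[str]]:
    """Compare the finding counts in a completed status response with thresholds.

    Returns (passed, reasons). Fails closed: a missing or non-integer count
    for an enforced severity is a violation, not an implicit zero.
    """
    reasons: List[str] = []
    for severity in SEVERITIES:
        limit = getattr(thresholds, severity)
        if limit is None:
            continue
        count = status.get(severity)
        # bool is a subclass of int, so exclude it explicitly.
        if not isinstance(count, int) or isinstance(count, bool):
            reasons.append(f"{severity}: count missing or invalid ({count!r})")
            continue
        if count > limit:
            reasons.append(f"{severity}: {count} finding(s) exceeds limit {limit}")
    return (not reasons, reasons)


def run_gate(fetch_status: Callable[[], Dict], thresholds: Thresholds,
             **poll_kwargs) -> Tuple[bool, List[str]]:
    """Wait for the scan to finish, then apply the gate (the pipeline's last step)."""
    final = wait_for_completion(fetch_status, **poll_kwargs)
    return evaluate_gate(final, thresholds)


# Constructed sample: the scan is seen 'Running' twice before completing.
SAMPLE_RESPONSES = [
    {"status": "Running"},
    {"status": "Running"},
    {"status": "Completed", "high": 1, "medium": 4, "low": 17},
]


def sample_fetcher() -> Callable[[], Dict]:
    """Return a fetch function that replays SAMPLE_RESPONSES in order."""
    responses = iter(SAMPLE_RESPONSES)
    return lambda: next(responses)


if __name__ == "__main__":
    passed, reasons = run_gate(sample_fetcher(), Thresholds(high=0, medium=5),
                               poll_seconds=0, sleep=lambda _: None)
    print("PASS" if passed else "FAIL", reasons)
```

In a pipeline, replace `sample_fetcher()` with a function that performs the real status request and returns the parsed JSON, keep the default `sleep`, and make the job fail when `run_gate` returns `False` or raises. The thresholds are deliberately a policy object rather than constants in the code so the same gate can be tightened per branch or per application.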