Configuring a scan using AppScan Go!
Use AppScan Go! to configure a static scan. You can then run the scan in the cloud or use a plugin to automate scanning.
Before you begin
The first time you use AppScan Go!, it downloads any required updates:
- In AppScan 360°, click Create Scan to open the wizard, then click Static Scan.
- Choose the platform (Windows, Mac, or Linux) for which to download the utility and click Download.
- Extract the files and install the utility to your local system.
Note: If you're updating an existing AppScan Go! installation on Linux to a newer version, run the install with the -U option.
About this task
Procedure
- From your local system, launch AppScan Go! On Windows click. You do not have to be logged in to the AppScan 360° service to begin setting up a scan.
- Specify the location of files to scan. Browse to the folder that contains the files to scan and click Select Folder.
AppScan Go! allows you to choose folders only.
- Choose the types of issues you want to find and the types of files to scan, then click Continue.
You can choose to scan for all security issues from all file types, or vary the scan based on open source scanning and/or source-code-only scanning. Note that SCA (open source) scans require the appropriate license.
- AppScan Go! retrieves appropriate files from the selected folder and lists them for review. Review, select, or deselect files, then click Continue.
AppScan 360° saves the scan configuration file (appscan-config.xml) to the folder with your files to scan. You can exit the utility at this point and pick up again later, or log in to the AppScan 360° service and configure and run the scan now.
Note: For additional information on using configuration files, see Configuring IRX file generation with the CLI.
- Click Create a new scan to log in to HCL AppScan 360° and specify additional parameters, or automate the project using a supported plugin.
Note: If you are unable to connect or log in to AppScan 360°, verify that you are using the most up-to-date version of AppScan Go!, version 0.1.7 or later. See Troubleshooting for additional information.
- Specify the following scan parameters, then click Initiate Scan to upload the files:
  Scan name: Specify a name for the scan or accept the default name created by AppScan 360°.
  Application to associate the scan with: Choose the application to associate with the scan.
  Scan speed options: Choose Simple, Balanced, Deep, or Thorough scan based on need and time demands. Note that scan speed is not a configurable option for SCA/open source scans.
    - A simple scan performs a surface-level analysis of your files to identify the most pressing issues for remediation. It takes the least amount of time to complete.
    - A balanced scan provides a medium level of detail on the analysis and identification of security issues, and takes a bit more time to complete than the Simple scan.
    - A deep scan performs a more complete analysis of your files to identify vulnerabilities, and usually takes longer to complete.
    - A thorough scan performs a comprehensive analysis to identify the most comprehensive list of vulnerabilities and will take the longest time to complete.
    Note: Scan speed does not necessarily correlate to the relative number of vulnerabilities found in the code. For example, a thorough analysis may rule out false positives that might be reported in a simple scan and therefore report fewer vulnerabilities.
  Run as a personal scan: Specify whether the scan will be kept private and not included in umbrella project data.
  Update me by email when scan findings are ready: Specify whether to email you when the scan is complete. This is particularly helpful for Deep scans.
  AppScan Go! gathers information for any supported files in the directory and all of its subdirectories, then creates an IRX file in the directory. AppScan Go! then uploads the resulting IRX file to the AppScan 360° service.
- When the scan upload is complete, click Finish.
- Open AppScan 360° to review the status or results of the scan.