HCL AppScan 360 Help
      • Language-specific features

        • Generating an IRX for a .NET Core project

          Scanning of .NET Core projects is supported through the Command Line Interface (CLI) and through the Visual Studio 2017 and Visual Studio 2019 plugins on Windows only.

        • Supported .NET source code attributes

          When using static analysis to scan .NET, [ValidatorMethod], [CallbackMethod], and [SuppressSecurityTrace] method-level attributes are supported. When these attributes are used, [ValidatorMethod()], [CallbackMethod()], and [SuppressSecurityTrace()] are also accepted.

        • Parallel processing for Java applications
        • Supported Java source code annotations

          When using static analysis to scan Java™, @ValidatorMethod, @CallbackMethod, and @SuppressSecurityTrace method-level annotations are supported.

        • Managing third-party Java and .NET exclusions

          By default, third-party Java and .NET code is not scanned during IRX file generation. You can manage the third-party code that is excluded by following the instructions in this topic.
