Configuring a scan using AppScan Go!
AppScan Go! steps you through configuring and running a static scan. You run the scan in the cloud or use a plugin to automate scanning.
Before you begin
The first time you use AppScan Go!, it downloads any required updates:
- In AppScan 360°, click Create Scan to open the wizard, then click SAST.
- Choose the platform (Windows, Mac, or Linux) for which to download the Command Line Utility (CLI) and click Download.
- Extract the SAClientUtil package. From the parent SAClientUtil folder, copy the child SAClientUtil folder to your .appscan folder. Create the folder if necessary.
  - Windows: <user_home>\.appscan\
  - Linux: <user_home>/.appscan/
- Extract the AppScan Go! files and install the utility to your local system.
- Disable the auto-update setting in AppScan Go! settings.
Note: If you experience an error during AppScan Go! launch, see Automatic update of AppScan Go! fails.
Note: If you're updating an existing AppScan Go! installation on Linux to a newer version, run the install with the -U option.
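The copy step above (placing the child SAClientUtil folder under <user_home>/.appscan/ on Linux) is easy to get wrong by copying the parent folder instead of the child. The following POSIX shell functions are an added example, not part of the AppScan Go! documentation or HCL's installer; they assume only the layout the steps describe (an extracted parent SAClientUtil folder that contains a child SAClientUtil folder), check for that child before copying, create .appscan if needed, and confirm where the utility ended up.

```shell
#!/bin/sh
# Added example (not HCL's own code): place the extracted SAClientUtil package
# into the .appscan folder on Linux, as the "Before you begin" steps describe.
# Assumption taken from those steps: the extracted archive yields a parent
# SAClientUtil directory containing a child SAClientUtil directory, and the
# child is what belongs in <user_home>/.appscan/.

# install_saclientutil <extracted_parent_dir> <user_home>
# Copies <extracted_parent_dir>/SAClientUtil to <user_home>/.appscan/SAClientUtil.
# Returns 0 on success, 1 if the expected child folder is missing or the copy fails.
install_saclientutil() {
    parent="$1"
    home_dir="$2"
    child="$parent/SAClientUtil"
    target="$home_dir/.appscan"

    # Refuse to proceed if the parent does not contain the child folder; this is
    # the usual sign that the wrong (outer) directory was passed in.
    if [ ! -d "$child" ]; then
        echo "expected child folder not found: $child" >&2
        return 1
    fi

    # Create the .appscan folder if it does not exist yet.
    mkdir -p "$target" || return 1

    # Replace any previous copy so an older utility does not linger beside the new one
    # (a choice made for this example, not something the page prescribes).
    rm -rf "$target/SAClientUtil"
    cp -R "$child" "$target/SAClientUtil" || return 1

    # Confirm the copy landed where AppScan Go! expects to find it.
    [ -d "$target/SAClientUtil" ]
}

# installed_saclientutil_path <user_home>
# Prints the path the utility was installed to, or returns 1 if it is absent.
installed_saclientutil_path() {
    p="$1/.appscan/SAClientUtil"
    [ -d "$p" ] || return 1
    printf '%s\n' "$p"
}

# Typical use, with the archive extracted next to the current directory:
#   install_saclientutil ./SAClientUtil "$HOME" && installed_saclientutil_path "$HOME"
```

Run it with the extracted parent folder and your home directory; if the function prints "expected child folder not found", the path given was not the parent folder the extraction produced.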
Procedure
- From your local system, launch AppScan Go!
  You do not have to be logged in to the AppScan 360° service to begin setting up a scan. You do need to be logged in to complete a scan.
- Choose a scan method:
  - Run a complete scan.
  - Create an IRX file and run a scan later.
  - Create a configuration file for automating scans.
- Specify the location of the files to scan, and the scan mode and type, then click Next.
- AppScan Go! retrieves the appropriate files from the selected folder and lists them for review. Review, select, or deselect files, then click Next.
- If you opted to run a complete scan or prepare an IRX file, configure scan settings, then click Next.
  Note: You must be logged in to AppScan 360° to see the list of available applications.
  Settings:
  - Scan name: Specify a name for the scan or accept the default name created by AppScan 360°.
  - Associated application: When running a complete scan, choose the application to associate with the scan.
  - Scan speed options (SAST only): Choose Normal, Fast, Faster, or Fastest scan based on need and time demands. Note that scan speed is not a configurable option for SCA/open source scans.
    - A normal scan performs a comprehensive analysis to identify the most detailed list of vulnerabilities and will take the longest time to complete.
    - A fast scan performs a more complete analysis of your files to identify vulnerabilities, and usually takes longer to complete.
    - A faster scan provides a medium level of detail on the analysis and identification of security issues, and takes a bit more time to complete than the Fastest scan.
    - The fastest scan performs a surface-level analysis of your files to identify the most pressing issues for remediation. It takes the least amount of time to complete.
    Note: Scan speed does not necessarily correlate to the relative number of vulnerabilities found in the code. For example, the normal analysis may rule out false positives that might be reported in a fastest scan and therefore report fewer vulnerabilities.
  - Scan preferences: When running a complete scan, specify scan preferences:
    - Run as a personal scan: Indicate whether the scan will be kept private and not included in umbrella project data.
    - Update me by email when findings are ready: Indicate whether to email you when the scan is complete. This is particularly helpful for Normal scans.
- If you opted to run a complete scan, AppScan Go! gathers information for any supported files in the directory and all of its subdirectories, then creates an IRX file in the <user_home>/.appscan/temp directory. AppScan Go! then uploads the resulting IRX file to the AppScan 360° service. When the scan upload is complete, click Finish.
- If you opted to create an IRX file, AppScan Go! gathers information for any supported files in the directory and all of its subdirectories, then creates an IRX file in the <user_home>/.appscan/temp directory. When file generation is complete, click Finish.
- If you opted to create a configuration file for automating scans, AppScan 360° saves the scan configuration file (appscan-config.xml) to the folder with your files to scan. Click Finish to exit AppScan Go!
  You can exit the utility at this point and pick up again later, log in to the AppScan 360° service and configure and run the scan now, or use the configuration file to automate scanning using one of the listed plugins.
  Note: For additional information on using configuration files, see Configuring IRX file generation with the CLI.
- Open AppScan 360° to review the status or results of the scan, or to start a scan with the IRX file generated by AppScan Go!