What's new in HCL AppScan 360°

Single VM installer: New Express and Custom modes simplify deployments.

Distributed installation: New prerequisite validation ensures your environment is ready before a full-fledged deployment.

• Unified namespace support: Deploy all components into a single, user-defined namespace (via -n) for simpler role-based access control, monitoring, and cleanup.
• Version pinning with tags: Install specific tagged versions for controlled, reproducible deployments and easier rollbacks.
• Manual archive path: A Git-free install option for restricted/air-gapped environments.

Single Sign-On (SSO): HCL AppScan 360° now supports OIDC-based authentication, verified with Okta and Keycloak.

Domino LDAP: New support for Domino LDAP servers enables additional enterprise authentication options.

• Updated compliance reports:
  • [US] DISA's Application Security and Development STIG. V6R3
  • CWE Top 25 Most Dangerous Software Weaknesses 2024

• Column selection: Column selection is organized by category to improve usability.
• Copy from grid: Right-click any table cell to easily copy its content.

AppScan 360° can now send scan results directly to Centraleyezer, providing unified management of security findings across tools.

AppScan 360° plugins now support SCA scans.

My HCLSoftware (MHS) portal has replaced the FlexNet Operations (FNO) portal for licensing management. FNO is no longer supported as of June 30, 2025.

• AppScan 360° versions 1.6.0 and earlier will no longer be available after June 30, 2025.
• Non-FIPS version 1.6.1 of AppScan 360° is available for download fromMy HCLSoftware (MHS) portal only.
• FIPS enabled version 1.6.1 of AppScan 360° is available on Four, Inc.

• HCL AppScan 360° can be installed using the offline Single VM installation kit. Only the installation mode changed, the contents of the installer kit remains same as the 1.5.0 version.

• Simple installation with a single Helm command.
• Lightweight setup using Docker images from HCL Harbor container registry.
• Optimized for Kubernetes-enabled infrastructures.

• Static analysis client updated to 8.0.1604.
• Support for HTML.
• Additional support for Python Django scanning.
• Updates to secrets scanning.
• Added new CLI command to retrieve logs.
• Updates to scan rules.
• AppScan Go! updated to version 2.2.0.
  • Scan names allow special characters.
  • The prefix static_ is no longer included in scan name automatically.
  • Secrets scanning per scan enabled by default.
  • User interface improvements.
  • General bug fixes.

You can choose to install AppScan 360° in a distributed Kubernetes environment (standard install), or on a single virtual machine. Single VM installation offers a self-contained deployment of AppScan 360°, including configuring Kubernetes, for smaller environments when high concurrency is not required, or as part of planning for subsequent distributed installations.

• New or updated compliance and industry-standard reports and policies:
  • Network and Information Security Directive (NIS2)
  • OWASP Cloud-Native Application Security Top 10
  • OWASP API Security Top 10 2023
  • CWE Top 25 Most Dangerous Software Weaknesses 2023
  • [US] DISA's Application Security and Development STIG, Version 5 Release 3
  • The Payment Card Industry Data Security Standard (PCI DSS) - Version 4
• Automated comment propagation: Automatically propagates the latest comments along with issue status from the same issue in another application to the current app. This ensures that both the status and comments are consistently updated, providing a complete and synchronized issue record across all applications.
• Repository link in issue Details tab: The "Location" field in the issue Details tab includes a link to the specified file and line in the source code repository, when applicable. This enables direct access to the relevant code without switching tabs.

• Static analysis client updated to 8.0.1577.
• AppScan Go! updated to version 2.1.1.
  • Added the ability to scan SCM repositories inAppScan Go! with a URL.
  • AppScan Go! now auto-recommends scan mode, either bytecode/compiled or source code.
• SAST scans can now be configured and scheduled to pull source code directly from a public GitHub repository. See Scan a GitHub repository.
• While triaging SAST findings, users can view the relevant source code directly on GitHub.com.
• Findings can now be filtered by filename or path, making triaging more efficient by focusing on specific areas of the codebase.
• CLI command queue_analysis displays scan IDs for static analysis (SAST).
• IFA 2.0 enabled for .NET trace findings.
• Improvements to secrets scanner and Java source code scanner.
• Secrets scanner scans PowerShell (.ps1) files.
• Updates to rules.
• Support for Makefile/GNUMakefile, eSQL, and Java 21.

  In addition, Java 21 is included in the Static Analyzer Command Line Utility (SAClientUtil) package.

• Live logs for DAST scans: View real-time log updates during active scans.
• Extended Support Mode: Enable Extended Support Mode (ESM) for DAST scans to generate detailed logs for support purposes.
• DAST engine is updated to 10.7.0.40885

• JetBrains IDE plugin
• Jira, Azure DevOps, and RTC DTS integrations
• ServiceNow vulnerability management integration
• AppScan-SDK build-your-own integration

See Integrations for additional information.

Our market-leading DAST technology enables organizations to scan running applications and APIs for vulnerabilities before they are deployed to the web. Incremental scanning and test optimization allow companies to balance the speed and depth of scans based on the needs of the development lifecycle.

• A date filter has been added to the Fix groups page. View fix groups according to a date range and/or according to time-related properties associated with component issues.
• A share option has been added to the Issue details pane. Copy a link or issue ID to share issue details quickly and efficiently via text or email.

• The Settings page has been redesigned with improved organization, and now requires confirmation of changes to page settings.

• Azure: DAST, SAST
• Jenkins: DAST, SAST
• Visual Studio 2022: SAST

User experience (UX) improvements:

• Asset groups: The new delete asset group flow simplifies the process of deleting an asset group. Users with the delete asset group permission (default roles like Administrator and Manager, as well as custom roles) can delete an asset group along with its associated applications, including scans and findings, facilitating the removal of unnecessary applications. Users can also opt to move the applications to another asset group, either with or without their members.
• Fix groups: Comments field added to security report for fix groups, allowing for better inclusion and tracking of notes and comments.

• Major enhancements to Intelligent Findings Analytics (IFA) for Java, our AI/ML auto-triage technology, include more precise findings and reduced false positives. Users may notice additional findings in previously scanned code due to improved analysis and prioritization.
• Automatic discovery of Git repositories. File paths for new issues are relative to the repository root.
• Increased coverage for RPG language.
• AppScan Go! updated to version 2.0.0

  AppScan Go! steps you through configuring and running a static or secrets scan with a refreshed and improved user interface and refined workflow. You can run a complete scan, prepare an IRX file for scanning later, or configure files for automating scans with AppScan plugins. You can also view account information within the tool.

• Static analysis support for .NET 8.
• Improved accuracy for Java, JavaScript and Python languages.

• Deploy in any Kubernetes environment.
• Accepts the AppScan Central Platform server’s hostname (FQDN) part of ‘--server’ option.
• Storage class name (--storage-class) must be provided during the deployment.
• The default AppScan 360° Static Analysis ingress hostname for the option ‘--ingress-host’ is changed from ‘sast.appscan.com’ to ‘sast.example.com’.