
  • Getting started

    Welcome to the documentation for HCL AppScan 360°, where you can find information about how to install, maintain, and use this service.

  • Installation

    Learn about AppScan 360° architecture and how to install the product.

  • Navigation

    This section describes the items on the main AppScan 360° menu bar, with links to more detailed information.

  • Administration

    Define users, applications, policies, and configure DevOps integrations.

  • Dynamic analysis

    HCL AppScan 360° performs security scans of web applications in production, staging, and development environments.

  • Interactive monitoring

    Using an agent installed on your application, AppScan 360° identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.

  • Software Composition Analysis

    Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).

  • Static analysis

    Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).

    • System requirements for static analysis

      Supported operating systems and the types of files, locations, and projects that can be scanned by AppScan 360° when you perform static analysis.

    • Scanning for security vulnerabilities

      To scan source code for security vulnerabilities, follow the steps in these topics.

      • Configure a scan in AppScan 360°

      • Configuring a scan using AppScan Go!

        AppScan Go! steps you through configuring and running a static scan. Run the scan in the service or use a plugin to automate scanning.

      • Using the Static Analyzer Command Line Utility

        The Static Analyzer Command Line Utility (SAClientUtil) is used to generate an IRX that can be scanned in AppScan on Cloud or AppScan 360°. The appscan prepare command is supported for use with AppScan 360° Static Analysis.

      • About scanning using an archive file
      • Language-specific features

        • Generating an IRX for a .NET Core project

          Scanning of .NET Core projects is supported through the Command Line Interface (CLI) and through the Visual Studio 2022 plugin on Windows only.

        • Supported .NET source code attributes

          When using static analysis to scan .NET, [ValidatorMethod], [CallbackMethod], and [SuppressSecurityTrace] method-level attributes are supported. When these attributes are used, [ValidatorMethod()], [CallbackMethod()], and [SuppressSecurityTrace()] are also accepted.

        • Supported Java source code annotations

          When using static analysis to scan Java™, @ValidatorMethod, @CallbackMethod, and @SuppressSecurityTrace method-level annotations are supported.

        • Managing third-party Java and .NET exclusions

          By default, third-party Java and .NET code is not scanned during IRX file generation. You can manage the third-party code that is excluded by following the instructions in this topic.

      • Static analysis scan results

        The SAST scanning engine uses AI and complementary technologies to improve detection accuracy and streamline result analysis.

    • Static analysis troubleshooting

      If you experience problems with static analysis, you can perform these troubleshooting tasks to determine the corrective action to take.

  • Results

    The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.

  • Reference

    Some frequently asked questions, and information about integrating AppScan 360° into the product lifecycle (SDLC).


Language-specific features

  • Generating an IRX for a .NET Core project
  • Supported .NET source code attributes
  • Supported Java source code annotations
  • Managing third-party Java and .NET exclusions