Welcome
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
System requirements for static analysis
Supported operating systems and the types of files, locations, and projects that can be scanned by AppScan 360° when you perform static analysis.
Static analysis language support
The types of files that can be scanned by AppScan 360° when you perform static analysis.
Static analysis secrets scanning

Getting started
Welcome to the documentation for HCL AppScan 360°, where you can find information about how to install, maintain, and use this service.
Installation
Learn about AppScan 360° architecture and how to install the product.
Navigation
This section describes the items on the main AppScan 360° menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
HCL AppScan 360° performs security scans for web-applications for production, staging and development environments.
Interactive monitoring
Using an agent installed on your application, AppScan 360° identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
- System requirements for static analysis
  Supported operating systems and the types of files, locations, and projects that can be scanned by AppScan 360° when you perform static analysis.
  - Static analysis language support
    The types of files that can be scanned by AppScan 360° when you perform static analysis.
    - Static analysis secrets scanning
    - Rule updates
  - Static analysis client support
    This topics describes the supported operating systems and the types projects that can be scanned by AppScan 360° when you perform static analysis.
  - Rule updates
  - United States government regulation compliance
    Compliance with United States government security and information technology regulations help to remove sales impediments and roadblocks. It also provides a proof point to prospects worldwide that HCL is working to make their products the most secure in the industry. The Static Analyzer Command Line Utility supports the standards and guidelines that are outlined in this topic. To learn how to configure the utility for compliance, contact your HCL Support Representative.
- Scanning for security vulnerabilities
  To scan source code for security vulnerabilities, follow the steps in these topics.
- Static analysis troubleshooting
  If you experience problems with static analysis, you can perform these troubleshooting tasks to determine the corrective action to take.
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Reference
Some frequently asked questions, and information about integrating AppScan 360° into the product lifecycle (SDLC).

Static analysis secrets scanning

AppScan 360° supports scanning of secrets for the following platforms and providers:


Provider/Platform	Secret
Alibaba Cloud	`alibaba_cloud_access_key_id`
Alibaba Cloud	`alibaba_cloud_access_key_secret`
AWS	`aws_access_key_id`
AWS	`aws_secret_access_key`
AWS	`aws_session_token`
Atlassian	`atlassian_api_token`
Atlassian	`atlassian_jwt`
Azure	`azure_cosmosdb_key_identifiable`
Azure	Azure CosmosDB connection string
Azure	`azure_devops_personal_access_token`
Azure	`azure_sas_token`
Azure	`azure_search_admin/query_key`
Azure	`azure_sql_connection_string`
Azure	`azure_storage_account_key`
Azure	Azure storage account connection string
DataBricks	`databricks_access_token`
GitHub	`github_oauth_access_toke`n
GitHub	`github_personal_access_token`
GitHub	`github_refresh_token`
Google Cloud	`google_api_key`
Google Cloud	`google_cloud_private_key_id`
Hashicorp	Hard-coded `HashiCorpVault` tokens
Hasicorp	AppRole authentication (`RoleID` and `SecretID`) formats
Open AI	`openai_api_key`
Stripe	`stripe_live_restricted_key`
Stripe	`stripe_live_secret_key`
Stripe	`stripe_test_restricted_key`
Stripe	`stripe_test_secret_key`
mongodb	API authentication
mongodb	Connection URL
Jenkins	Jenkins password/passphrase
credit card numbers	Credit card numbers
Social Security Numbers (SSN)	Social Security Numbers