What's new in HCL AppScan 360°
Explore new features that have been added to HCL AppScan 360°, and note any features and capabilities that have been deprecated in this release.
- New in HCL AppScan 360° version 2.1.0
- New in HCL AppScan 360° version 2.0.1
- New in HCL AppScan 360° version 2.0.0
- New in HCL AppScan 360° version 1.6.1
- New in HCL AppScan 360° version 1.6.0
- New in HCL AppScan 360° version 1.5.1
- New in HCL AppScan 360° version 1.5.0
- New in HCL AppScan 360° version 1.4.0
- New in HCL AppScan 360° version 1.3.0
- New in HCL AppScan 360° version 1.2.0
- New in HCL AppScan 360° version 1.1.0
New in HCL AppScan 360° version 2.1.0
⚠️ Action Required Before Upgrading: Please refer to the important additional Gateway-related steps required prior to upgrading to AppScan 360° 2.1.0.
Installation:
- AppScan 360 Setup Assistant: A standalone script that validates AppScan 360 prerequisites, verifies system readiness, and supports post-installation debugging via a dedicated debug pod.
- Single VM installation:
- Single VM installation now supports installation on both RHEL and Ubuntu
- Optional DPR installation support in Production mode
- Local registry support for Helm-based installations: Helm-based installations now support local registries for hosting images, eliminating the need for a constant internet connection.
Platform Improvements
AI Insights
- AppScan Model Context Protocol (MCP) server is now available for use with your LLM to securely access your security data in AppScan 360°. By accessing it through your IDE, you can get insights about your data, connect it with other MCPs for integrations, and use LLM capabilities to suggest triage and code remediation using the context of the results from AppScan 360°.
User Interface & Navigation
- Home Page & Scan Views: The new AppScan 360° home page gives you a quick overview of your recent applications and scans. The Scans and Sessions page has also been upgraded with a unified view for all scan technologies and a new table layout for easier filtering and sorting.
- Fix Group Interface: Completely redesigned for better usability, making it much easier to understand grouped issues, navigate resolutions, and manage fixes efficiently.
- General UX Upgrades: You'll notice faster page load times, improved breadcrumb navigation accuracy, and updated colors and graphics to better support accessibility.
- SAST Enhancements: You can now search directly within the GitHub repository and branch dropdown menus.
Data Management, Reporting & Notifications
- Email notifications: You can now configure email preferences centrally. Users can opt in to alerts for specific applications or entire Asset groups. Customize triggers for scan start, completion, and failure, so you receive only relevant updates. This feature replaces the previous per-scan configuration. The updated notifications deliver a concise HTML scan summary directly to users' inboxes, including severity counts and status details.
- Scan Correlations: The correlation engine has been updated to successfully identify links between Interactive Analysis (IAST) findings and Static Analysis (SAST) source code findings.
- Data Exports & Custom Fields: The "Export scan data" option is now available to everyone, not just administrators. Additionally, custom application fields are now included in CSV exports and displayed in generated security reports.
- Compliance reports and policies:
- New compliance reports:
- OWASP Top 10 for LLM Applications 2025
- [Canada] IT security risk management: A lifecycle approach (ITSG-33)
- Updated compliance reports:
- International Standard - ISO 27001:2022
- International Standard - ISO 27002:2022
- The Payment Card Industry Data Security Standard (PCI DSS) - V4.0.1
- NIST Special Publication 800-53 - 5.2.0
- [EU] General Data Protection Regulation (GDPR)
- [US] Health Insurance Portability and Accountability Act (HIPAA)
- Formatting Notice: Support for the SVG file format for report logos has been discontinued.
User Management & Identity
- Ping Identity SSO: AppScan 360° now fully supports Ping Identity, providing seamless Single Sign-On (SSO) for an improved authentication experience.
- Asset Groups: You can now edit asset groups on a per-user basis directly through the user management page.
API & Automation
- Functional user: Added the ability to create a service account to facilitate automated tasks and system integrations. Available through API only.
- API Key authentication: Direct API key authentication via a custom HTTP header eliminates the need for session tokens, making automation scripts and CI/CD integrations simpler and more efficient.
- Create Scan API: The boolean parameter 'MultiStep' is deprecated and will be removed in a future release. Update your API calls now to use the "TrafficType" parameter instead, in preparation for the removal of "MultiStep". For more information, see the Swagger page <your-appscan-360-server>/swagger/index.html#/Scans/Scans_CreateDastScan.
Plugins and Integrations
- Slack: Receive AppScan 360° security alerts and scan notifications in your Slack channels.
- Splunk: Connect AppScan 360° with Splunk to gain centralised visibility into scan data through analytics and dashboards.
- Cursor AI: Integrate with AppScan CodeSweep to identify and remediate vulnerabilities during AI-assisted coding.
Dynamic Analysis (DAST)
AI & Advanced Scanning
- DAST for LLM-augmented applications: Dynamically test and safeguard your business from Large Language Model (LLM) risks with AppScan DAST, specifically engineered to identify critical vulnerabilities like sensitive information disclosure, prompt injection, and more before attackers exploit them. For more information, see the blog.
- AppScan Presence: Secure Scanning of Private apps.
- Bridges the Gap: Enables scanning of internal, firewalled applications by creating a secure tunnel to your private network.
- DevSecOps Integration: Seamlessly embeds security checks into your existing functional testing workflows for deeper coverage.
Scan Workflow & Execution Controls
- DAST configuration editing: You can now edit the scan configuration for completed or failed DAST scans, allowing you to rescan with a modified configuration.
- Exclude paths: When scanning APIs, you can configure AppScan to ignore certain paths in the application, just like when scanning web applications.
- Resume scan: In some scenarios, you can now resume failed or partially completed scans. This feature enhances the scanning process by allowing you to continue from where the scan stopped once previous limitations are resolved, thereby saving time and resources.
Unified Template Management
- Centralized Control: Manage DAST templates in AppScan 360° to control and expedite DAST configurations. Templates can be customized and assigned to asset groups as needed.
- Download & Replace: Option to download the template and replace an existing template file with updated configuration.
- Pre-Scan Review: After you upload a template to AppScan 360°, you can review and edit its configuration before running the scan.
Engine Upgrade (v10.10.0)
- Smarter Auto-Login: AppScan now crawls Angular applications more reliably, fixes rare login recording failures, and introduces a smart delay on second attempts after playback failures to improve overall success rates.
- Enhanced SPA Support: Improved crawling and scanning for Single Page Applications (SPA) utilizing the AngularJS framework.
- Better Data Masking: Upgraded masking capabilities across the platform for more consistent protection of sensitive information.
- Rule Updates: New and updated security rules
Static Analysis (SAST)
AI-Driven Remediation
- HCL AppScan RapidFix: Now integrated into the AppScan 360° user interface, HCL AppScan RapidFix leverages agentic AI to analyze findings and associated source code from security scans, deliver intelligent triage and fix recommendations, and, when possible, generate automated fixes that integrate seamlessly into your Git-based source code management platform. RapidFix is available as an additional subscription. Learn more.
Expanded Language & Framework Support
- Added Support for Java 25 and .NET 10
- Static analysis can now process .mjs files as part of JavaScript support.
- Support for Flutter framework as part of Dart support.
Reporting & Diagnostics
- Support for SBOM and SARIF reports using get_report.
- scan.manifest and scan.manifest.json files now capture options used during IRGen.
- When generating a report, users can now specify whether to include the "Table of Contents" and "Summary" sections in the report.
Client, Tooling & Core Updates
- Updates to rules.
- AppScan Go! updated to version 2.3.1:
- New installation procedure allows for smarter service detection.
- AppScan Go! now automatically detects and fills in the correct service URL at login.
- Software Composition Analysis (SCA) files specified for scanning no longer show absolute paths.
- User interface improvements.
- Static analysis client updated to 8.0.1685.
Software Composition Analysis (SCA)
- Integrated Malware Detection: AppScan's new SCA engine now features built-in malware scanning capabilities. It automatically analyzes your open-source and third-party components for known malicious or compromised packages. This allows your teams to identify and mitigate critical supply-chain risks much earlier in the development lifecycle. (Note: Any detected malicious libraries will also be flagged directly in your open-source license report.)
- EPSS (Exploit Prediction Scoring System) is available for new scans, enabling smarter prioritization of vulnerabilities based on real-world exploit likelihood. EPSS score and percentile are listed on the Details pane for SCA issues. For more information, see EPSS.
- The Audit Trail tab for open source libraries provides clarity into all actions and changes related to each library, helping teams track history, maintain compliance, and improve accountability.
Interactive Analysis (IAST)
Generative AI Testing
AppScan now introduces support for Generative AI testing. The IAST agent monitors Large Language Model (LLM) output and reports if the application relies on generative AI output without properly validating, constraining, or sanitizing it before use in security-sensitive contexts. Currently, OpenAI APIs are supported across Java, .NET, and Node.js.
- Node.js Agent: Support generative AI monitoring: openai, LangChain
- Java Agent: Support generative AI monitoring: openai-java
- .NET Agent: Support generative AI monitoring: OpenAI
Kubernetes Deployments
The IAST deployment process for Kubernetes has been significantly upgraded for better control and resilience:
- Helm Support: Introduced an alternative installation method using Helm charts.
- Granular Filtering: Improved handling of namespace filtering, plus a new ability to skip individual pods from IAST installation simply by adding the label skip-iast-webhook="true".
- Resource Controls: Added limits to IAST container CPU and memory allocation.
- Resilience: Pods are no longer impacted when the IAST webhook-server is unavailable.
- Automated Mutation Sync: The webhook server now automatically syncs MutatingWebhookConfiguration during rollouts and Helm upgrades with the updated namespace config.
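As an added example (not from the AppScan documentation or the product's own charts), the following Deployment manifest opts one workload out of IAST agent injection using the skip-iast-webhook label named above. The workload names, namespace and image are constructed placeholders, and placing the label on the pod template (rather than on the Deployment object) is an assumption based on the webhook mutating pods:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-batch          # constructed example name
  namespace: demo               # constructed example namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: payments-batch
  template:
    metadata:
      labels:
        app: payments-batch
        # Label from the release notes: pods carrying it are skipped by the
        # IAST mutating webhook, so no agent is injected into this workload.
        # Assumption: the label belongs on the pod template, because the
        # webhook sees pods, not the Deployment object.
        # Kubernetes label values are strings, so "true" must be quoted.
        skip-iast-webhook: "true"
    spec:
      containers:
        - name: app
          image: registry.example.com/payments-batch:1.0   # placeholder image
          resources:
            limits:
              cpu: "500m"
              memory: "512Mi"
```

After applying the manifest, list the opted-out pods with `kubectl get pods -n demo -l skip-iast-webhook=true` and inspect one with `kubectl get pod <name> -n demo -o yaml` to confirm that no agent container or volume was injected; pods without the label in the same namespace should still receive the agent, which is the quickest way to check that the filter is narrower than the namespace rule.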
Global / All Agents
- IAST Key only: A new option is available to quickly create an IAST session without the need to download a new agent. This update simplifies the setup process, especially for users integrating with environments like the IAST .NET Core Site Extension for Azure App Services, or when utilizing an existing agent. This option is available across all IAST agents for various languages.
Node.js Agent
- Air-Gapped Environments: A new option is now available to download the Node agent as a self-contained tarball directly from AppScan 360°, perfect for restricted environments without access to the public npm registry.
- Streamlined Creation: Customers can now create the Node agent using one of two options:
- Node.js (agent from npm): Retrieves the agent from the public npm registry, while the key is obtained from AppScan 360°. (This is the existing method, now renamed).
- Node.js (download agent): Downloads the Node agent from AppScan 360° as a self-contained tarball, enabling installation without npm access.
.NET Agent
- Proxy Support: Now supports communication with AppScan 360° through a proxy.
- Microservices: Added support for the IAST analyzer for microservices.
- Custom Logging: The log file name and path for IAST can now be configured via the secagent.log environment variable.
PHP Agent
- Includes general performance improvements and bug fixes.
Deprecation notice
- The OWASP Top 10 2017 report will be deprecated from 2.2 release.
New in HCL AppScan 360° version 2.0.1
December 2025
- HCL AppScan 360° version 2.0.1 is available on Four and My HCLSoftware. For additional information, see Installation file locations.
- Entra ID (Azure AD) Support for SSO: HCL AppScan 360° now fully supports Microsoft Entra ID for seamless Single Sign-On (SSO) integration, enabling improved security and a smoother authentication experience.
- This release includes several bug fixes and enhancements focused on improving overall system stability and reliability.
New in HCL AppScan 360° version 2.0.0
September 2025
Software Composition Analysis (SCA)
AppScan 360° now includes Software Composition Analysis (SCA) to scan open-source and third-party components used in your applications. SCA identifies known vulnerabilities and licenses, maps out dependencies across code and package managers, and generates Software Bills of Materials (SBOMs) to support compliance and supply chain security. Now delivered as part of AppScan 360°, it gives enterprises complete visibility and control over their software composition, enabling faster, safer, and more compliant software delivery.
Interactive Analysis (IAST)
By deploying a lightweight agent inside your application, IAST continuously monitors runtime behavior to uncover security vulnerabilities with high accuracy. Unlike traditional scanners, it passively observes real interactions (legitimate or malicious) to detect issues as they happen.
With deep visibility into application internals such as code execution, data flow, and call stacks, IAST delivers faster results, fewer false positives, and precise remediation guidance. It integrates seamlessly into QA, Dev, and CI/CD workflows, supporting continuous monitoring during application execution.
Now delivered as part of AppScan 360°, IAST enables enterprises to detect vulnerabilities earlier, validate fixes with confidence, and strengthen application security without slowing down development.
- Single VM installer: New Express and Custom modes simplify deployments.
- Distributed installation: New prerequisite validation ensures your environment is ready before a full-fledged deployment.
- Helm-based installation:
- Unified namespace support: Deploy all components into a single, user-defined namespace (via -n) for simpler role-based access control, monitoring, and cleanup.
- Version pinning with tags: Install specific tagged versions for controlled, reproducible deployments and easier rollbacks.
- Manual archive path: A Git-free install option for restricted/air-gapped environments.
- Single Sign-On (SSO): HCL AppScan 360° now supports OIDC-based authentication, verified with Okta and Keycloak.
- Domino LDAP: New support for Domino LDAP servers enables additional enterprise authentication options.
- User interface for authentication: A dedicated page for configuring and managing SSO and LDAP connections directly from the HCL AppScan 360° platform.
- Correlation: AppScan 360° analyzes issues found by IAST, DAST, and SAST to identify common weak links in the code (correlations) where multiple vulnerabilities can be resolved with a single or consolidated remediation effort. This correlation-driven approach streamlines vulnerability management by focusing remediation efforts where they’ll have the greatest impact, saving both time and resources.
- Report customization updates: Set a custom title for your reports using the report layout, and personalize your reports with your brand identity by adding your company logo and creating custom headers and footers.
- Compliance Reports and Policies:
- Updated compliance reports:
- [US] DISA's Application Security and Development STIG. V6R3
- CWE Top 25 Most Dangerous Software Weaknesses 2024
- Custom application fields: Streamline application management in AppScan 360° with custom application fields. This new feature offers greater flexibility in how you categorize, filter, and analyze application data. Whether you manage risk, track security progress, or organize large inventories, custom fields provide a more granular and tailored view to support your workflows and decision-making. To learn more about how to configure and use custom fields, refer to Custom application fields.
- Subscription page redesign: The subscription page has been revamped to enhance user experience.
- Tables:
- Column selection: Column selection is organized by category to improve usability.
- Copy from grid: Right-click any table cell to easily copy its content.
- AppScan For Dev - DAST Issue Verifier: Allow developers to simulate DAST vulnerabilities identified by AppScan directly within the IDE or browser. Developers can run an AppScan-generated script to replicate the issue, debug it, and validate the fix—all without needing a rescan and before checking in the code.
- DAST IFA (Intelligent Findings Analytics): AI-powered enhancements deliver more accurate test results with reduced false positives by leveraging Azure OpenAI, improving scan reliability and developer confidence.
- Automatic Login Enhancements: Improved accuracy in automatic logins increases successful authentications and reduces the need for manual login recordings, boosting scan efficiency and reducing setup time.
- WebSocket support: Support for WebSocket protocol that uses JSON or XML messages for data exchange.
- Multiple domains on a traffic file: When uploading a traffic file with multiple domains, HCL AppScan 360° automatically adds these domains to the 'Domains to test' list, and marks those verified to be included in the scan.
- Download scan file for failed scans: You can now download the scan file even if the scan fails for further troubleshooting in AppScan Standard. The file can be downloaded only if the scan actually started running.
- Engine update: DAST engine version updated to 10.9.1.
- Static analysis client updated to 8.0.1646.
- Updates to rules.
- Improved IRGen performance during Git discovery.
- Secrets scanning now properly enabled using the Organization setting.
- AppScan Go! updated to version 2.3.0. Note: Users upgrading from previous versions of AppScan 360° must manually update AppScan Go! to version 2.3.0.
- AppScan 360° can now send scan results directly to Centraleyezer, providing unified management of security findings across tools.
- AppScan 360° plugins now support SCA scans.
New in HCL AppScan 360° version 1.6.1
May 2025
- My HCLSoftware (MHS) portal has replaced the FlexNet Operations (FNO) portal for licensing management. FNO is no longer supported as of June 30, 2025.
- AppScan 360° versions 1.6.0 and earlier will no longer be available after June 30, 2025.
- Non-FIPS version 1.6.1 of AppScan 360° is available for download from the My HCLSoftware (MHS) portal only.
- FIPS enabled version 1.6.1 of AppScan 360° is available on Four, Inc.
- All entitlements have been migrated to MHS. Configure and download your license from MHS before upgrading to version 1.6.1 of AppScan 360°.
- Earlier installations of AppScan 360° will continue to work as is until time of upgrade.
- Only the licensing management platform is changed; there are no changes to the license metrics or any additional changes for your licenses migrated to MHS.
New in HCL AppScan 360° version 1.6.0
April 2025
Federal compliance updates
- AppScan 360° version 1.6.0 is FIPS 140-3 compliant.
- Customers using the FIPS 140-3 compliant download of AppScan 360° version 1.6.0 must have an Ubuntu Pro license. Note: The FIPS 140-3 compliant download of AppScan 360° version 1.6.0 is available exclusively from Four.
- Application Security and Development STIG updated to V6R1.
- IPv6 support, and IPv6 and IPv4 interoperability support.
For additional compliance details, see United States government regulation compliance.
- Starting with version 1.6.0, download AppScan 360° through the My HCLSoftware (MHS) portal only.
- My HCLSoftware (MHS) portal has replaced the FlexNet Operations (FNO) portal for licensing management. FNO is no longer supported.
- All entitlements have been migrated to MHS. Configure and download your license from MHS before upgrading to version 1.6.0 of AppScan 360°.
Note: Only the licensing management platform is changed; there are no changes to the license metrics or any additional charges for your licenses migrated to MHS.
For more information about licensing using MHS, see Managing AppScan 360° deployments in My HCLSoftware.
AppScan 360° platform updates
- Dashboard: Filter the dashboard by application, making it easier to focus on specific areas of interest.
- Dark mode: Toggle between light and dark themes for a more comfortable viewing experience.
- Application creation: Automatically set default business impact to “Medium” in the quick application setup for faster onboarding.
- In-issue management: Change the severity or status of an issue from the Details view.
- Reporting: A new “Critical issues” column added to CSV-formatted security reports. Update automation scripts to recognize this new column.
- Compliance reports and policies:
- New EU Digital Operational Resilience Act (DORA) report.
- New OWASP Application Security Verification Standard (ASVS) report.
- Updated US DISA’s Application Security and Development STIG (V6R1) report.
- Predefined test policy: Choose a pre-defined policy to run only the most relevant tests, helping focus testing and reduce scan duration.
- Exclude/exception configuration: Target scans by excluding specific application paths to speed up scans, and adding exception rules (includes) for any paths that need to remain in scope.
- Retest and continue tests: If you’re uploading a scan file, you can now retest or continue tests more easily, thanks to clearer upload options.
- API testing:
- Native API scan workflows: Secure your APIs by scanning them early in the development process. Upload Postman collections or manually recorded traffic to detect vulnerabilities before release.
- OpenAPI specification support: AppScan 360° can now read an OpenAPI specification file automatically, improving configuration options and coverage for API security tests.
- Vulnerable third-party component detection: DAST now employs client- and server-side checks to identify commonly used technologies and flag known vulnerabilities, helping you quickly address critical issues.
- File import enhancements:
- Explore with guidance: Import EXD files generated by AppScan Standard or the AppScan Dynamic Analysis Client (ADAC) to streamline traffic recording setup.
- Scan file import (API-only): Import existing scan files (including results) into AppScan 360° without running the scan.
- SAST Agent container updated to 8.0.25004.
- .NET 9 support.
New in HCL AppScan 360° version 1.5.1
- HCL AppScan 360° offline single VM installation
- HCL AppScan 360° can be installed using the offline Single VM installation kit. Only the installation mode has changed; the contents of the installer kit remain the same as in version 1.5.0.
- Seamlessly deploy AppScan 360° on-premise on VMware Tanzu and Red Hat OpenShift.
New in HCL AppScan 360° version 1.5.0
January 2025
- HCL AppScan 360° can now be installed using Helm.
- Simple installation with a single Helm command.
- Lightweight setup using Docker images from HCL Harbor container registry.
- Optimized for Kubernetes-enabled infrastructures.
- AppScan 360° SAST updates:
- Static analysis client updated to 8.0.1604.
- Support for HTML.
- Additional support for Python Django scanning.
- Updates to secrets scanning.
- Added new CLI command to retrieve logs.
- Updates to scan rules.
- AppScan Go! updated to version 2.2.0.
- Scan names allow special characters.
- The prefix static_ is no longer included in scan name automatically.
- Secrets scanning per scan enabled by default.
- User interface improvements.
- General bug fixes.
New in HCL AppScan 360° version 1.4.0
October 2024
- HCL AppScan 360° single VM installation: You can choose to install AppScan 360° in a distributed Kubernetes environment (standard install), or on a single virtual machine. Single VM installation offers a self-contained deployment of AppScan 360°, including configuring Kubernetes, for smaller environments when high concurrency is not required, or as part of planning for subsequent distributed installations.
- Dashboard redesigned: Gain deeper insights into your applications and identified issues with the new dashboard. View real-time analytics using easy-to-understand charts and graphs to keep track of important metrics.
- Domain management for DAST scanning: Manage domains authorized for scanning within your organization and asset groups.
- Auto fix: Curated autofix recommendations are now provided with a GenAI-summarized explanation in the HCL AppScan 360° user interface.
- GitHub Enterprise integration for SAST repository scanning: Run static analysis scans on GitHub Enterprise repositories.
- Additional AppScan Central Platform updates:
- New or updated compliance and industry-standard reports and policies:
- Network and Information Security Directive (NIS2)
- OWASP Cloud-Native Application Security Top 10
- OWASP API Security Top 10 2023
- CWE Top 25 Most Dangerous Software Weaknesses 2023
- [US] DISA's Application Security and Development STIG, Version 5 Release 3
- The Payment Card Industry Data Security Standard (PCI DSS) - Version 4
- Automated comment propagation: Automatically propagates the latest comments along with issue status from the same issue in another application to the current app. This ensures that both the status and comments are consistently updated, providing a complete and synchronized issue record across all applications.
- Repository link in issue Details tab: The "Location" field in the issue Details tab includes a link to the specified file and line in the source code repository, when applicable. This enables direct access to the relevant code without switching tabs.
- AppScan 360° SAST updates:
- Static analysis client updated to 8.0.1577.
- AppScan Go! updated to version 2.1.1.
- Added the ability to scan SCM repositories in AppScan Go! with a URL.
- AppScan Go! now auto-recommends scan mode, either bytecode/compiled or source code.
- SAST scans can now be configured and scheduled to pull source code directly from a public GitHub repository. See Scan a GitHub repository.
- While triaging SAST findings, users can view the relevant source code directly on GitHub.com.
- Findings can now be filtered by filename or path, making triaging more efficient by focusing on specific areas of the codebase.
- CLI command queue_analysis displays scan IDs for static analysis (SAST).
- IFA 2.0 enabled for .NET trace findings.
- Improvements to secrets scanner and Java source code scanner.
- Secrets scanner scans PowerShell (.ps1) files.
- Updates to rules.
- Support for Makefile/GNUMakefile, eSQL, and Java 21. In addition, Java 21 is included in the Static Analyzer Command Line Utility (SAClientUtil) package.
- AppScan 360° DAST updates:
- Live logs for DAST scans: View real-time log updates during active scans.
- Extended Support Mode: Enable Extended Support Mode (ESM) for DAST scans to generate detailed logs for support purposes.
- DAST engine is updated to 10.7.0.40885
- New HCL AppScan 360° plugins:
- JetBrains IDE plugin
- Jira, Azure DevOps, and RTC DTS integrations
- ServiceNow vulnerability management integration
- AppScan-SDK build-your-own integration
See Integrations for additional information.
New in HCL AppScan 360° version 1.3.0
June 2024
- HCL AppScan 360° significantly increases security coverage with the addition of dynamic analysis (DAST) scanning. See Dynamic Analysis (DAST).
Our market-leading DAST technology enables organizations to scan running applications and APIs for vulnerabilities before they are deployed to the web. Incremental scanning and test optimization allow companies to balance the speed and depth of scans based on the needs of the development lifecycle.
- AppScan Central Platform updates:
- A date filter has been added to the Fix groups page. View fix groups according to a date range and/or according to time-related properties associated with component issues.
- A share option has been added to the Issue details pane. Copy a link or issue ID to share issue details quickly and efficiently via text or email.
- User experience (UX) improvements:
- The Settings page has been redesigned with improved organization, and now requires confirmation of changes to page settings.
- The following AppScan plugins support AppScan 360° version 1.3:
- Azure: DAST, SAST
- Jenkins: DAST, SAST
- Visual Studio 2022: SAST
New in HCL AppScan 360° version 1.2.0
April 2024
- AppScan 360° has a new, simplified installation process. Installation of AppScan Central Platform includes installation of the static analysis agent in a single procedure. AppScan Remediation Advisories are installed separately so that you always have the most up-to-date cause, risk, and remediation content.
- Default issues view: By default, AppScan 360° displays non-compliant issues only at the application level.
- Fix groups filtering: AppScan 360° supports filtering fix groups by vulnerability and policy, in addition to existing filters. With additional filtering capabilities, you can pinpoint issues and optimize fixes for faster remediation.
- Issue properties tab: New Properties tab on the Issue details pane lists expanded issue details, including how and when the issue was found, type, status, severity, scanner, and location, and including issue ID.
- Auto-close of issues: AppScan 360° auto-closes issues when they do not appear in rescans, thus reducing the manual effort of closing issues.
- 2k scan limit: When auto-cleanup is not enabled at the organization level, AppScan 360° enforces the 2k scan limit.
- User experience (UX) improvements:
- Asset groups: The new delete asset group flow simplifies the process of deleting an asset group. Users with the delete asset group permission (default roles like Administrator and Manager, as well as custom roles) can delete an asset group along with its associated applications, including scans and findings, facilitating the removal of unnecessary applications. Users can also opt to move the applications to another asset group, either with or without their members.
- Fix groups: Comments field added to security report for fix groups, allowing for better inclusion and tracking of notes and comments.
- AppScan 360° Static Analysis scanning updates:
- Major enhancements to Intelligent Findings Analytics (IFA) for Java, our AI/ML auto-triage technology, include more precise findings and reduced false positives. Users may notice additional findings in previously scanned code due to improved analysis and prioritization.
- Automatic discovery of Git repositories. File paths for new issues are relative to the repository root.
- Increased coverage for RPG language.
- AppScan Go! updated to version 2.0.0
AppScan Go! steps you through configuring and running a static or secrets scan with a refreshed and improved user interface and refined workflow. You can run a complete scan, prepare an IRX file for scanning later, or configure files for automating scans with AppScan plugins. You can also view account information within the tool.
- Static analysis support for .NET 8.
- Improved accuracy for Java, JavaScript and Python languages.
New in HCL AppScan 360° version 1.1.0
December 2023
- Single scan view now includes the option to display Active Issues, in addition to Total Issues, and New Issues. Active issues are issues whose status is "New", "Open", "In progress", or "Reopened". In addition, improvements were made to the "Issues by severity" graph.
- Enhanced deployment script:
- Deploy in any Kubernetes environment.
- Accepts the AppScan Central Platform server’s hostname (FQDN) as part of the ‘--server’ option.
- Storage class name (--storage-class) must be provided during the deployment.
- The default AppScan 360° Static Analysis ingress hostname for the ‘--ingress-host’ option is changed from ‘sast.appscan.com’ to ‘sast.example.com’.
- Introduced probes to monitor the health of AppScan 360° Static Analysis components.
- Enhanced Management API to produce additional details of each microservice, version info, and its availability with readiness probes.
- Updated out-of-the-box configuration based on typical resource usage.
- Updated base images.
- Various fixes to improve API integration with AppScan Central Platform, serviceability, and performance.
- Static analysis client updated to 8.0.1546.
- Support for scanning cascading style sheets (CSS files): AppScan 360° identifies security vulnerabilities in cascading style sheets, including cross-site scripting-, injection-, and validation-related vulnerabilities.
- Support for IBM WebSphere Application Server 9.x: The Static Analyzer Command Line Utility can be configured to leverage a WebSphere environment to use the JSP compiler included with WebSphere.
- Improved accuracy for PHP scanning: AppScan 360° improved verification of PHP content in HTML files.
- Support for secrets scanning: Secrets scanning is disabled by default. Use the --enableSecrets and --secretsOnly options to scan secrets.
- Improved performance for source code scanners.
- Command line and plugins now allow upload of archive files for scanning without first generating an IRX file.
- General fixes.
- PRB0123164 - Fix groups tab displays file name instead of library name for open source component.
- PRB0123969 - SAST scan shows empty line number when "Line" column is added in Dashboard.
- PRB0123727 - Several CSV issues reported by customers.