Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
To scan open source libraries and third-party code for security vulnerabilities, follow the steps in these topics.
Welcome to the documentation for HCL AppScan 360°, where you can find information about how to install, maintain, and use this service.
Learn about AppScan 360° architecture and how to install the product.
This section describes the items on the main AppScan 360° menu bar, with links to more detailed information.
Define users, applications, policies, and configure DevOps integrations.
HCL AppScan 360° performs security scans of web applications in production, staging, and development environments.
Using an agent installed on your application, AppScan 360° identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis (SCA) identifies and examines open-source packages within your codebase to detect potential security vulnerabilities. SCA can analyze both individual source code files and package manager artifacts, such as configuration files and lockfiles, to determine the open-source packages your project depends on.
The types of files that can be scanned by AppScan 360° when you perform open source testing.
A personal scan is a way of evaluating the relative security of an application in development without affecting overall application scan data (issues, for example), or compliance.
AppScan Go! steps you through configuring and running a static scan. Run the scan in the service or use a plugin to automate scanning.
To initiate an analysis of your files, you must generate an IRX file to submit for scanning. To use the CLI to generate the IRX file, follow these instructions.
Use the REST API to create an IRX file from a Software Bill of Materials (SBOM) report in SPDX 2.3 format.
Identify and manage vulnerabilities in open source components and libraries used by an application at runtime.
Features available in SCA scan results.
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
The AppScan MCP server integrates HCL AppScan 360° directly with AI-powered development environments and agents. By implementing the Model Context Protocol (MCP), this server allows LLMs (such as Claude or models running in VS Code) to securely access your security data—including SAST, DAST, SCA, and IAST results—to help you triage issues, analyze findings, and automate workflows using natural language.
Some frequently asked questions, and information about integrating AppScan 360° into the product lifecycle (SDLC).
This feature is not available in AppScan 360° version 2.1.0.