Home
Administration
Define users, applications, policies, and configure DevOps integrations.
Compliance policies
You can apply the predefined compliance policies, as well as your own custom compliance policies, to show only data for the issues that are relevant for you.
Associating a compliance policy with an application

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
- Users
  User management allows you to control access to sensitive applications by assigning them to asset groups and then adding specific users to those groups.
- Applications
  An application is a collection of scans related to the same project. It can be a web site, a desktop app, a mobile app, a web service, or any component of an app. Applications enable you to asses risk, identify trends, and make sure that your project is compliant with industry and organization policies.
- Compliance policies
  You can apply the predefined compliance policies, as well as your own custom compliance policies, to show only data for the issues that are relevant for you.
  - Custom compliance policies
    If you have the required permissions, you can create and delete your own custom compliance policies.
  - Associating a compliance policy with an application
  - Enabling and disabling compliance policies
  - Application compliance status
- DevOps
  Tools for incorporating ASoC in your software development lifecycle.
- Personal scans
  A personal scan is a way of evaluating the relative security of an application in development without affecting overall application scan data (issues, for example), or compliance.
- Scan status
- Audit trail
  The audit trail (Organization > Audit trail) logs user activity.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Associating a compliance policy with an application

If you have the required permissions, you can associate one or more policies with an application, either through the user interface or the REST API. Associating a policy with an application allows you to evaluate an application's compliance with those policies and focus remediation on related vulnerabilities.

Associating compliance policies through the user interface

To associate a predefined policy with an application:

On the toolbar, select Organization > Compliance policies.
On the Compliance policies page, choose one of the existing compliance policies.
ASoC opens a pane on the right of the screen showing the applications currently associated with this policy.
Click Associate with applications.
Optionally use the Filter drop-down to filter the list of available applications based on asset group.
From the Select applications drop-down, select one or more applications to associate the policy.
Click Save.
Note: When you associate a compliance policy with an application, it is enabled by default. You can disable the compliance policy while maintaining the association, and re-enable it later.
Note: Applications that already have the maximum five compliance policies associated with them (apart from the baseline compliance policy) appear grayed out.

Associating compliance policies using the REST API

For each compliance policy that requires parameter values, and for which values are not provided in the compliance policy expression, you must provide the value for the Policy parameter.

Note: When entering the parameter name you must remove the $ sign.

When you submit the API call, any parameter values you entered are validated.

Note: When you associate a compliance policy with an application, it might take a few minutes before you see the updated application compliance status. This is because the update runs in the background to avoid performance problems.

The following APIs control the association of a compliance policy with an app. This is how they appear in Swagger: