What's new in AppScan on Cloud

Discover upcoming and recently added features.

Updates:
AppScan on Cloud announcements, including advance notice of planned changes and scheduled maintenance that might affect your workflow, can be found on AppScan News. To be notified when there is an announcement, you can subscribe to AppScan News.
Translations:
If you are reading this page in translation, please be aware that it may not include the latest additions. To see the latest version of this page, switch to the English version, using the "Change Language" option at the top right of the menu bar.

New on June 03, 2026

  • Interactive analysis (IAST)
    • IAST for Kubernetes (1.0.14)
    • New IAST PHP agent (1.3.0)
      • Added support for PHP 8.4 on Ubuntu
      • Bug fixes and improved XSS detection
    • New IAST Node.js agent (1.15.0)
      • Updated dependencies
      • Bug fixes

New on May 24, 2026

  • AI assistant: Introducing the ASoC AI Assistant, an integrated intelligence layer enhancing your interaction with your security data. The AI Assistant acts as a sophisticated partner that leverages Security Intelligence to provide deep, actionable insights across your entire application portfolio. By analyzing your specific scan history and data context in real-time, the Assistant helps you expedite triage and remediation workflows and better understand your security posture.
    • Analyzes findings across your organization to provide high-level context, helping you understand the "why" behind your risks.
    • Reduces triage time with AI-driven recommendations. The Assistant helps rank findings based on their actual impact on your environment and can update issue statuses directly.
    • Provides code-level suggestions to help your team close security gaps faster.
    • Note: The AI assistant focuses on data retrieval, insight generation, and triage support. It does not automatically run scans at this time.
  • Dynamic analysis (DAST)
    • AI provider update (deployment ID): Standardized the Azure OpenAI format.
    • DAST retest only: When rescanning, you can now select retest only to reduce scan time when the explore data remains the same.
  • Software Composition Analysis (SCA)
    • Function-level reachability
      • Using IAST, you can now report when a vulnerable function is invoked during runtime. This helps teams prioritize SCA findings based on actual application usage.
      • Support for Python.
  • Interactive analysis (IAST)
    • New IAST Python agent
      • IAST now supports Python applications through a dedicated Python agent. The agent supports Python 3.9+ and Flask web servers. Validation shows 100% coverage of the Python OWASP Benchmark.
  • Platform updates
    • The Roles page has been redesigned.
      • Improved usability by grouping permissions and simplifying the customization workflow.
      • Issue status permission: Added a permission that allows only certain users to close issues, while others can update the issue status only to open or in-progress.
    • Scan and Sessions: Updated metrics for admins on the main scans and sessions page, based on each technology.
  • Plugins:
    • A new integration for Bitbucket CI/CD workflows is now available. This integration lets you incorporate static application security testing (SAST) and software composition analysis (SCA) directly into your pipelines.
    • A new integration for Eclipse is now available. This integration lets you connect seamlessly to HCL AppScan on Cloud and HCL AppScan 360°, enabling development teams to identify, prioritize, and remediate security vulnerabilities without leaving their development environment.

New on May 11, 2026

  • Static analysis (SAST):
    • Static analysis client updated to 8.0.1715.
    • Updates to rules.
    • We are migrating analysis for several key languages to our next-generation engine over the coming weeks. This update officially launches support for PHP and completes the migration for C, C++, HTML, JavaScript, and TypeScript. Customers using the legacy engine for these specific languages will be transitioned in batches. The new engine provides higher precision and more actionable security insights. Learn more.

New on April 19, 2026

  • User experience updates
  • Dynamic analysis (DAST)
  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)
    • SCA policies

      Define custom policies for open-source libraries based on license and license attributes. Policies are evaluated on the latest scan execution, helping teams monitor and enforce open-source compliance requirements.

    • SCA download logs

      Download scan log files directly from the Manage scan menu. Logs include information from the IRX generation and data collection phase and are available for 60 days.

    • CycloneDX support for SBOM reports.

      Generate SBOM reports using the popular CycloneDX format, in XML or JSON.

New on April 16, 2026

  • Static analysis (SAST)
    • Static analysis client updated to 8.0.1709
    • Version 8.0.1708 contained a bug that caused uploads to fail in some circumstances; it is corrected in 8.0.1709.
    • Static analysis client updated to 8.0.1708.
    • Improved secrets scanning performance.

New on April 8, 2026

  • Static analysis (SAST)
    • Static analysis client updated to 8.0.1705.
    • Support for Delphi with Object Pascal.
    • Support for MuleSoft.
    • Updates to rules.

New on April 07, 2026

  • IAST for Kubernetes (1.0.13)
    • Explicitly state the readOnlyRootFilesystem and automountServiceAccountToken configuration.
    • Enable installation into a pre-existing Secagent namespace for restricted or managed Kubernetes environments.
  • New IAST Node.js agent (1.14.3)
    • Dependency version updates.

New on March 23, 2026

  • DAST engine update: Dynamic analysis engine updated to version 10.11.0. This update includes:
    • AppScan flags legacy encryption protocols that fail to meet post-quantum security standards.
    • Automatic login improvements, including support for the Vue JS framework.
    • An Informational alert will be raised upon the discovery of a Swagger/OpenAPI definition file to ensure API visibility.
    • New and updated security rules.

New on March 15, 2026

  • Custom issue fields:
    • Custom fields provide a more granular, tailored view to support your workflows and decision-making. This capability gives you more flexibility in how you categorize, filter, and tag issues. Add attributes to issues to streamline your workflows and improve communication between teams.
  • Custom application fields enhancements:
    • Added filtering options to help you find applications that include custom fields.
  • Platform updates:
    • New scan description field added. Use this field to add more context to your scans. It provides additional granularity and helps you find specific scans more easily.
  • Compliance reports and policies:
  • Plugins:
    • New integration for Azure DevOps Boards is now available. This integration lets you import security issues from AppScan on Cloud directly into Azure Boards.
  • Rapidfix improvements:
    • Remediate issues more easily. Fix guidance is now visible immediately without expanding a panel, and Markdown rendering makes complex instructions much easier to read.

New on March 12, 2026

  • Static analysis (SAST):
    • Static analysis client updated to 8.0.1689.
    • Support for F# .fsproj files for SCA analysis (bug fix).

New on February 24, 2026

New on February 10, 2026

New on February 08, 2026

  • Platform updates
    • Email notifications: You can now configure email preferences centrally. Users can opt in to alerts for specific applications or entire Asset groups. Customize triggers for scan start, completion, and failure so you receive only relevant updates. Proactive monitoring also notifies users automatically when new CVEs are found in previously scanned libraries. This feature replaces the previous per-scan configuration. The updated notifications deliver a concise HTML scan summary directly to users' inboxes, including severity counts and status details.
  • Correlation IAST-SAST source code scanners
    • The correlation feature has been updated to identify correlations between IAST findings and SAST findings from source code scans.
  • Interactive analysis
    • IAST Key only: A new option is available to quickly create an IAST session without the need to download a new agent. This update simplifies the setup process, especially for users integrating with environments like the IAST .NET Core Site Extension for Azure App Services, or when utilizing an existing agent. This option is available across all IAST agents for various languages.
  • Software Composition Analysis (SCA)
    • Malicious libraries now appear when generating an Open source license report.
  • Deprecation notice
    • The OWASP Top 10 2017 report will be deprecated at the end of March 2026.

New on February 5, 2026

  • AppScan Go!
    • AppScan Go! updated to version 2.3.1
    • Application and SCM repository branch drop-downs are searchable.
    • Improvements to error handling for ease-of-use.
    • Newer SAClientUtil version prompts for a user decision on an untrusted certificate at startup.

New on February 05, 2026

  • Interactive analysis
    • IAST for Kubernetes (1.0.11)
      • Automated mutation sync: The webhook server now automatically syncs MutatingWebhookConfiguration during rollouts and Helm upgrades with the updated namespace configuration.

New on February 04, 2026

  • Interactive analysis: The IAST agent detects insecure usage of LLM outputs when generative AI responses are used in security-sensitive contexts without proper validation or controls. Support is available for common OpenAI APIs in Java, .NET, and Node.js, with more languages and libraries planned in future releases.
    • New IAST .NET agent (1.16.0)
      • Support generative AI monitoring for applications using openai-dotnet library.
      • Support communication with ASoC through proxy.
      • Support RabbitMQ while monitoring Kubernetes issues with Analyzer.
    • New IAST Node.js agent (1.14.1)
      • Support generative AI monitoring for applications using openai library.
      • Dependency update.
    • New IAST Java agent (1.22.0)
      • Support generative AI monitoring for applications using openai-java library.

New on January 12, 2026

  • Software Composition Analysis (SCA)
    • SCA vulnerability issues now display links to the relevant GitHub repository instead of cve.org, providing a more actively maintained source of information.

New on January 11, 2026

  • AppScan Model Context Protocol (MCP) server is now available for use with your LLM to securely access your security data in ASoC. By accessing it through your IDE, you can get insights about your data, connect it with other MCPs for integrations, and use LLM capabilities to suggest triage and code remediation using the context of the results from ASoC.
  • Software Composition Analysis (SCA)
    • Proactive monitoring: SCA scans can now be continuously monitored for newly published CVEs affecting the open-source packages you’ve already scanned. Monitoring is enabled by default, this can be toggled per scan (including existing scans).
  • Interactive analysis
    • You can now download the Node.js agent as a self-contained tarball directly from ASoC for air-gapped or restricted environments without access to the public npm registry.
  • General updates
    • Scans and sessions page: UX improvements including a new table view for easier filtering and sorting, and a unified view for all scan technologies.
    • User management enhancement: You can now edit asset groups per user through the user management page.
    • Functional user: Added the ability to create a service account to facilitate automated tasks and system integrations. Available through API only.
  • API & Automation:
    • API Key authentication: Direct API key authentication via a custom HTTP header eliminates the need for session tokens, making automation scripts and CI/CD integrations simpler and more efficient.
    • Create Scan API: The boolean parameter "MultiStep" is deprecated and will be removed in a future release. Update your API calls now to use the "TrafficType" parameter instead, in preparation for the removal of "MultiStep". For more information, see the Swagger page.