What's new in AppScan on Cloud

• Automatic login improvements: AppScan now crawls Angular applications more reliably, fixes rare login recording failures, and adds a delay between actions on the second attempt after a playback failure, improving overall success rates.
• Masking improvements: Enhanced masking across AppScan for more consistent protection of sensitive information.
• Improved support for Single Page Applications (SPA) scans that use AngularJS framework.
• New and updated security rules.

• AppScan's new SCA engine now includes integrated malware detection capabilities. This enhancement automatically scans open-source and third-party components for known malicious or compromised packages, helping teams identify and mitigate potential supply-chain risks early in the development process.

• Template management: Manage DAST templates in ASoC to control and expedite DAST configurations. Templates can be customized and assigned to asset groups as needed.
• Create scan from an uploaded template: After you upload a template to ASoC, you can review and edit its configuration before running the scan.

• New compliance reports:
  • OWASP Top 10 for LLM Applications 2025
  • [Canada] IT security risk management: A lifecycle approach (ITSG-33)
• Updated compliance reports:
  • International Standard - ISO 27001:2022
  • International Standard - ISO 27002:2022
  • The Payment Card Industry Data Security Standard (PCI DSS) - V4.0.1
  • NIST Special Publication 800-53 - 5.2.0
  • [EU] General Data Protection Regulation (GDPR)
  • [US] Health Insurance Portability and Accountability Act (HIPAA)

• Custom application fields are now available in a CSV exported file along with application details and are displayed in generated security reports.

• New plugins and integrations are now available and can be accessed from the integration page:
  • Slack: Receive AppScan on Cloud security alerts and scan notifications in your Slack channels.
  • Splunk: Connect AppScan on Cloud with Splunk to gain centralised visibility into scan data through analytics and dashboards.
  • Cursor AI: Integrate with AppScan CodeSweep to identify and remediate vulnerabilities during AI-assisted coding.

• Static analysis client updated to 8.0.1663.
• When generating a report, users can now specify whether to include the "Table of Contents" and "Summary" sections in the report.
• Static analysis can now process .mjs files as part of JavaScript support.
• Updates to rules.

• SAST: You can now search in the GitHub repository and branch dropdown.
• Faster page load times.
• Improved breadcrumb navigation accuracy.
• Updated colors and graphics to support accessibility.

• New IAST Java agent (1.21.1)
  • Updated dependencies for better compatibility and security.
• New IAST .NET agent (1.15.2)
  • Dependency refresh, improved result accuracy.
• New IAST PHP agent (1.2.1)
  • Performance optimizations and bug fixes.

• Static analysis client updated to 8.0.1655.
• Updates to rules.

• Resume scan: In some scenarios, you can now resume failed or partially completed scans. This feature enhances the scanning process by allowing you to continue from where the scan stopped once previous limitations are resolved, thereby saving time and resources.

• The Audit Trail tab for open source libraries provides clarity into all actions and changes related to each library, helping teams track history, maintain compliance, and improve accountability.
• EPSS (Exploit Prediction Scoring System) is available in the new SCA engine for new scans, enabling smarter prioritization of vulnerabilities based on real-world exploit likelihood. EPSS score and percentile are listed on the Details pane for SCA issues. For more information, see EPSS.

• The Fix group interface is redesigned for better usability. The new interface makes it easier to understand grouped issues, navigate resolutions, and manage fixes efficiently.

• Static analysis client updated to 8.0.1653.
• Fixed an issue where Git information may be incorrectly collected if an Azure DevOps repository is in a detached head state.
• Updates to rules.

• New IAST Java agent (1.20.2)
  • Improved support for customers using org.springframework.core.io.UrlResource.
• New IAST .NET agent (1.14.3)
  • Support for IAST analyzer for microservices.
  • Log file name and path for IAST can now be configured via the secagent.log environment variable.
  • Improved support for customers using System.Net.WebClient.
• New IAST PHP agent (1.1.4)
  • Performance improvements and bug fixes for Magento framework users.
• IAST for Kubernetes (1.0.8)
  • Security updates

• Static analysis client updated to 8.0.1651.
• Foundation for upcoming Yarn package manager support by Software Composition Analysis (SCA). Full support to be announced.

• Static analysis client updated to 8.0.1650.
• Fixed an issue where Maven/Gradle failures cause AppScan Go! to fail “Path 2”.
• Clarified Failed in IAssemblyInfo call messages printed in console output.
• Fixed an issue where Git relative path fails for files at root of repository on Linux.

• AppScan Go! updated to version 2.3.0.
• New installation procedure allows for smarter service detection.
• AppScan Go! now automatically detects and fills in the correct service URL at login.
• Users can now allow intervention from our scan enablement team within AppScan Go!.
• Software Composition Analysis (SCA) files specified for scanning no longer show absolute paths.
• User interface improvements.

Over the next several weeks, the AppScan team will be migrating accounts to use the new and improved SCA engine.

• Software Composition Analysis (SCA) engine updated to version 3.
• Cleaner and more reliable scanning results.

  The new engine enhances our already strong detection capabilities, further improving accuracy by minimizing noise and refining result precision.

• Expanded vulnerability database.

  Faster and more precise identification of known risks.

• Dependency graph view now available.

  When dependency data is available in a scan, you’ll see a visual graph view—making it easier to understand package relationships and impact.

• Extended config file scanning support.

  C/C++, PHP, and Java configuration files. Static analysis client version 8.0.1646 required.

• Static analysis client updated to 8.0.1646.
• Fixes an issue in the Java parallel processing cache for locally generated .irx files.

• Static analysis client updated to 8.0.1645.
• Updates to rules.
• Improved IRGen performance during Git discovery.
• Secrets scanning now properly enabled using the Organization setting.

• AppScan For Dev - DAST Issue Verifier: Added the option to download a python script and run it in the IDE.
• Download scan file for failed scans: You can now download the scan file even if the scan fails for further troubleshooting in AppScan Standard. The file can be downloaded only if the scan actually started running.

• Added “Removed” status to library view: By default, the library view does not display information about libraries that have been removed from the application. You can now apply a filter to view libraries that have been removed, and these libraries are clearly noted with the status "Removed."

• Report customization updates
  • Set a custom title for your reports using the report layout.
  • The report type is displayed in the generated reports.

• Subscription page redesign: The subscription page has been revamped to enhance user experience.
• Tables:
  • Column selection: Column selection is organized by category to improve usability.
  • Copy from grid: Right-click any table cell to easily copy its content.

• Updates to C/C++ scanning.

• SCA scan details include library status: SCA now indicates whether a library is still present in the latest scan, helping track remediation progress.

• JavaScript scanner: New hybrid scanning for improved accuracy when scanning JavaScript source-code, including taint-flow analysis.
• ICA 2.0 for Java: Major enhancements to Intelligent Code Analytics (ICA) for Java, our AI/ML auto-security descriptor, include more precise findings and reduced false negatives.

• IAST analyzer for Microservices (Node.js)
  • Full Service Graph View: Provides a comprehensive visualization of how your microservices interact, offering better insight into their relationships.
  • Reduced False Positives: Improves the accuracy of vulnerability detection by leveraging the service graph, leading to fewer irrelevant alerts and more focused security efforts.

• Updated compliance reports:
  • [US] DISA's Application Security and Development STIG. V6R3
  • CWE Top 25 Most Dangerous Software Weaknesses 2024

• Static analysis client updated to 8.0.1640.
• Updates to rules.

• AppScan For Dev - DAST Issue Verifier: This approach allows developers to simulate DAST vulnerabilities that AppScan reports directly within the IDE or browser. Developers can run an AppScan-generated script to replicate the issue, debug it, and validate the fix—all without needing a rescan and before checking in the code.

• Multiple domains on a traffic file: When uploading a traffic file with multiple domains, ASoC automatically adds these domains to the 'Domains to test' list, and mark those verified to be included in the scan.

• IAST for Microservices now offers enhanced support for Kubernetes Node.js environments, providing a non-intrusive solution for deploying the IAST agent automatically within Kubernetes pods. AppScan automates the integration of agents using a deployment script. This new feature facilitates the management of numerous containers and enables testing and production environments to use the original application image without alteration. This allows for a full visibility graph view for your microservice and helps to identify and address security issues early in the development lifecycle.

• A new Centraleyezer plugin lets you seamlessly import and manage HCL AppScan on Cloud vulnerability data, including both DAST and SAST scans, within the Centraleyezer Vulnerability Management platform, allowing you to identify, prioritize, track, and remediate security vulnerabilities.
• Integration with CMD+CTRL Security providing hands-on, immersive secure code training.

• Engine bug fixes

• Fixed a bug affecting customers using the .NET Framework.

• Added support for customers using Red Hat 8 with PHP 8.2.
• Fixed installation issues on Windows.
• Improved performance and made various optimizations.
• General bug fixes.

• The security report lists the associated repository URL for issues.

• ThreadFix plugin was removed.

• Test Policies tab is now added under Organization. Here, you can manage your test policies and upload a custom policy that you created in AppScan Standard or AppScan Enterprise.
• Policies tab under Organization is now renamed as Compliance policies.

• Dependencies update
• Fix container privileges
• Fix Windows installation
• Install script can get registry name as a parameter, for customers using private registry.

• Azure OpenAI configuration enhances accuracy by reducing false positives to improve test results.

• SBOM (Software Bill of Materials) reports, which have been available in our platform’s UI, are now accessible via the Swagger API.

• Report customization: Personalize your reports with your brand identity by easily adding your company logo and creating custom headers and footers.
• Custom policies: Issues can now be filtered based on technology, along with the other filtering options that were already available.

• Performance improvements.
• Reduced frequency of heartbeat communication to AppScan on Cloud when the agent is disabled.
• Enhanced algorithm for merging similar issues.