Welcome
Management
Define users, roles, groups, applications, policies, and configure DevOps integrations.
DevOps
Tools for incorporating ASoC in your software development lifecycle.
REST API
The built-in REST API interface provides you with a way to visualize RESTful web services. The API documentation is built using Swagger, where you can test API operations and instantly view the results to help you scan your applications faster.
Export scan data
This section describes how to export scan results as CSV, JSON, or SARIF.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes navigating AppScan on Cloud, including items on the side main menu and top navigation bars, with links to more detailed information.
Management
Define users, roles, groups, applications, policies, and configure DevOps integrations.
- Working with applications
  An application is a collection of scans related to the same project. It can be a web site, a desktop app, a mobile app, a web service, or any component of an app. Applications enable you to asses risk, identify trends, and make sure that your project is compliant with industry and organization policies.
- DevOps
  Tools for incorporating ASoC in your software development lifecycle.
  - REST API
    The built-in REST API interface provides you with a way to visualize RESTful web services. The API documentation is built using Swagger, where you can test API operations and instantly view the results to help you scan your applications faster.
    - Technical overview of REST API upgrade to v4
      Version 4.0 of the REST API brings a host of enhancements, optimizations, and improvements over the previous version (v2). API v4 maintains compatibility by using the same access token as v2, facilitating a gradual migration of your code to v4 while continuing to use the existing token. Notably, the path prefix for API v4 has changed from "/api/v2" to "/api/v4/". While many functions retain their names and models, ensuring a straightforward transition from "v2" to "v4," some functions have undergone modifications. This topic serves as a technical guide, outlining the primary changes introduced in API v4.
    - Generating API Keys
      Use a Key ID and Key Secret to access the AppScan on Cloud REST APIs and to log in from some of the ASoC client tools (for example, from the Jenkins plug-in and from the Static Analyzer Command Line Utility and IDE plug-ins).
    - OData
      This section provides information and tips for using Open Data Protocol (OData) through the ASoC API.
    - Export scan data
      This section describes how to export scan results as CSV, JSON, or SARIF.
    - Export data to SARIF
      You can export data to SARIF (Static Analysis Results Interchange Format) from the product UI and via the Reports API.
    - DAST scan priority
      Use the API to assign priorities to DAST scans, manage the DAST scan queue order, and control scan scheduling.
  - Webhooks
    Use webhooks to receive notifications about events that occur in AppScan on Cloud.
  - Integrations
- Email notifications
  Use email notifications to be informed about scan progress, results, proactive alerts for new CVEs added and other AppScan events. This topic describes how to configure notification settings, select asset groups, applications and triggers, and manage delivery options.
- Personal scans
  A personal scan is a way of evaluating the relative security of an application in development without affecting overall application scan data (issues, for example), or compliance.
- Scan status
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
AppScan on Cloud AI assistant
The AI assistant is an integrated intelligence layer that works within the AppScan on Cloud environment. It provides security insights, automates issue triage, and offers remediation guidance.
AppScan Model Context Protocol (MCP) server
The AppScan MCP server integrates HCL AppScan on Cloud directly with AI-powered development environments and agents. By implementing the Model Context Protocol (MCP), this server allows LLMs (such as Claude or models running in VS Code) to securely access your security data—including SAST, DAST, SCA, and IAST results—to help you triage issues, analyze findings, and automate workflows using natural language.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Export data to CSV, JSON, or SARIF

This section describes how to export scan results as CSV, JSON, or SARIF.

The ASoC API returns data in JSON by default, which is useful for programmatic consumption. To explicitly request JSON, send the header:

Accept: application/json

If you need data in CSV (for spreadsheets), request CSV by sending:

Accept: text/csv

Note: the ASoC API supports OData V4 ($filter, $select) for filtering and selecting the fields returned; this applies to both JSON and CSV responses.

For SARIF: the UI provides an Export dialog that can produce SARIF for SAST issues (see the Export dialog in the product). If you need to generate SARIF programmatically via the API, SARIF output is produced by the Reports API (a different endpoint than the OData/export endpoints). See Export data to SARIF for API examples and parameters.

Using the API

To use the API, you must have a valid access token, and to get an access token, you need an API Key that is associated with your account. See Generating API Keys for details.

Swagger

To get the data in CSV format, simply change the default "Response Content Type" from "application/json" to "text/csv" before you click the "Execute" button.

For more details, refer to the Swagger documentation.

curl

The following is an example of a curl command that will return all the properties of all the applications you can access from your account (replace

<access
                    token>

with a valid access token):

curl -X GET --header 'Accept: text/csv' --header 'Authorization: Bearer <access token>'
                    'https://cloud.appscan.com/api/v4/Apps'

Since the API supports OData, you can leverage the $filter and $select request parameters to get partial data. In the following example, only applications with High RiskRating are retrieved and each application contains 3 properties – Id, Name and RiskRating:

curl -X GET --header 'Accept: text/csv' --header 'Authorization: Bearer <access token>'
                    'https://cloud.appscan.com/api/v4/Apps?
                    $filter=RiskRating%20eq%20'\''High'\''&$select=Id%2CName%2CRiskRating'

See also: