This section describes navigating AppScan on Cloud, including items on the side main menu and top navigation bars, with links to more detailed information.
Use options in the Administration menu to manage users, roles, and access to data.
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
The Home page shows your associated asset groups and applications, as well as recent applications and scans in your organization that are within the asset groups to which you are assigned. From the Home page, you can select one of your latest applications or scans, or view all applications and all scans on the Applications page and the Scans and sessions page, respectively. The What's New section lists recent updates to ASoC.
The main dashboard is the fourth item on the main menu bar. It gives you a detailed overview of active issues, MTTR issues, applications, and scans along with graphs and charts that display the overall state of your applications.
The Applications page lists all applications in your organization that are within the asset groups to which you are assigned. From the Applications page, you can create new applications and open individual application pages.
This view lists all scans and sessions in all your applications.
Search for, review, and take action on open source libraries associated with applications.
Governance is your go-to hub for managing policies, domains, and audit trails.
Asset groups represent abstract components of your organization, like "Finance" or "Engineering." Administrators can restrict access to specific applications by assigning them to an asset group and limiting the users who belong in the group.
A user's permissions are determined by their role. There are five pre-defined roles (Administrator, Manager, Application Manager, Tester, and Reporting Viewer) that cannot be modified or deleted. An administrator assigns users to asset groups. Administrators can change the default user role to any role (except Administrator), including a custom role. Users who have the permission to manage and invite other users cannot assign them a role that is higher than their own role. For example, a Manager cannot invite a user and assign them an Administrator role. Additionally, a user cannot invite someone to a role that has privileges that the inviting user does not have.
User management allows you to control access to sensitive applications by assigning them to asset groups and then adding specific users to those groups.
The Subscriptions view displays the status of all your organization's subscriptions. It includes details like the selected technologies, how many months have passed, the number of applications in use, or the number of concurrent scans that can be run per technology, as well as the start and end dates.
Settings helps you navigate and configure the settings within your organization and data center effectively.
Define users, roles, groups, applications, and policies, and configure DevOps integrations.
AppScan on Cloud performs security scans of web applications in production, staging, and development environments. For development environments, it is aided by Private Site Scanning technology to scan applications that are not accessible from the open Internet.
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
The AppScan MCP server integrates HCL AppScan on Cloud directly with AI-powered development environments and agents. By implementing the Model Context Protocol (MCP), this server allows LLMs (such as Claude or models running in VS Code) to securely access your security data—including SAST, DAST, SCA, and IAST results—to help you triage issues, analyze findings, and automate workflows using natural language.
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.