This section describes navigating AppScan on Cloud, including items on the main side menu and top navigation bars, with links to more detailed information.
Governance is your go-to hub for managing policies, domains, and audit trails.
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
The Home page shows your associated asset groups and applications, as well as recent applications and scans in your organization that are within the asset groups to which you are assigned. From the Home page, you can select one of your latest applications or scans, or view all applications and all scans on the Applications page and the Scans and sessions page, respectively. The What's New section lists recent updates to ASoC.
The main dashboard is the fourth item on the main menu bar. It gives you a detailed overview of active issues, MTTR issues, applications, and scans along with graphs and charts that display the overall state of your applications.
The Applications page lists all applications in your organization that are within the asset groups to which you are assigned. From the Applications page, you can create new applications and open individual application pages.
This view lists all scans and sessions in all your applications.
Search for, review, and take action on open source libraries associated with applications.
The DAST templates feature streamlines the management and use of Dynamic Application Security Testing (DAST) scan templates. You can upload AppScan Standard scan files (.scant) or DAST templates directly to ASoC. This centralizes templates and makes them available to all ASoC users for reuse, rather than storing them on individual desktops.
The test policies are a list of web application security scan settings. You can select one of the predefined test policies available when running scans from the ASoC user interface, but other policies can be applied with imported scans or scans run from the API. You can also upload custom test policies that you created in AppScan Standard and AppScan Enterprise.
The Domains view lists the domains for which you have permission to run dynamic (DAST) scans. Based on your subscription, you are presented with either the Domain management page or the Domain verification page.
You can apply the predefined compliance policies, as well as your own custom compliance policies, to show only data for the issues that are relevant for you.
The audit trail (Governance > Audit trail) logs user activity.
Use options in the Administration menu to manage users, roles, and access to data.
Define users, roles, groups, applications, policies, and configure DevOps integrations.
AppScan on Cloud performs security scans of web applications in production, staging, and development environments. For development environments, it is aided by Private Site Scanning technology, which scans applications that are not accessible from the open Internet.
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
The AppScan MCP server integrates HCL AppScan on Cloud directly with AI-powered development environments and agents. By implementing the Model Context Protocol (MCP), this server allows LLMs (such as Claude or models running in VS Code) to securely access your security data—including SAST, DAST, SCA, and IAST results—to help you triage issues, analyze findings, and automate workflows using natural language.
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.