Welcome
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Scanning libraries and third-party code for security vulnerabilities
To scan open source libraries and third-party code for security vulnerabilities, follow the steps in these topics.
Configure an open source scan in AppScan on Cloud
Proactive monitoring
Software Composition Analysis (SCA) scans can be monitored continuously for the presence newly published CVEs. Proactive scanning can be applied to new scans and to existing scans. When proactive monitoring is enabled, AppScan on Cloud checks for new vulnerabilities every 24 hours.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
- About Software Composition Analysis
  Software Composition Analysis (SCA) identifies and examines open-source packages within your codebase to detect potential security vulnerabilities. SCA can analyze both individual source code files and package manager artifacts, such as configuration files, and lockfiles, to determine the open-source packages your project depends on.
- System requirements for SCA
  The types of files that can be scanned by ASoC when you perform open source testing.
- Scanning libraries and third-party code for security vulnerabilities
  To scan open source libraries and third-party code for security vulnerabilities, follow the steps in these topics.
  - Configure an open source scan in AppScan on Cloud
    - Scan status
    - Proactive monitoring
      Software Composition Analysis (SCA) scans can be monitored continuously for the presence newly published CVEs. Proactive scanning can be applied to new scans and to existing scans. When proactive monitoring is enabled, AppScan on Cloud checks for new vulnerabilities every 24 hours.
    - Personal scans
      A personal scan is a way of evaluating the relative security of an application in development without affecting overall application scan data (issues, for example), or compliance.
  - Configuring a scan using AppScan Go!
    AppScan Go! steps you through configuring and running a static scan. Run the scan in the cloud or use a plugin to automate scanning.
  - Generating an IRX file using the command-line interface (CLI)
    To initiate an analysis of your files, you must generate an IRX file to submit for scanning. To use the CLI to generate the IRX file, follow these instructions.
  - Generating in IRX file using a plugin or IDE
  - Runtime Software Composition Analysis
    Identify and manage vulnerabilities in open source components and libraries used by an application at runtime.
- SCA scan results
  Features available in SCA scan results.
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
AppScan Model Context Protocol (MCP) server
The AppScan MCP server integrates HCL AppScan on Cloud directly with AI-powered development environments and agents. By implementing the Model Context Protocol (MCP), this server allows LLMs (such as Claude or models running in VS Code) to securely access your security data—including SAST, DAST, SCA, and IAST results—to help you triage issues, analyze findings, and automate workflows using natural language.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Proactive monitoring

Software Composition Analysis (SCA) scans can be monitored continuously for the presence newly published CVEs. Proactive scanning can be applied to new scans and to existing scans. When proactive monitoring is enabled, AppScan on Cloud checks for new vulnerabilities every 24 hours.

SCA sources include the most popular security vulnerability databases (NVD, Github advisory, Microsoft MSRC), and a wide range of lesser-known security advisories and open source project issue trackers. SCA is updated daily. These regular updates can be applied to existing scans as well as to new scans. Monitoring existing scans for vulnerabilities listed in SCA database updates does not count against your subscription.

Proactive monitoring is enabled by default when you configure an SCA scan using the scan wizard.

If you do not want proactive monitoring applied to a new scan, toggle the option under Scan options.

To enable or disable proactive monitoring for existing scans:

Either:
1. From Scans and sessions, right-click the ellipsis ( ) icon for a scan entry and select Proactive monitoring.
2. From the Single scan view for a scan, select Manage scan > Proactive monitoring.
At the Proactive monitoring dialog, enable or disable monitoring using the toggle.
Click Apply.

The Proactive montoring tile on the Single scan view tells you the last time monitoring created or updated an issue for your scan.