Welcome
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Scanning libraries and third-party code for security vulnerabilities
To scan open source libraries and third-party code for security vulnerabilities, follow the steps in these topics.
Runtime Software Composition Analysis
Identify and manage vulnerabilities in open source components and libraries used by an application at runtime.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes navigating AppScan on Cloud, including items on the side main menu and top navigation bars, with links to more detailed information.
Management
Define users, roles, groups, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
- About Software Composition Analysis
  Software Composition Analysis (SCA) identifies and examines open-source packages within your codebase to detect potential security vulnerabilities. SCA can analyze both individual source code files and package manager artifacts, such as configuration files, and lockfiles, to determine the open-source packages your project depends on.
- System requirements for SCA
  The types of files that can be scanned by ASoC when you perform open source testing.
- Scanning libraries and third-party code for security vulnerabilities
  To scan open source libraries and third-party code for security vulnerabilities, follow the steps in these topics.
  - Configure an open source scan in AppScan on Cloud
  - Configuring a scan using AppScan Go!
    AppScan Go! steps you through configuring and running a static scan. Run the scan in the cloud or use a plugin to automate scanning.
  - Generating an IRX file using the command-line interface (CLI)
    To initiate an analysis of your files, you must generate an IRX file to submit for scanning. To use the CLI to generate the IRX file, follow these instructions.
  - Generating in IRX file using a plugin or IDE
  - Generating an IRX file using a Software Bill of Materials (SBOM) report
    Use the REST API to create an IRX file from a Software Bill of Materials (SBOM) report in SPDX 2.3 format.
  - Runtime Software Composition Analysis
    Identify and manage vulnerabilities in open source components and libraries used by an application at runtime.
- SCA scan results
  Features available in SCA scan results.
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
AppScan Model Context Protocol (MCP) server
The AppScan MCP server integrates HCL AppScan on Cloud directly with AI-powered development environments and agents. By implementing the Model Context Protocol (MCP), this server allows LLMs (such as Claude or models running in VS Code) to securely access your security data—including SAST, DAST, SCA, and IAST results—to help you triage issues, analyze findings, and automate workflows using natural language.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Runtime Software Composition Analysis

Identify and manage vulnerabilities in open source components and libraries used by an application at runtime.

Traditional SCA identifies third-party dependencies during the build process, which can lead to an overwhelming number of results. Runtime SCA refines this data by monitoring applications during execution to identify which libraries are actively loaded. By distinguishing between referenced code and used code, you can focus remediation on the components that pose a real-world risk.

Key benefits

Operational accuracy: Distinguish between inactive dependencies and active, high-risk libraries.
Risk prioritization: Gain deeper context into vulnerabilities to streamline your remediation backlog.
Production insights: Use IAST_SCA_PROD to monitor production environments with minimal overhead by disabling full security testing in favor of library detection.

Implementation workflow

To leverage Runtime SCA, you must deploy an agent and correlate its findings with a standard SCA scan.

Deploy the IAST agent.
Install the IAST agent onto your application server.

Configure environment variables.

Enable runtime detection by adding one of the following variables to your IAST configuration file:


Variable	Environment	Description
`IAST_RUNTIME_SCA`	Testing/Staging	Enables full IAST capabilities alongside runtime library detection.
`IAST_SCA_PROD`	Production	Disables standard IAST features, leaving only library detection active.

Exercise the application.
The agent must see the application in use to identify loaded libraries. You can trigger this by:
- Running automated functional or regression tests.
- Performing a dynamic (DAST) scan.
- Manually exploring the application.
Correlate and review results.
After the agent has monitored the application, run a standard SCA scan. ASoC automatically correlates the static scan findings with the agent's runtime data. Confirmed active libraries are then displayed in a correlation group for easy identification.