Welcome
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Scanning for security vulnerabilities
To scan source code for security vulnerabilities, follow the steps in these topics.
Static analysis integrations
ASoC and GitLab
Use AppScan on Cloud with GitLab to run static analysis security testing (SAST) against the files in your repository on every merge request, thus preventing vulnerabilities from reaching the main branch. Results are stored in AppScan on Cloud.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes navigating AppScan on Cloud, including items on the side main menu and top navigation bars, with links to more detailed information.
Management
Define users, roles, groups, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
- About static analysis (SAST)
- System requirements for static analysis
  Supported operating systems and the types of files, locations, and projects that can be scanned by ASoC when you perform static analysis.
- Scanning for security vulnerabilities
  To scan source code for security vulnerabilities, follow the steps in these topics.
  - Configure a scan in AppScan on Cloud
    Configure a static analysis scan.
  - Configuring a scan using AppScan Go!
    AppScan Go! steps you through configuring and running a static scan. Run the scan in the cloud or use a plugin to automate scanning.
  - Generating an IRX file using the command-line interface (CLI)
    To initiate an analysis of your files, you must generate an IRX file to submit for scanning. To use the CLI to generate the IRX file, follow these instructions.
  - Generating in IRX file using a plugin or IDE
  - Technical preview: Simplified configuration process for .NET data flow analysis
    AppScan on Cloud offers a new way to generate an .irx file for scanning .NET applications, using dataflow analysis for .NET source code (C# and VB.NET),
  - About Software Composition Analysis
    Software Composition Analysis (SCA) identifies and examines open-source packages within your codebase to detect potential security vulnerabilities. SCA can analyze both individual source code files and package manager artifacts, such as configuration files, and lockfiles, to determine the open-source packages your project depends on.
  - Static analysis integrations
    - CodeSweep Github Action
      The HCL AppScan CodeSweep for GitHub action enables you to check your code on every pull request. The action identifies vulnerabilities in changed code with every update. But more than just identifying issues, the HCL AppScan CodeSweep for GitHub extension tells you what you need to know to mitigate issues — before they make it to the main branch.
    - ASoC and GitLab
      Use AppScan on Cloud with GitLab to run static analysis security testing (SAST) against the files in your repository on every merge request, thus preventing vulnerabilities from reaching the main branch. Results are stored in AppScan on Cloud.
    - SAST GitHub Action
      The AppScan SAST Github Action enables you to run static analysis security testing (SAST) against the files in your repository. The SAST scan identifies security vulnerabilities in your code and stores the results in AppScan on Cloud.
  - Submitting HCL AppScan Source assessments to the Cloud for analysis
    If you have a subscription to HCL AppScan on Cloud, you can submit AppScan Source assessments for analysis there. Assessments from AppScan Source Versions 9.0 or higher are supported. The number of scans you can submit depends on your ASoC subscription.
  - Best practices for Java scanning
  - Static analysis scan results
    The SAST scanning engine uses AI and complementary technologies to improve detection accuracy and streamline result analysis.
- Sample apps and scripts
  Use these sample applications to practice scanning with ASoC.
- Static analysis troubleshooting
  If you experience problems with static analysis, you can perform these troubleshooting tasks to determine the corrective action to take.
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
AppScan on Cloud AI assistant
The AI assistant is an integrated intelligence layer that works within the AppScan on Cloud environment. It provides security insights, automates issue triage, and offers remediation guidance.
AppScan Model Context Protocol (MCP) server
The AppScan MCP server integrates HCL AppScan on Cloud directly with AI-powered development environments and agents. By implementing the Model Context Protocol (MCP), this server allows LLMs (such as Claude or models running in VS Code) to securely access your security data—including SAST, DAST, SCA, and IAST results—to help you triage issues, analyze findings, and automate workflows using natural language.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

ASoC and GitLab

Use AppScan on Cloud with GitLab to run static analysis security testing (SAST) against the files in your repository on every merge request, thus preventing vulnerabilities from reaching the main branch. Results are stored in AppScan on Cloud.

Register

If you don't have an account, register on HCL AppScan on Cloud (ASoC) to generate your API key and API secret.

Setup

Generate your ASoC API key and API secret on the API page.
The API key and API secret map to the ASOC_KEY and ASOC_SECRET parameters for this action. Make note of the key and secret.
Create the application in ASoC.
Applications act as a container to store all scans that are related to the same project.
Copy the application name.

The application name in ASoC maps to APP_NAME for this integration.

Create variables in GitLab. Select Settings > CI/CD > Variables, and set the variables as follows:

Table 1. Required inputs (SAST or DAST
Variable	Value
`APPSCAN_KEY`	Your API key from the API page.
`APPSCAN_SECRET`	Your API secret from the API page
`APP_NAME`	The name of the application in AppScan.
`APPSCAN_ASSET`	The ID of the asset group in AppScan.

Copy .gitlab-ci.yaml and Dockerfile into your GitLab repository root.
Set the CI/CD configuration file. Select Settings > CI/CD > General pipelines > CI/CD Configuration file.
Build your own runner. Select Settings > CI/CD > Runners and follow the steps under Specific Runners.
On the system on which you are setting up the GitLab runner, log in and clone your GitLab repository if one does not already exist. Ensure that a Docker engine is installed on that machine.
Build a new Docker image called saclient from the Dockerfile. Change directory to the root of the repository and run the following command to build the Docker image:
```
 docker build -t saclient . 
```
Important:
The period at the end indicates the current directory.
In GitLab, to prevent merges if the scan fails, enable Pipelines must succeed at Settings > Merge requests > Merge checks.
Verify a new scan job is initiated when new merge requests are created at Settings > CI/CD > Pipelines.

Examples

Scan job

Scan artifacts ready for download

Scan job passed based on maxIssuesAllowed

Additional Information

The current yaml script contains a sample of a security policy check that fails the scan if the number of allowed security issues exceeds a certain threshold. The sample has maxIssuesAllowed set to 100.