Configuring a scan using AppScan Go!

AppScan Go! steps you through configuring and running a static scan. You run the scan in the cloud or use a plugin to automate scanning.

Before you begin

To use AppScan Go!, download it and install it to your local system:
  1. In AppScan on Cloud, click Create Scan to open the wizard, then click SAST.
  2. Choose the platform (Windows, Mac, or Linux) for which to download the utility and click Download.
    Important: AppScan 360° users must use the versions of the Static Analyzer Command Line Utility (SAClientUtil) and AppScan Go! included with the AppScan 360° installation. AppScan on Cloud users must use the versions downloaded from the AppScan on Cloud service. They are not interchangeable.
  3. Extract the files and install the utility to your local system.
Note: If you're updating an existing AppScan Go! installation on Linux to a newer version, run the install with the -U option.
Note: Configure AppScan Go! to use a system proxy if necessary.

About this task

Using AppScan Go! allows you to configure scans locally prior to running analysis in the service.

Procedure

  1. From your local system, launch AppScan Go!
    You do not have to be logged in to the AppScan on Cloud service to begin setting up a scan. You do need to be logged in to complete a scan.
  2. Choose a scan method:
    • Run a complete scan.
    • Create an IRX file and run a scan later.
    • Create a configuration file for automating scans.
  3. Specify the location of files to scan, and scan mode and type, then click Next.
    1. Specify the location of the project files to scan: a local directory or software configuration management (SCM) repository.
      • If you are scanning a local directory, browse to the folder that contains the files to scan and click Select Folder. AppScan Go! allows you to choose folders only.
      • If you are scanning a repository, enter the SCM repository URL, log in to the SCM, and select the correct branch.
        Note: Ensure that you have Git version 2.40.1 or newer installed, and that you are using a personal access token for authentication.

        AppScan Go! supports connections to GitHub, GitLab, and BitBucket.

    2. Indicate one or more scan types: static analysis, Software Composition Analysis (open source), or secrets scanning.
    3. Specify whether to scan compiled code (bytecode) or uncompiled source code.
      AppScan Go! recommends the best scan mode for the file set automatically.
  4. AppScan Go! retrieves appropriate files from the selected folder and lists them for review. Review, select, or deselect files, then click Next.
  5. If you opted to run a complete scan, or prepare an IRX file, configure scan settings, then click Next.
    Note: You must be logged in to AppScan on Cloud to see the list of available applications.
    Setting: description
    Scan name: Specify a name for the scan or accept the default name created by AppScan on Cloud.
    Associated application: When running a complete scan, choose the application to associate with the scan.
    Scan speed options (SAST only): Choose Normal, Fast, Faster, or Fastest scan based on need and time demands. Note that scan speed is not a configurable option for SCA/open source scans.
    • A normal scan performs a comprehensive analysis to identify the most detailed list of vulnerabilities and will take the longest time to complete.
    • A fast scan performs a more complete analysis of your files to identify vulnerabilities, and usually takes longer to complete.
    • A faster scan provides a medium level of detail on the analysis and identification of security issues, and takes a bit more time to complete than the 'Fastest' scan.
    • The fastest scan performs a surface-level analysis of your files to identify the most pressing issues for remediation. It takes the least amount of time to complete.
      Note: Scan speed does not necessarily correlate to relative number of vulnerabilities found in the code. For example, the normal analysis may rule out false positives that might be reported in a fastest scan and therefore report fewer vulnerabilities.
    Scan preferences: When running a complete scan, specify scan preferences:
    • Run as a personal scan: Indicate whether the scan will be kept private and not included in umbrella project data.
    • Update me by email when findings are ready: Indicate whether to email when the scan is complete. This is particularly helpful for Normal scans.
  6. If you opted to run a complete scan, AppScan Go! gathers information for any supported files in the directory and all of its subdirectories, then creates an IRX file in the <user_home>/.appscan/temp directory. AppScan Go! then uploads the resulting IRX file to the AppScan on Cloud service. When the scan upload is complete, click Finish.
    Note: You must be logged into an AppScan service to complete a scan. See Account information.
  7. If you opted to create an IRX file, AppScan Go! gathers information for any supported files in the directory and all of its subdirectories, then creates an IRX file in the <user_home>/.appscan/temp directory. When file generation is complete, click Finish.
  8. If you opted to create a configuration file for automating scans, AppScan on Cloud saves the scan configuration file (appscan-config.xml) to the folder with your files to scan. Click Finish to exit AppScan Go!
    You can exit the utility at this point and pick up again later, log in to the AppScan on Cloud service to configure and run the scan now, or use the configuration file to automate scanning with one of the listed plugins.
    Note: For additional information on using configuration files, see Configuring IRX file generation with the CLI.
  9. Open AppScan on Cloud to review the status or results of the scan, or to start a scan with the IRX file generated by AppScan Go!