Welcome
Scanning
This section explains how to scan your source code and manage assessments in HCL® AppScan® Source.
Scanning workspaces, projects, and files
You can scan an Eclipse workspace, project, or file. This includes scanning Java™ (including Android) and JavaServer Pages (JSP) projects.
Scanning integrations
HCL® AppScan® Source allows for integrations with containerization technology, and for scan automation using containers.
Creating containers using a Podman image
Scanning without manual intervention

Welcome
Welcome to the documentation for HCL® AppScan® Source.
What's New
Explore new features added to AppScan® Source and note any features and capabilities deprecated in this release.
Installing
Learn how to install, upgrade, and activate HCL® AppScan® Source.
Configuring
Learn how to configure applications, folders, and projects, and set attributes and properties in HCL® AppScan® Source.
Administering
Learn how to administer user accounts and permissions, audit user activity, and manage integrations in HCL® AppScan® Source.
Scanning
This section explains how to scan your source code and manage assessments in HCL® AppScan® Source.
- Scanning workspaces, projects, and files
  You can scan an Eclipse workspace, project, or file. This includes scanning Java™ (including Android) and JavaServer Pages (JSP) projects.
  - Scan considerations
    This topic describes restrictions and considerations that may affect your scans.
  - Scan configurations
    Scan configurations are used when launching scans and can often lead to better scan results. AppScan® Source includes built-in scan configurations, which can be accessed in server mode or local mode. In addition, custom scan configurations can be created in AppScan Source for Analysis and shared to the AppScan Enterprise Server, and accessed from AppScan Source for Development in server mode.
  - Scanning integrations
    HCL® AppScan® Source allows for integrations with containerization technology, and for scan automation using containers.
    - Creating containers using a Podman image
    - Configuring scan automation with Jenkins and containers
      The HCL® AppScan® Source command line interface (CLI) container, available from HCL Harbor and My HCLSoftware portal (MHS), can be used to automate static analysis scans with Jenkins, and without installing a full instance of AppScan Source.
    - Configuring scan automation with Azure and containers
      The HCL® AppScan® Source command line interface (CLI) container, available from HCL Harbor and My HCLSoftware portal (MHS), can be used to automate static analysis scans with Azure, and without installing a full instance of AppScan Source.
    - Configuring scan automation with GitHub Action and containers
      The HCL® AppScan® Source command line interface (CLI) container, available from HCL Harbor and My HCLSoftware portal, can be used to automate static analysis scans with GitHub, and without installing a full instance of AppScan Source.
    - Configuring scan automation with GitLab CI/CD and containers
      The HCL® AppScan® Source command line interface (CLI) container, available from HCL Harbor and My HCLSoftware portal), can be used to automate static analysis scans with GitLab, and without installing a full instance of AppScan Source.
  - Scanning secrets
    Enable the secrets scanner for all applications, projects, and folders globally from the scan.ozsettings file.
  - Excluding a file from a scan
  - Excluding a folder from a scan
  - Canceling or stopping a scan
    Although you can cancel a scan in progress, canceling a scan causes a loss of all data for that scan. Alternatively, you can stop a scan to halt it and produce an assessment with results that are found so far.
  - AppScan® Source for Analysis and AppScan® Source for Development (Eclipse plug-in) component prerequisite on Linux™
    On Linux™, Eclipse requires the installation of a third-party component in order to render browser-based content. Without this component, AppScan® Source for Analysis and the AppScan Source for Development Eclipse plug-in may exhibit symptoms such as a hang after login or a fail during product use.
- Managing My Assessments
  The My Assessments view contains a list of assessments (the currently-opened assessment, along with any assessments that you have saved). In this view, you can open, delete, save, rename, or compare assessments. When a scan completes or you open a saved assessment, the assessment appears in the My Assessments view. My Assessments displays a table of open or saved assessments, and identifies a published or modified assessment. Removing an assessment from this view (without saving or publishing it) permanently deletes that assessment.
- Publishing assessments
  AppScan® Source offers two publishing options. You can publish assessments to the AppScan Source Database, for the purpose of storing and sharing assessments. Or, if your AppScan Enterprise Server has been installed with the Enterprise Console option, you can publish assessments to it. The AppScan Enterprise Console offers a variety of tools for working with your assessments, such as reporting features, issue management, trend analysis, and dashboards.
- Opening and saving assessments
  AppScan® Source scans source code for vulnerabilities and produces findings. Findings are the vulnerabilities identified during a scan, and the result of a scan is an assessment. You can open a saved assessment from AppScan Source for Development or AppScan Source for Analysis. After you scan, you can save the assessment to a file. Then you can open the assessment again at any time. Assessments are saved as filename.ozasmt.
- Removing assessments from My Assessments
  When assessments are removed from the My Assessments view, they are not removed from your local file system. If an assessment is removed from the view, it can be added back with the Open Assessment action.
- Defining variables
  When saving assessments or bundles, or publishing assessments, AppScan® Source for Analysis may suggest that you create a variable to replace absolute paths (without variables, AppScan Source for Analysis writes absolute paths to the assessment file to reference items such as source files). When you configure variables for absolute paths, you facilitate the sharing of assessments on multiple computers. It is recommended that you use variables when sharing assessments.
Triage and analysis
Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.
Reporting
Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.
Extending product function
Learn how to extend the product to meet specific development requirements.
Reference
Review reference information for HCL® AppScan® Source, including using utilities, plug-ins, and APIs.
Troubleshooting and support
Self-help information, resources, and tools to help you troubleshoot issues while using HCL® AppScan® Source.

Scanning without manual intervention

The AppScan® Source CLI shell starts by default when a container is created; all supported AppScan® Source CLI commands can be executed within the container. The CLI also supports defining a set of commands in a script file and specifying the file using the script command to execute all those commands sequentially.

By making use of a script command, a scan can be performed without manual intervention.

For example:

Create a script:

> vi /host_machine_workspace/cli.script
> login …
> oa /container_workspace/simpleIOT/SimpleIOT.paf
> scan
> report "Findings by Fix Group" pdf-annotated /Apps/owasp_report.pdf
        -includeSrcBefore:5 -includeSrcAfter:5 -includeTrace:suspect
      -includeHowToFix
> logout

Run the scan in the container, specifying the script:

podman run -it --rm --env-file ./env.list --volume
        /host_machine_workspace/:/container_workspace/
        hcl/appscan/source/cli:10.1.0 script .“/container_workspace/cli.script

Note: As of version 10.3.0, AppScan® Source supports containerization using Podman. Since Docker is not supported in Red Hat Enterprise Linux 8 and 9, use Podman if your host is running RHEL 8 or 9. Podman supports all major Docker commands; replace Docker with Podman in the examples in this topic to create containers and scan in the Podman environment.