HCL AppScan Azure DevOps extension enables you to execute SAST (Static Application Security Testing) scans using HCL AppScan on Cloud and HCL AppScan 360°, SCA (Software Composition Analysis) scans using HCL AppScan on Cloud and DAST (Dynamic Application Security Testing) scans using HCL AppScan on Cloud (ASoC), HCL AppScan 360° and HCL AppScan Enterprise (ASE).

This extension runs on Windows, Linux and MacOS agents and works with Azure DevOps Service and Azure DevOps Server 2018 Update 2 and newer.

Please note that AppScan 360° scans and AppScan Enterprise DAST scans can be executed on self-hosted agents only.

Prerequisites

The plugin supports scanning through HCL AppScan on Cloud, HCL AppScan 360° and HCL AppScan Enterprise. Support for SAST scanning using HCL AppScan 360° was added in version 2.1.0 of the Azure DevOps extension, and DAST scanning support was introduced in version 2.4.0. The existing HCL AppScan on Cloud connection endpoint and build task have been enhanced to allow users to connect to HCL AppScan 360°. To learn more about AppScan 360° features and installation, click here.

HCL AppScan on Cloud prerequisites
An account at the HCL AppScan on Cloud service. Create an application on the service to associate with your scans.
HCL AppScan 360° prerequisites
Access to an instance of AppScan 360°.
HCL AppScan Enterprise prerequisites
HCL AppScan Azure DevOps Plug-in supports integration with HCL AppScan Enterprise for creation and execution of DAST Scans. To use this integration, you must have access to a running instance of AppScan Enterprise Server version 9.0.3.14 or later. Please note that Content Scan jobs are not supported through this integration.

Highlights of the Extension

Dedicated HCL AppScan service endpoints for authentication to AppScan on Cloud, AppScan 360° and AppScan Enterprise servers.
Two build tasks:
- HCL AppScan on Cloud /HCL AppScan 360° to configure required settings before executing the build on HCL AppScan on Cloud or HCL AppScan 360°.
- HCL AppScan Enterprise to configure required settings before executing the build on HCL AppScan Enterprise.

HCL AppScan on Cloud /HCL AppScan 360° Task Features

Configuration parameters and fail build conditions for different scan types.
- For AppScan Static Analysis
  - Static Analysis Rescan
- For AppScan Dynamic Analysis
  - Dynamic Analysis Rescan
Please read this section carefully prior to configuring and using this plugin with HCL AppScan 360° for execution of static scans:
- Save in Service Connection: To save AppScan 360° credentials in Azure Service connection, click Save. If you click Verify and Save you see an error (The remote name could not be resolved).
- Application: Enter the Application ID from HCL AppScan 360° in Application field.
- Execution of SCA Scan: AppScan 360° does not support SCA scanning. Attempting to configure AppScan 360° for SCA scanning results in an error (##[error]HCL AppScan task failed: Software Composition Analysis (SCA) is available in AppScan on Cloud only.).
- Execution of SAST with Software Composition Analysis (Open Source Only) Enabled: AppScan 360° does not support Software Composition Analysis (SCA) scans. Attempting to configure AppScan 360° for SCA results in an error (##[error]HCL AppScan task failed: Software Composition Analysis (SCA) is available in AppScan on Cloud only).
- Usage of Allow Intervention Option: AppScan 360° does not support scan intervention. Checking “Allow Intervention" results in an error (##[warning] Incorrect scan settings: Intervention is available in AppScan on Cloud only).
Upon successful completion of the scan, the Extensions tab displays the non-compliant issue count based on severity.
- For AppScan on Cloud
- For AppScan 360°
Upon successful completion of the scan, the option to Download Scan Report in HTML format. This report includes only the non-compliant issues.
- For AppScan on Cloud
  
  When SCA is included in the SAST scan, SCA scan report will be displayed under Include SCA Report Tab.
- For AppScan 360°

Notes: The scan report and summary are available only if Suspend job until security analysis completes is selected. The report and summary otherwise are available for download from HCL AppScan on Cloud or HCL AppScan 360°.

AppScan on Cloud (ASoC) now performs SAST and SCA analysis as separate scans. To execute an open-source only scan, use the Software Composition Analysis (SCA) scan type.

For additional information on installing, configuring and using the HCL AppScan extension for Azure DevOps see the online documentation .

HCL AppScan Enterprise Task Features

Configuration parameters and fail build conditions for DAST scans
AppScan Enterprise Web API scanning using Postman collections
Upon successful completion of the scan, the Extensions tab displays the non-compliant issue count based on severity.
Upon successful completion of the scan, an option to Download Scan Report in JSON and PDF formats from pipeline logs. A PDF report is generated and available as a zip file only when Application ID is specified while configuring the pipeline.

Note: .login file is supported in AppScan Enterprise version 10.0.4 and newer.

Known Issues

If you add the same AppScan task more than once in the same pipeline, the report displayed in Summary tab is for the last executed task only. The reports for all the tasks are available in build pipeline logs.
If you created an ASoC YAML pipeline with Azure DevOps plugin version 2.0.0 and attempt to execute the pipeline after upgrading to Azure DevOps plugin version 2.0.1, you see the following error: The task name HCLAppScan is ambiguous. Specify one of the following identifiers to resolve the ambiguity: HCLTechnologies.ApplicationSecurity-VSTS.custom-build-release-task.HCLAppScan, HCLTechnologies.ApplicationSecurity-VSTS.custom-asoc-task.HCLAppScan. To resolve this issue, edit the name of the task to HCLAppScanOnCloud@2.
If you are unable to view the scan summary on the Azure DevOps Extensions tab, first verify that the scan name does not include special characters.

Additional Resources

Release Summary

2.6.0 (2024-12-18)

Support for Rescan of DAST Scans in both HCL AppScan on Cloud and HCL AppScan 360°.
Support for Web API scanning using Postman collections in HCL AppScan Enterprise.
Bug fixes.

2.5.0 (2024-09-27)

Support for Rescan of SAST Scans in both HCL AppScan on Cloud and HCL AppScan 360°.
Support for Rescan of SCA Scans in HCL AppScan on Cloud.
Bug fixes.

2.4.0 (2024-06-26)

Support to execute DAST scans via HCL AppScan 360° v1.3 and above.
Support to execute SAST and SCA scans as a single pipeline job for HCL AppScan on Cloud.
Support to execute Source code only SAST scans via HCL AppScan on Cloud and HCL AppScan 360°.
Bug fixes.

2.3.1 (2024-03-27)

Migration to version 4 of ASoC REST APIs.
Bug fixes.

2.3.0 (2023-11-17)

Support for new scan type : Software Composition Analysis (SCA) in AppScan on Cloud.
Support for adding Contact and Description for AppScan Enterprise jobs.
Bug fixes.

2.2.0 (2023-08-22)

Added support for uploading files and folders in AppScan on Cloud/AppScan 360° for static analysis scans.
Renamed static analysis scan speeds
Bug fixes.

2.1.1 (2023-06-14)

Bug Fixes

2.1.0 (2023-06-09)

Support for executing SAST Scans via AppScan 360°.
Removal of deprecated HCL AppScan build task.
Bug Fixes

2.0.8 (2023-04-21)

Bug Fixes

2.0.7 (2023-03-14)

Users will no longer be able to execute the deprecated HCL AppScan build task. Any existing "HCL AppScan" build task configurations will have to be used to create new “HCL AppScan on Cloud” tasks, for further execution.
Support for critical severity.
Bug Fixes

2.0.6 (2022-03-31)

Discontinued Mobile Application Security Testing (MAST) support from HCL AppScan on Cloud task. Refer to this page for more information.
Included an option in AppScan on Cloud task to control intervention by scan enablement team
Bug Fixes

2.0.5 (2022-01-28)

Bug Fixes

2.0.4 (2021-12-23)

Support pdf report download in HCL AppScan Enterprise.
Support additional login options for HCL AppScan on Cloud dynamic scans.
Bug Fixes

2.0.3 (2021-09-22)

Support Personal scans in HCL AppScan on Cloud.
Bug Fixes

2.0.1 (2021-05-04)

Fix a customer reported bug to ensure, pipelines created using YAML scripts for execution of scans on HCL AppScan on Cloud work as expected when the extension is upgraded from 1.2.8 to version 2.0.1 or above.

2.0.0 (2021-03-30)

Supports integration with HCL AppScan Enterprise for creation and execution of DAST scans.

1.2.8 (2020-11-19)

Support open source only scans in Static Analysis.
Bug Fixes

1.2.7 (2020-07-10)

Fix a customer reported bug to ensure static scans do not fail for successful IRX file generation, even if output is written to stderr.

1.2.6 (2020-06-05)

Extension name change from Application Security Testing by HCL Technologies to HCL AppScan.
Marketplace overview update, highlighting major features of the plugin.
Support for specifying speed and depth levels for static scans. The levels include "simple", "balanced", "deep" and "thorough" with "deep" set as default.

1.2.5 (2020-04-28)

Support for V10 Test Optimization levels for Dynamic Scans. These are "No Optimization", "Fast", "Faster", "Fastest".
Added License terms to marketplace
Updated the extension icon to AppScan

1.2.4 (2020-02-28)

Validation of Starting URL for dynamic scans
Bug Fixes

1.2.3 (2019-10-28)

HCL Washed Changes

1.2.2 (2019-11-23)

Added "Suspend Job" option, to allow users to continue with Build pipeline while security scans run in background.

1.1.2 (2019-09-11)

Bug Fixes

1.1.1 (2019-04-10)

Support for Test Optimization in DAST Scans.
Updated Overview section with a link to Getting Started guide

1.1.0 (2019-02-22)

Support for Dynamic Application Security testing (DAST) and Mobile Application Security Testing (MAST) in Azure Pipelines
Display of Issue Info in Build Summary page.
Bug Fixes

1.0.0 (2018-12-05)

First Release
Support for Static Application Security Testing (SAST) in Azure pipelines.

HCL AppScan

HCL Software