The HCL AppScan Azure DevOps extension enables you to execute SAST (Static Application Security Testing) scans using HCL AppScan On Cloud, and DAST (Dynamic Application Security Testing) scans using both HCL AppScan On Cloud (ASoC) and HCL AppScan Enterprise (ASE).
This extension runs on Windows, Linux and macOS agents and works with Azure DevOps Services and Azure DevOps Server 2018 Update 2 and above. Please note that AppScan Enterprise DAST scans can only be executed on self-hosted agents.
Prerequisites
The plugin supports scanning through HCL AppScan on Cloud and HCL AppScan Enterprise.
HCL AppScan on Cloud prerequisites
An account at the HCL AppScan on Cloud service. You'll need to create an application on the service to associate your scans with.
HCL AppScan Enterprise prerequisites
The HCL AppScan Azure DevOps plug-in supports integration with HCL AppScan Enterprise for the creation and execution of DAST scans. To use this integration, you must have access to a running instance of AppScan Enterprise Server version 9.0.3.14 or later. Please note that Content Scan jobs are not supported through this integration.
Highlights of the extension:
Dedicated HCL AppScan service endpoints for authentication to ASoC and AppScan Enterprise servers.

Three build tasks:
- HCL AppScan On Cloud: configures all the required settings before executing the build on HCL AppScan On Cloud.
- HCL AppScan Enterprise: configures all the required settings before executing the build on HCL AppScan Enterprise.
- HCL AppScan: a deprecated task retained to support jobs configured prior to the 2.0.0 release. It only supports integration with HCL AppScan On Cloud; enhancements for executing scans on HCL AppScan On Cloud will not be made available in this deprecated task.

Features of HCL AppScan On Cloud Task
- Configuration parameters and fail-build conditions for Dynamic and Static analysis.
- A Build Summary showing the non-compliant issue count by severity once the scan completes successfully.
- An option to download the scan report in HTML format after successful scan completion. This report includes only the non-compliant issues.

Please note that the scan report and summary are available only if the "Suspend job until security analysis completes" option is selected. Otherwise, download the report from the HCL AppScan on Cloud portal after the scan completes.
This Getting Started guide includes comprehensive information on installing, configuring and using the HCL AppScan extension for Azure DevOps.
Features of HCL AppScan Enterprise Task
- Configuration parameters and fail-build conditions for DAST scans.
- A Build Summary showing the issue count by severity once the scan completes successfully.
- An option to download the scan report in JSON and PDF formats from the pipeline logs after successful scan execution. The PDF report is generated and made available as a zip file only when an Application ID is specified while configuring the pipeline.

Please note that the .login file is supported from the AppScan Enterprise 10.0.4 release onwards.
Known Issues
- If you add the same AppScan task more than once in the same pipeline, the report displayed in the Summary tab after successful scan execution will be for the last executed task only. The reports for all tasks are available in the build pipeline logs.
- If you created an ASoC YAML pipeline with Azure DevOps plug-in version 2.0.0, you will encounter the following error when executing the pipeline after upgrading to Azure DevOps plug-in version 2.0.1:
"The task name HCLAppScan is ambiguous. Specify one of the following identifiers to resolve the ambiguity:
HCLTechnologies.ApplicationSecurity-VSTS.custom-build-release-task.HCLAppScan,
HCLTechnologies.ApplicationSecurity-VSTS.custom-asoc-task.HCLAppScan"
To resolve this issue, edit the name of the task to HCLAppScanOnCloud@2.
- If you created an ASoC pipeline to run dynamic scans with Azure DevOps plug-in versions prior to 2.0.4, please note the following changes required after upgrading to 2.0.4 or above:
  - The Site Type option 'NA' is deprecated from version 2.0.4 onwards. If you had selected 'NA', update it to 'Staging' or 'Production' in the Environment section.
  - If you have not configured a presence, after the 2.0.4 upgrade you need to manually select the 'Public Network' option in the Network section.
  - Until version 2.0.3, login credentials were optional. From version 2.0.4 onwards, you must explicitly select 'Login not required' in the Login management section if no login is needed.
Release Summary
2.0.6 (2022-03-31)
- Discontinued Mobile Application Security Testing (MAST) support in the HCL AppScan on Cloud task. Refer to this page for more information.
- Included an option in the AppScan on Cloud task to control intervention by the scan enablement team.
- Bug Fixes
2.0.5 (2022-01-28)
2.0.4 (2021-12-23)
- Support pdf report download in HCL AppScan Enterprise.
- Support additional login options for HCL AppScan on Cloud dynamic scans.
- Bug Fixes
2.0.3 (2021-09-22)
- Support Personal scans in HCL AppScan on Cloud.
- Bug Fixes
2.0.1 (2021-05-04)
- Fixed a customer-reported bug to ensure that pipelines created using YAML scripts for executing scans on HCL AppScan On Cloud work as expected when the extension is upgraded from 1.2.8 to version 2.0.1 or above.
2.0.0 (2021-03-30)
- Supports integration with HCL AppScan Enterprise for creation and execution of DAST scans.
1.2.8 (2020-11-19)
- Support open source only scans in Static Analysis.
- Bug Fixes
1.2.7 (2020-07-10)
- Fixed a customer-reported bug to ensure static scans do not fail after successful IRX file generation even if output is written to stderr.
1.2.6 (2020-06-05)
- Extension name change from Application Security Testing by HCL Technologies to HCL AppScan.
- Marketplace overview update, highlighting major features of the plugin.
- Support for specifying speed and depth levels for static scans. The levels include "simple", "balanced", "deep" and "thorough" with "deep" set as default.
1.2.5 (2020-04-28)
- Support for V10 Test Optimization levels for Dynamic Scans: "No Optimization", "Fast", "Faster" and "Fastest".
- Added License terms to the marketplace listing.
- Updated the extension icon to AppScan.
1.2.4 (2020-02-28)
- Validation of Starting URL for dynamic scans
- Bug Fixes
1.2.3 (2019-10-28)
1.2.2 (2019-11-23)
- Added the "Suspend Job" option, allowing users to continue with the build pipeline while security scans run in the background.
1.1.2 (2019-09-11)
1.1.1 (2019-04-10)
- Support for Test Optimization in DAST Scans.
- Updated the Overview section with a link to the Getting Started guide.
1.1.0 (2019-02-22)
- Support for Dynamic Application Security Testing (DAST) and Mobile Application Security Testing (MAST) in Azure Pipelines.
- Display of Issue Info in Build Summary page.
- Bug Fixes
1.0.0 (2018-12-05)
- First release.
- Support for Static Application Security Testing (SAST) in Azure pipelines.