HCL AppScan Boards Integration for Azure DevOps

The HCL AppScan Boards Integration plugin lets you import security issues from HCL AppScan on Cloud or HCL AppScan 360° directly into Azure Boards.

This plugin includes two main components:

A Service Connection for secure authentication.
A Pipeline Task that filters and imports security issues as work items.

Prerequisites

Before configuring the plugin, make sure your environment and Azure project meet the following requirements:

Azure pipeline requirements

To run this task, your build agent must meet specific version requirements. You can verify your agent version in Project Settings > Agent Pools > [Your Agent] > Capabilities.

Agent version: 1.95.0 or later.
Runtime: Node 20 (The agent must support Node 20 execution).
Permissions: The pipeline requires the vso.work permission scope to create work items.

Azure Boards project requirements

To import issues successfully, your Azure DevOps project must use a supported process template and have the Bug work item configured correctly. If these requirements are not met, the pipeline task will fail during execution.

⚠️ Important: The Basic process template is not supported because it does not define the standard Bug work item type required by this plugin.

Template type	Status
Supported	Agile, Scrum, CMMI, Custom
Unsupported	Basic

Work item configuration

The Bug work item type must be enabled in your project and must contain the following fields:

System.Title
Microsoft.VSTS.TCM.ReproSteps (Repro Steps)
Microsoft.VSTS.Common.Priority (Must accept integers 1, 2, 3, 4)
Microsoft.VSTS.Common.Severity (Must accept strings "1 - Critical", "2 - High", "3 - Medium", "4 - Low")
System.Tags

Note: Ensure the Bug work item does not have any other mandatory fields (unless they have default values defined), or the import may fail.

1. Configure the Service Connection

To enable the plugin to communicate with your AppScan server, you must first configure a service connection. This connection will be used by the pipeline task in the next step.:

In your Azure DevOps project, go to Project Settings > Service Connections.
Select New service connection.
Search for and select HCL AppScan on Cloud/HCL AppScan 360°, and then select Next.

The Service Connection selection screen in Azure DevOps

Configuration parameters

Parameter	Description
Server URL	Enter the URL for your AppScan environment. • AppScan on Cloud: https://cloud.appscan.com • AppScan 360°: Enter your private or on-premises AppScan 360° server URL.
Key ID	Enter your AppScan API Key ID.
Key Secret	Enter your AppScan API Key Secret.
Service connection name	Enter a unique name for this connection.

Verification steps

The verification process differs depending on your AppScan environment:

Option A: AppScan on Cloud

Select Verify and save.
Azure validates your credentials with the AppScan server. If correct, the connection is saved.

Option B: AppScan 360° (Private/On-Premises)

If you connect to an environment hosted on a private network, standard verification will fail because public Azure servers can't reach your internal network. Follow these steps instead:

Select the Allow Untrusted Connections checkbox.
Security warning: This bypasses SSL certificate validation to allow communication with internal servers using self-signed certificates. Make sure this is compliant with your organization's security policies.
Don't select Verify and save.
Instead, scroll to the bottom of the pane, select the arrow next to Verify and save, and then select Save without verification.

The Save without verification dropdown menu option

2. Configure the Pipeline Task

The HCL AppScan Boards Integration task retrieves security issues and creates corresponding work items in Azure Boards. This task is typically added to the build or release pipeline after a scan completes.

To add the task:

Go to your pipeline definition.
Search for HCL AppScan Boards Integration and add it to your agent job.

The AppScan Boards Integration task in the pipeline editor

Task inputs

Connection and scope

AppScan credentials: Select the service connection created in the previous section.
Scope: Select whether to import issues from an application or a specific scan.
Application ID / Scan ID:
- AppScan on Cloud users: Select the specific ID from the drop-down list.
- AppScan 360° users: Manually enter the specific Application or Scan ID (automatic retrieval isn't available for private networks).

Filters

Configure the following filters to control which issues are imported:

Scan type: Select the scan types to include (SAST, DAST, SCA, IAST).
Issue status: Select the statuses to import (for example, Open, In Progress, Reopened).
Issue severity: Select the severity levels to import (for example, Critical, High, Medium, Low, Informational).

Troubleshooting and FAQ

Why does the "Test Connection" or "Verify" step fail for AppScan 360°?

Cause: AppScan 360° is often hosted on an on-premises, private network. The Azure DevOps "Verify" function originates from public Azure servers and cannot reach your internal URL.

Solution: This is expected behavior for private networks because the public Azure service can't reach your internal URL. When creating the Service Connection, you must select Save without verification from the save menu.

Why is the Application/Scan ID drop-down list empty?

Cause: If you're using AppScan 360° on a private network, the plugin can't query your server to populate the list dynamically during configuration.

Solution: You must manually copy the Application ID or Scan ID from your AppScan 360° dashboard and paste it into the task field.

What permissions does the task need?

The task creates work items in Azure Boards. Make sure your pipeline agent has the vso.work permission scope enabled.

Change Log

1.0.0 (February, 2025)

Initial release of HCL AppScan Boards Integration for Azure DevOps

HCL AppScan Boards Integration

HCL Software