HCL AppScan Executor

Category: Network and Vulnerability Scanners
Script: appscan.py
Integration: REST API (HCL AppScan on Cloud)
Faraday Plugin: AppScanPlugin
Website: https://www.hcltechsw.com/appscan

Description

Authenticates with the HCL AppScan on Cloud API (formerly IBM AppScan), creates or re-executes a DAST or SAST scan, waits for completion, generates an XML report, downloads it, and parses it into Faraday.

Prerequisites

  • HCL AppScan on Cloud account with API access
  • API Key ID and Secret (generated in AppScan Cloud settings)
  • Application ID for the target application

Configuration

Environment Variables (Setup)

Variable        Required  Description
HCL_KEY_ID      Yes       API Key ID for AppScan Cloud authentication
HCL_KEY_SECRET  Yes       API Key Secret
HCL_APP_ID      Yes       AppScan Application ID

Execution Arguments

Parameter        Type    Mandatory    Description
HCL_SCAN_TYPE    string  Yes          Scan type: DAST (Dynamic) or SAST (Static)
HCL_SCAN_TARGET  string  Conditional  Target URL (for DAST) or FileId (for SAST). Required if HCL_SCAN_ID is not provided
HCL_SCAN_ID      string  No           Existing scan ID to re-execute
HCL_SCAN_NAME    string  No           Scan display name (defaults to a timestamp-based name)

YAML Configuration Example

executors:
  appscan_scan:
    repo_executor: appscan.py
    max_size: 65536
    varenvs:
      HCL_KEY_ID: "${APPSCAN_KEY_ID}"
      HCL_KEY_SECRET: "${APPSCAN_KEY_SECRET}"
      HCL_APP_ID: "${APPSCAN_APP_ID}"
    params:
      HCL_SCAN_TYPE:
        mandatory: true
        type: string
        base: string
      HCL_SCAN_TARGET:
        mandatory: false
        type: string
        base: string

How It Works

  1. Authenticates with the AppScan Cloud API at https://cloud.appscan.com/api/v2/
  2. Either creates a new scan or re-executes an existing one by HCL_SCAN_ID
  3. For new DAST scans: creates a scan targeting the specified URL
  4. For new SAST scans: creates a scan for the specified FileId
  5. Polls scan status until completion
  6. Generates an XML report and downloads it
  7. Parses the XML through AppScanPlugin and outputs Faraday JSON

Notes

  • Use HCL_SCAN_ID to re-execute an existing scan with its previous configuration
  • Without HCL_SCAN_ID, both HCL_SCAN_TYPE and HCL_SCAN_TARGET are required
  • The API endpoint is hardcoded to https://cloud.appscan.com/api/v2/
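The input rules in the Notes and the polling step from How It Works, as an added example (not the executor's own code): it resolves the executor's environment variables and parameters into either a re-execute or a create request, and polls a caller-supplied status callable until the scan reaches a terminal state or a timeout. The status strings, the `get_status` callable and the `clock`/`sleep` hooks are assumptions for offline use.

```python
"""Added example, not the appscan.py executor itself: argument resolution and
scan polling. Status values and the client callable are assumed, not HCL's API."""
import time
from datetime import datetime, timezone

SCAN_TYPES = {"DAST", "SAST"}
TERMINAL_STATES = {"Ready", "Failed", "Canceled"}  # assumed status values


def resolve_scan_request(env, params):
    """Apply the page's rules: HCL_SCAN_ID alone re-executes an existing scan;
    otherwise HCL_SCAN_TYPE and HCL_SCAN_TARGET are both required."""
    missing = [k for k in ("HCL_KEY_ID", "HCL_KEY_SECRET", "HCL_APP_ID") if not env.get(k)]
    if missing:
        # Report names only; never echo HCL_KEY_SECRET into logs or output.
        raise ValueError(f"missing environment variables: {', '.join(missing)}")
    scan_id = params.get("HCL_SCAN_ID")
    if scan_id:
        return {"action": "reexecute", "scan_id": scan_id, "app_id": env["HCL_APP_ID"]}
    scan_type = (params.get("HCL_SCAN_TYPE") or "").upper()
    target = params.get("HCL_SCAN_TARGET")
    if scan_type not in SCAN_TYPES:
        raise ValueError("HCL_SCAN_TYPE must be DAST or SAST")
    if not target:
        raise ValueError("HCL_SCAN_TARGET is required when HCL_SCAN_ID is not provided")
    # Default display name is timestamp-based, as the parameter table states.
    name = params.get("HCL_SCAN_NAME") or datetime.now(timezone.utc).strftime("faraday-%Y%m%d-%H%M%S")
    key = "url" if scan_type == "DAST" else "file_id"  # DAST takes a URL, SAST a FileId
    return {"action": "create", "scan_type": scan_type, key: target, "name": name, "app_id": env["HCL_APP_ID"]}


def wait_for_completion(get_status, scan_id, timeout=3600, interval=30,
                        clock=time.monotonic, sleep=time.sleep):
    """Poll get_status(scan_id) until a terminal state or until `timeout` seconds
    pass. get_status is caller-supplied (e.g. a wrapper around the REST call)."""
    deadline = clock() + timeout
    while True:
        status = get_status(scan_id)
        if status in TERMINAL_STATES:
            return status
        if clock() >= deadline:
            raise TimeoutError(f"scan {scan_id} still {status!r} after {timeout}s")
        sleep(interval)
```

A bounded timeout matters here: an executor that polls forever on a scan stuck in a non-terminal state ties up the Faraday agent indefinitely.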