HCL AppScan on Cloud integration
AppScan on Cloud (ASoC) is HCL’s SaaS AppScan platform. Centraleyezer connects with an ASoC API key and imports open issues per application — as two sources, one for DAST and one for SAST. DAST findings arrive with full HTTP request/response evidence; SAST findings carry the source file, line and the complete call trace with best-fix-point markers. An ASoC XML report template is also available for file-based imports.
Scan types imported
- Dynamic web application testing (DAST)
- Static source code analysis (SAST)
File import
Upload the AppScan on Cloud XML report export using the ASoC template — resolved the same way as AppScan Standard reports, with remediation text taken from the report’s remediation groups.
What Centraleyezer expects in the file
- The ASoC XML report with its issue, issue-type, remediation and article groups intact.
- Per issue: issue type, CWE, CVE, cause description, remediation, affected URL and severity (1–3).
API connection
Create an API key in ASoC and configure two sources against cloud.appscan.com: AppScanCloud (DAST) and AppScanCloud-SAST. DAST maps each web asset to an ASoC application by URL; SAST maps each asset to an application by name. Centraleyezer pages through all open issues of the matched application, filtered by discovery method.
Configuration
Where to get the credentials
Generate the API key in AppScan on Cloud under Settings → API — you receive a Key ID and Key Secret pair. The key inherits your account’s access to applications.
What gets imported on every run
- All open issues of the application, filtered by discovery method (DAST or SAST), paged 1,000 at a time.
- Per issue: issue type, severity (Informational → Critical), CVE, CVSS, CWE and location.
- DAST: the raw test HTTP request and response, cleaned of AppScan’s highlight markers.
- SAST: source file, line, and the full call trace rendered with Source/Sink and Best Fix Point markers.
- Issue-type security articles are parsed into the finding’s description and fix recommendation.
How imported findings are risk-scored
Every HCL AppScan on Cloud finding is normalised into Centraleyezer’s risk model on import: the scanner’s native severity scale maps to a configurable DREAD vector (Damage, Reproducibility, Exploitability, Affected users, Discoverability), which combines with asset criticality, network exposure, exploitability intelligence and the platform’s other risk factors to produce one comparable risk score across every scanner you run. CVE, CVSS and CWE metadata are preserved on the finding for reference and reporting, and duplicate findings from repeated imports are automatically correlated instead of creating noise.
Related integrations
HCL AppScan Standard
Import HCL AppScan Standard DAST results into Centraleyezer via the scanner’s XML report export — issue types, severities, CWE/CVE and HTTP evidence.
HCL AppScan 360
Connect your self-managed HCL AppScan 360 deployment — same API-key integration as AppScan on Cloud, pointed at your own AppScan 360 hostname.