All integrations
DASTSAST

HCL AppScan on Cloud integration

AppScan on Cloud (ASoC) is HCL’s SaaS AppScan platform. Centraleyezer connects with an ASoC API key and imports open issues per application — as two sources, one for DAST and one for SAST. DAST findings arrive with full HTTP request/response evidence; SAST findings carry the source file, line and the complete call trace with best-fix-point markers. An ASoC XML report template is also available for file-based imports.

Scan types imported

  • Dynamic web application testing (DAST)
  • Static source code analysis (SAST)

File import

XML (ASoC report)

Upload the AppScan on Cloud XML report export using the ASoC template — resolved the same way as AppScan Standard reports, with remediation text taken from the report’s remediation groups.

What Centraleyezer expects in the file

  • The ASoC XML report with its issue, issue-type, remediation and article groups intact.
  • Per issue: issue type, CWE, CVE, cause description, remediation, affected URL and severity (1–3).

API connection

Create an API key in ASoC and configure two sources against cloud.appscan.com: AppScanCloud (DAST) and AppScanCloud-SAST. DAST maps each web asset to an ASoC application by URL; SAST maps each asset to an application by name. Centraleyezer pages through all open issues of the matched application, filtered by discovery method.

Configuration

Hostname
cloud.appscan.com (the ASoC service; EU tenants are handled via the regional path automatically).
API Key ID
The ASoC API key identifier (entered in the username field).
API Key Secret
The ASoC API key secret (entered in the password field). Centraleyezer logs in via /api/v4/Account/ApiKeyLogin and uses the returned bearer token.
Application mapping
DAST: the asset’s URL must match the ASoC application URL. SAST: the asset name must match the ASoC application name.
Proxy (optional)
HTTP proxy host:port plus optional proxy credentials.

Where to get the credentials

Generate the API key in AppScan on Cloud under Settings → API — you receive a Key ID and Key Secret pair. The key inherits your account’s access to applications.

What gets imported on every run

  • All open issues of the application, filtered by discovery method (DAST or SAST), paged 1,000 at a time.
  • Per issue: issue type, severity (Informational → Critical), CVE, CVSS, CWE and location.
  • DAST: the raw test HTTP request and response, cleaned of AppScan’s highlight markers.
  • SAST: source file, line, and the full call trace rendered with Source/Sink and Best Fix Point markers.
  • Issue-type security articles are parsed into the finding’s description and fix recommendation.

How imported findings are risk-scored

Every HCL AppScan on Cloud finding is normalised into Centraleyezer’s risk model on import: the scanner’s native severity scale maps to a configurable DREAD vector (Damage, Reproducibility, Exploitability, Affected users, Discoverability), which combines with asset criticality, network exposure, exploitability intelligence and the platform’s other risk factors to produce one comparable risk score across every scanner you run. CVE, CVSS and CWE metadata are preserved on the finding for reference and reporting, and duplicate findings from repeated imports are automatically correlated instead of creating noise.

See the HCL AppScan on Cloud integration live

Book a demo and we’ll connect your HCL AppScan on Cloud data and walk through risk-based prioritisation on your own findings.

HCL AppScan on Cloud Integration — Setup & Imported Scan Types