README.md

HCL AppScan Cloud CLI 📝

The HCL AppScan command line utility (CLI) is designed to streamline security testing with AppScan on Cloud or AppScan 360°. This tool can be integrated into any CI/CD platform or used independently.

Prerequisites 🚀

  • HCL AppScan on Cloud account or HCL AppScan 360° account.
  • An API key and secret for AppScan on Cloud or AppScan 360° authentication. To generate an API key and secret for AppScan on Cloud, see Generating API Keys. To generate an API key and secret for AppScan 360°, see Generating API Keys.
  • An AppScan on Cloud application or an AppScan 360° application.
  • A target URL for dynamic scanning.
  • Access to appscan-cloud-cli hosted on Maven Central.
  • Java 11 or later.

CLI Commands

getapplications

Returns a list of application IDs from AppScan on Cloud.

Usage:  getapplications [-hV] --key=<key> --secret=<secret> [COMMAND]

  -h, --help              Show this help message and exit.
  -V, --version           Print version information and exit.
      --key=<key>         [Required] Appscan on Cloud or AppScan 360° API Key
      --secret=<secret>   [Required] Appscan on Cloud or AppScan 360° API Secret
      --serviceUrl=<serviceUrl> [Optional] AppScan Service URL
      --acceptssl=BOOLEAN   [Optional] Ignore untrusted certificates when connecting to AppScan 360°. Only intended for testing purposes. Not applicable to AppScan on Cloud.
                              Default: false
Commands:
  help : Display help information about the specified command

Examples:
For AppScan on Cloud:
java -jar appscan-cloud-cli-1.2.0.jar getapplications --key=<your_api_key> --secret=<your_api_secret>

For AppScan 360°:
java -jar appscan-cloud-cli-1.2.0.jar getapplications --key=<your_api_key> --secret=<your_api_secret> --serviceUrl=<AppScan 360° URL> --acceptssl=false

invokedynamicscan

Configures and initiates a dynamic analysis (DAST) scan on AppScan on Cloud or AppScan 360°, and returns the scan results. The CLI reports whether the scan passes or fails according to the failure criteria given as command options (see the failbuildif subcommand below). When the scan is complete, the scan report and the scan log zip file are downloaded to the AppScanReports folder. Scan results include the list of identified vulnerabilities, the detailed analysis report, and the affected URLs.

Usage:  invokedynamicscan [-hV] [--allowIntervention]
                                 [--emailNotification]
                                 [--failBuildNonCompliance] [--waitForResults]
                                 --appId=<appId> --key=<key>
                                 [--loginPassword=<loginPassword>]
                                 [--loginType=<loginType>]
                                 [--loginUser=<loginUser>]
                                 [--optimization=<optimization>]
                                 [--presenceId=<presenceId>]
                                 [--reportFormat=<reportFormat>]
                                 [--scanFile=<scanFile>] --scanName=<scanName>
                                 [--scanType=<scanType>] --secret=<secret>
                                 [--serviceUrl=<serviceUrl>]
                                 [--acceptssl=BOOLEAN]
                                 --target=<target>
                                 [--trafficFile / --loginSequenceFile=<loginSequenceFile>] [COMMAND]

Options:
  -h, --help                Show this help message and exit.
  -V, --version             Print version information and exit.
      --key=<key>           [Required] Appscan on Cloud API Key
      --secret=<secret>     [Required] Appscan on Cloud API Secret
      --appId=<appId>       [Required] The HCL AppScan on Cloud application
                              that this scan will be associated with
      --scanName=<scanName> [Required] Specify a name to use for the scan. This
                              value is used to distinguish this scan and its
                              results from others.
      --target=<target>     [Required] Enter the URL from where you want the
                              scan to start exploring the site.
      --scanType=<scanType> [Optional] Mention whether your site is a Staging
                              site (under development) or a Production site
                              (live and in use). Valid values : Production,
                              Staging
                              Default: Production
      --optimization=<optimization>
                            [Optional] You can reduce scan time by choosing a
                              balance between speed and issue coverage. Valid
                              values : Fast, Faster, Fastest, NoOptimization
                              Default: fast
      --emailNotification   [Optional] Send the user an email when analysis is
                              complete. Valid values : true , false
                              Default: false
      --reportFormat=<reportFormat>
                            [Optional] Specify format for the scan result
                              report. Valid values : html, pdf, csv, xml.
                              Default: html
      --allowIntervention   [Optional] When set to true, our scan enablement
                              team will step in if the scan fails, or if no
                              issues are found, and try to fix the
                              configuration. This may delay the scan result. 
                              This option is valid only for AppScan on Cloud
                              scans.
                              Default: false
      --presenceId=<presenceId>
                            [Optional] For sites not available on the internet,
                              provide the ID of the AppScan Presence that can
                              be used for the scan.
      --waitForResults      [Optional] Suspend the job until the security
                              analysis results are available.
                              Default: true
      --failBuildNonCompliance
                            [Optional] Fail the job if one or more issues are
                              found which are non compliant with respect to the
                              selected application's policies.
                              Default: false
      --scanFile=<scanFile> [Optional] The path to a scan template file (.scan
                              or .scant).
                              Default: null
      --loginType=<loginType>
                            [Optional] Which Login method do you want to use?
                              Type None if login not required. Type Automatic
                              if you want to provide loginUser and password.
                              Type Manual if you want to specify Login Sequence
                              File. Valid values : None, Automatic, Manual
                              Default: None
      --loginUser=<loginUser>
                            [Optional] If your app requires login, enter valid
                              user credentials so that Application Security on
                              Cloud can log in to the site.
      --loginPassword=<loginPassword>
                            [Optional] If your app requires login, enter valid
                              user credentials so that Application Security on
                              Cloud can log in to the site.
      --trafficFile, --loginSequenceFile=<loginSequenceFile>
                            [Optional] Provide a path to the login sequence
                              file data. Supported file type: CONFIG: AppScan
                              Activity Recorder file.
                              Default: null
      --serviceUrl=<serviceUrl>
                            [Optional] AppScan Service URL
      --acceptssl=BOOLEAN   [Optional] Ignore untrusted certificates when
                              connecting to AppScan 360°. Only intended for
                              testing purposes. Not applicable to AppScan on
                              Cloud.
                              Default: false
Examples:
For AppScan on Cloud:

java -jar appscan-cloud-cli-1.2.0.jar invokedynamicscan --key=<your_api_key> --secret=<your_api_secret> \
  --appId=<your_asoc_app_id> --scanName=test_scan --target=https://demo.testfire.net

For AppScan 360°:

java -jar appscan-cloud-cli-1.2.0.jar invokedynamicscan --key=<your_api_key> --secret=<your_api_secret> \
  --appId=<your_appscan360_app_id> --scanName=test_scan --target=https://demo.testfire.net --serviceUrl=<AppScan 360° URL> --acceptssl=false

Commands:
  help         Display help information about the specified command.
  failbuildif  [Optional] A list of conditions that will fail the build. These
                 conditions are logically "OR"'d together, so if one of the
                 conditions is met, the build will fail.

 Usage:  invokedynamicscan failbuildif [-ci=<arg4>] [-hi=<arg1>] [-li=<arg3>] [-mi=<arg2>] [-ti=<arg0>]

 Options:
   -ci, --criticalissuesgt=<arg4>   Fail build if critical sev issues greater than <arg4>
   -hi, --highissuesgt=<arg1>       Fail build if high sev issues greater than <arg1>
   -li, --lowissuesgt=<arg3>        Fail build if low sev issues greater than <arg3>
   -mi, --medissuesgt=<arg2>        Fail build if medium sev issues greater than <arg2>
   -ti, --totalissuesgt=<arg0>      Fail build if total issues are greater than <arg0>

Examples:
For AppScan on Cloud:

java -jar appscan-cloud-cli-1.2.0.jar invokedynamicscan --key=<your_api_key> --secret=<your_api_secret> \
  --appId=<your_asoc_app_id> --scanName=test_scan --target=https://demo.testfire.net \
  failbuildif --highissuesgt 5 --criticalissuesgt 0 --medissuesgt 10 --lowissuesgt 10

For AppScan 360°:

java -jar appscan-cloud-cli-1.2.0.jar invokedynamicscan --key=<your_api_key> --secret=<your_api_secret> \
  --appId=<your_appscan360_app_id> --scanName=test_scan --target=https://demo.testfire.net --serviceUrl=<AppScan 360° URL> --acceptssl=false \
  failbuildif --highissuesgt 5 --criticalissuesgt 0 --medissuesgt 10 --lowissuesgt 10
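One way to wire invokedynamicscan and its failbuildif thresholds into a CI job, as an added example that is not part of the appscan-cloud-cli project. The environment variable names (APPSCAN_KEY, APPSCAN_SECRET, APPSCAN_CLI_JAR, MAX_*), the function names and the threshold defaults are assumptions; the CLI flags are the ones documented above.

```shell
#!/bin/sh
# Added example, not part of the appscan-cloud-cli project: assemble the
# invokedynamicscan command line for a CI job and gate the job on failbuildif.
# Assumed (not from the README): APPSCAN_KEY, APPSCAN_SECRET, APPSCAN_CLI_JAR
# and the MAX_* issue-count limits are environment variables set by the job.
set -eu

# Wrap a scan name in double quotes when it contains anything other than
# letters, digits, underscore, dot or dash (see the Note on special characters).
quote_scan_name() {
  case "$1" in
    *[!A-Za-z0-9_.-]*) printf '"%s"' "$1" ;;
    *)                 printf '%s' "$1" ;;
  esac
}

# Accept only an http(s) URL as the scan target, so a malformed value (for
# instance an accidental "--target==https://...") never reaches the CLI.
check_target() {
  case "$1" in
    http://*|https://*) return 0 ;;
    *) printf 'invalid target URL: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Print the complete command. Args: appId scanName target [serviceUrl]
# A non-empty serviceUrl selects AppScan 360°; certificate checking stays on.
build_scan_cmd() {
  app_id="$1"; scan_name="$2"; target="$3"; service_url="${4:-}"
  check_target "$target" || return 1
  cmd="java -jar ${APPSCAN_CLI_JAR:-appscan-cloud-cli-1.2.0.jar} invokedynamicscan"
  cmd="$cmd --key=${APPSCAN_KEY:?set APPSCAN_KEY} --secret=${APPSCAN_SECRET:?set APPSCAN_SECRET}"
  cmd="$cmd --appId=$app_id --scanName=$(quote_scan_name "$scan_name") --target=$target"
  cmd="$cmd --reportFormat=xml --failBuildNonCompliance"
  if [ -n "$service_url" ]; then
    cmd="$cmd --serviceUrl=$service_url --acceptssl=false"
  fi
  # Thresholds are OR'd by the CLI: exceeding any one of them fails the job.
  cmd="$cmd failbuildif --criticalissuesgt ${MAX_CRITICAL:-0} --highissuesgt ${MAX_HIGH:-0}"
  cmd="$cmd --medissuesgt ${MAX_MEDIUM:-10} --lowissuesgt ${MAX_LOW:-50}"
  printf '%s\n' "$cmd"
}

# Run the scan; the CLI's exit status becomes the job's verdict.
run_scan() {
  cmd="$(build_scan_cmd "$@")"
  eval "$cmd" || { printf 'AppScan thresholds or policy exceeded: failing job\n' >&2; return 1; }
}
```

Call run_scan <appId> <scanName> <target> [serviceUrl] from the job step; the report lands in the AppScanReports folder as described above.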

getpresenceids

Returns a list of presence IDs from AppScan on Cloud.

Usage:  getpresenceids [-hV] --key=<key> --secret=<secret> [COMMAND]
Get list of presence id's from Appscan on Cloud
  -h, --help              Show this help message and exit.
  -V, --version           Print version information and exit.
      --key=<key>         [Required] Appscan on Cloud API Key
      --secret=<secret>   [Required] Appscan on Cloud API Secret
Examples:
java -jar appscan-cloud-cli-1.2.0.jar getpresenceids --key=<your_api_key> --secret=<your_api_secret>

help

Display help information about the specified command.

Note

If a scanName contains special characters, enclose the scanName in double quotes. For example: --scanName="Test Rel" or --scanName="Test>Rel".

License

All files in this project are licensed under Apache License 2.0.