Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)
HCL AppScan Enterprise DAST/API Integration
HCL AppScan Enterprise is an enterprise-scale DAST platform for managing and scaling web application security testing across large organizations. This integration allows Invicti AppSec to trigger scans in AppScan Enterprise and import vulnerability findings.
Prerequisites
| Field | Description |
|---|---|
| AppScan Enterprise URL | The base URL of your AppScan Enterprise instance (e.g., https://appscan.your-company.com) |
| Username | The AppScan Enterprise service account username |
| Password | The AppScan Enterprise service account password |
Get Credentials (on HCL AppScan Enterprise Side)
- Contact your AppScan Enterprise administrator to create a dedicated service account.
- The administrator navigates to Administration > Users in the AppScan Enterprise console.
- A new user account is created with at minimum the Scanner or AppScan Author role.
- Use the username and password for this service account in the integration.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.

Step 2: Select the DAST/API Tab
On the Integrations > Scanners page, click on the DAST/API tab.

Step 3: Find and Activate HCL AppScan Enterprise
Locate the HCL AppScan Enterprise card. Click the toggle or Activate button to enable it.
Step 4: Configure Connection Settings
Click the gear icon on the HCL AppScan Enterprise card to open the settings panel. Fill in the following fields:
| Field | Description |
|---|---|
| URL | Your AppScan Enterprise base URL |
| Username | Service account username |
| Password | Service account password |

Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms that Invicti AppSec can authenticate with AppScan Enterprise.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the DAST/API tab |
| 3 | Activate HCL AppScan Enterprise |
| 4 | Enter URL, Username, and Password |
| 5 | Test the connection |
Create a Scan
Navigate to Project Scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add HCL AppScan Enterprise Scanner
- Select DAST/API as the scanner type.
- Choose HCL AppScan Enterprise from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan | No |
| Application | AppScan Enterprise application to scan | Yes |
| Scan Name | Name for this scan | Yes |
| Branch | Source code branch associated with this scan | No |
| Meta Data | Additional metadata for the scan | No |
| Scan Tag | Tag to identify the scan | No |

Scheduler
Enable the Scheduler toggle to run scans on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive notifications when the scan completes.
KDT Command
```
kdt scan -p <project_name> -t appscanenterprise -b <branch_name>
```
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid credentials | Verify the username and password with your AppScan Enterprise administrator |
| Wrong URL | Confirm the AppScan Enterprise server URL and path are correct |
| SSL/TLS errors | Ensure the AppScan Enterprise server certificate is valid and trusted |
| Firewall block | Open the required ports (typically 443 or 9443) between Invicti AppSec and AppScan Enterprise |
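To tell the URL, firewall and SSL/TLS rows above apart before re-checking credentials, a preflight script like the following can help. It is an added example, not code from Invicti or HCL. It performs only a DNS lookup, a TCP connect and a verified TLS handshake, and makes no AppScan Enterprise API calls. The function name `preflight` and its stage labels are hypothetical.

```python
import socket
import ssl
from urllib.parse import urlsplit

def preflight(base_url, timeout=5.0):
    """Return (stage, detail); stage is 'ok' or the first check that failed."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        return ("url", "expected an https:// base URL with a host name")
    host, port = parts.hostname, parts.port or 443

    # Wrong URL: the host name does not resolve at all.
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", f"cannot resolve {host}: {exc}")

    # Firewall block: the TCP connection is refused or times out.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("network", f"cannot reach {host}:{port}: {exc}")

    # SSL/TLS errors: verify the chain and host name against the system
    # trust store, as a default client would (verification is never disabled).
    context = ssl.create_default_context()
    try:
        with raw, context.wrap_socket(raw, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
            return ("ok", f"{tls.version()}, certificate valid until {not_after}")
    except ssl.SSLCertVerificationError as exc:
        return ("tls", f"certificate rejected: {exc.verify_message}")
    except (ssl.SSLError, OSError) as exc:
        return ("tls", f"handshake failed: {exc}")

if __name__ == "__main__":
    # Placeholder host from the Prerequisites table; replace with your own.
    print(preflight("https://appscan.your-company.com"))
```

For an on-premise deployment, run it from the Invicti AppSec host so the result reflects that host's network path and trust store.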
Scan Issues
| Issue | Resolution |
|---|---|
| No applications listed | Ensure the service account has access to the target applications in AppScan Enterprise |
| Scan failed to start | Verify that the AppScan Enterprise scan engine is running and that scan agents are available |
| Results not imported | Check that the scan job completed in AppScan Enterprise and reports are generated |
| Access denied | The service account requires at minimum the AppScan Author role for scan creation |
Best Practices
- Create a dedicated service account in AppScan Enterprise with only the required permissions.
- Use role-based access control to limit the service account's scope to specific applications.
- Rotate the service account password regularly and update the integration settings immediately after each change.
- Use HTTPS with a valid certificate for the AppScan Enterprise deployment.
- Align scan templates with your security policy requirements before triggering scans from Invicti AppSec.
Limitations
- AppScan Enterprise must be network-accessible from the Invicti AppSec host.
- Concurrent scan capacity depends on the number of AppScan Enterprise agents licensed.
- Scan template configuration must be done directly within AppScan Enterprise.
- Username/password authentication is required; token-based authentication is not supported for this integration.