{"id":23624878,"url":"https://github.com/hcl-tech-software/appscan-dast-action","last_synced_at":"2025-10-07T07:30:05.672Z","repository":{"id":155627026,"uuid":"630845948","full_name":"HCL-TECH-SOFTWARE/appscan-dast-action","owner":"HCL-TECH-SOFTWARE","description":"A GitHub Action for running DAST scans in AppScan on Cloud","archived":false,"fork":false,"pushed_at":"2025-05-02T13:59:57.000Z","size":1551,"stargazers_count":3,"open_issues_count":0,"forks_count":3,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-10-02T07:29:47.988Z","etag":null,"topics":["application-security","appscan","dast","dynamic-analysis","hcl","security","security-automation","security-tools"],"latest_commit_sha":null,"homepage":"https://cloud.appscan.com","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/HCL-TECH-SOFTWARE.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-04-21T09:31:36.000Z","updated_at":"2025-05-02T13:59:56.000Z","dependencies_parsed_at":null,"dependency_job_id":"86529651-7d5f-4906-bc4d-1147df37985a","html_url":"https://github.com/HCL-TECH-SOFTWARE/appscan-dast-action","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/HCL-TECH-SOFTWARE/appscan-dast-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HCL-TECH-SOFTWARE%2Fappscan-dast-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HCL-TECH-SOFTWARE%2Fappscan-dast-action/tags","releases_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HCL-TECH-SOFTWARE%2Fappscan-dast-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HCL-TECH-SOFTWARE%2Fappscan-dast-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HCL-TECH-SOFTWARE","download_url":"https://codeload.github.com/HCL-TECH-SOFTWARE/appscan-dast-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HCL-TECH-SOFTWARE%2Fappscan-dast-action/sbom","scorecard":{"id":60292,"data":{"date":"2025-08-11","repo":{"name":"github.com/HCL-TECH-SOFTWARE/appscan-dast-action","commit":"dea44da4ec0055357a94abc481265fa66e5f39a9"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.5,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens 
found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: containerImage not pinned by hash: dockerfile:1: pin your Docker image by updating registry.access.redhat.com/ubi8/ubi-minimal:latest to registry.access.redhat.com/ubi8/ubi-minimal:latest@sha256:af9b4a20cf942aa5bce236fedfefde887a7d89eb7c69f727bd0af9f5c80504ab","Info:   0 out of   1 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing 
vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-15T01:33:09.127Z","repository_id":155627026,"created_at":"2025-08-15T01:33:09.127Z","updated_at":"2025-08-15T01:33:09.127Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278739996,"owners_count":26037476,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-07T02:00:06.786Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["application-security","appscan","dast","dynamic-analysis","hcl","security","security-automation","security-tools"],"created_at":"2024-12-27T21:16:58.027Z","updated_at":"2025-10-07T07:30:05.664Z","avatar_url":"https://github.com/HCL-TECH-SOFTWARE.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# HCL AppScan DAST Github Action\nYour code is better and 
more secure with HCL AppScan.\n\nThe HCL AppScan DAST Github Action enables you to run dynamic analysis security testing (DAST) against your application. The DAST scan identifies security vulnerabilities in your code and stores the results in AppScan on Cloud.\n\nDemo Video:\n\nhttps://www.youtube.com/watch?v=D9qGgnhM3ic\n\n# Notable Features\n\n## 1. Ephemeral Presence\nWhen this optional feature is enabled, a temporary instance of [AppScan Presence](https://help.hcltechsw.com/appscan/ASoC/Presence1.html) is deployed within the runner. This AppScan Presence instance is used for conducting the DAST scan. Once the scan is complete, the instance is automatically deleted from AppScan on Cloud.\n\n![Ephemeral Presence drawio](https://user-images.githubusercontent.com/5158535/231660384-557c6567-d513-40d8-8978-469eb5dd2ecc.png)\n\nThis feature is useful for running a DAST scan against a temporary instance of your web application that is itself deployed within the runner and may not be accessible from other locations. To turn on this feature, simply set ephemeral_presence = true.\n\n## 2. Auto Scan Cancellation\nIf a user cancels an action workflow midway through a DAST scan, this action will also automatically cancel the same scan in AppScan on Cloud, thereby freeing up your scan queues.\n\n![image](https://user-images.githubusercontent.com/5158535/226275969-d25b1a78-cf8a-4303-89c5-b0f17a051602.png)\n\n![image](https://user-images.githubusercontent.com/5158535/226275988-599c03d6-aac5-4e16-b6a0-22b77ef92d86.png)\n\n## 3. 
Auto embed of GitHub SHA in AppScan on Cloud reports\nThe GitHub SHA associated with the action run is embedded in AppScan on Cloud in the following locations:\n- Scan name (only if scan_name is not set in the configuration)\n- Issue comment\n- Generated report, under the notes section\n\n![image](https://user-images.githubusercontent.com/5158535/226276591-eefa3218-e40b-4937-a7bc-98aa420b0979.png)\n\n## 4. Issue count by severity overview\nIssue counts by severity are displayed in the GitHub workflow logs.\n\n![image](https://user-images.githubusercontent.com/5158535/226276267-81f43cfd-2d46-4d96-b5c3-4432e250d8d8.png)\n\n## 5. Auto download of scan result into scan artifacts\nThe scan report (.html) is automatically generated and sent to the GitHub workflow overview page as a scan artifact.\n\n![image](https://user-images.githubusercontent.com/5158535/226276115-9fb28cc3-535e-4698-8309-c8056b79ad91.png)\n\n# Usage\n## Register\nIf you don't have an account, register on [HCL AppScan on Cloud (ASoC)](https://cloud.appscan.com/) to generate your API key and API secret.\n\n## Setup\n1. Generate your API key and API secret on [the API page](https://cloud.appscan.com/main/apikey).\n- The API key and API secret map to the `asoc_key` and `asoc_secret` parameters for this action. Store the API key and API secret as [secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) in your repository.\n![adingkeys_animation](img/keyAndSecret.gif)\n2. Create the application in ASoC.\n- The application ID in ASoC maps to the `application_id` parameter for this action.\n\n# Required Inputs\n| Name |   Description    |\n|    :---    |    :---    |\n| asoc_key | Your API key from [the API page](https://cloud.appscan.com/main/apikey) |\n| asoc_secret | Your API secret from [the API page](https://cloud.appscan.com/main/apikey) |\n| application_id | The ID of the application in ASoC. 
|\n\n# Optional Inputs\n| Name                                   | Description | Default Value                          | Available options |\n|:---------------------------------------|    :---    |:---------------------------------------|    :---    |\n| scan_name                              | The name of the scan created in ASoC. | The GitHub repository name + GitHub SHA | |\n| dynamic_scan_type                      | Choose between dast or upload. dast requires you to specify a starting URL and login method, while upload only requires you to specify a .scan or .scant file. | dast                                   | dast, upload |\n| scan_or_scant_file                     | (applicable only if **dynamic_scan_type** = upload) Provide the path to the .scan or .scant file here. |                                        | |\n| starting_URL                           | (applicable only if **dynamic_scan_type** = dast) The starting URL of the DAST scan. | https://demo.testfire.net?mode=demo    | |\n| optimization                           | Level of test optimization. | Fast                                   | NoOptimization, Fast, Faster, Fastest |\n| network                                | Set the type of network. If this is set to private, you must have an AppScan Presence created in advance. | public                                 | public, private |\n| presence_id                            | (applicable only if **network** = private) The ID of the existing AppScan Presence to use for the scan. | | |\n| login_method                           | (applicable only if **dynamic_scan_type** = dast) Login method of the scan. none: no authentication required for the application; userpass: basic username/password authentication; recorded: you will provide a recorded login sequence dast.config file. | none                                   | none, userpass, recorded |\n| login_user                             | (applicable only if **login_method** = userpass) The username used for logging into the application. | | |\n| 
login_password                         | (applicable only if **login_method** = userpass) The password used for logging into the application. | | |\n| login_sequence_file                    | (applicable only if **login_method** = recorded) Provide a path to the login traffic file. Supported file type: DAST.CONFIG (AppScan Activity Recorder file). | | |\n| email_notification                     | Send an email notification upon scan completion. | false                                  | true, false |\n| personal_scan                          | Make this a [personal scan](https://help.hcltechsw.com/appscan/ASoC/appseccloud_scans_personal.html). | false                                  | true, false |\n| wait_for_analysis                      | If set to true, the job will suspend and wait until the DAST scan is complete before finishing. | true                                   | true, false |\n| wait_for_analysis_timeout_minutes      | (applicable only if **wait_for_analysis** = true) Maximum duration in minutes before the job stops waiting and proceeds to complete. The default is 360 (6 hours). | 360                                    | |\n| fail_for_noncompliance                 | If set to true, fail the job if any non-compliant issues are found in the scan. | false                                  | true, false |\n| fail_by_severity                       | If set to true, **failure_threshold** must also be set. This will fail the job if any issues equal to or higher (more severe) than **failure_threshold** are found in the scan. | false                                  | true, false |\n| failure_threshold                      | (applicable only if **fail_by_severity** = true) Set the severity level that indicates a failure. Lesser severities will not be considered a failure. For example, if **failure_threshold** is set to Medium, Informational and/or Low severity issues will not cause a failure. 
Medium, High, and/or Critical issues will cause a failure.| High                                   |Informational, Low, Medium, High, Critical|\n| ephemeral_presence                     | If set to true, a temp instance of AppScan Presence will be deployed in the runner and will be used for the scan. When enabled, this will force **wait_for_analysis** to true and **network** to private regardless of user settings                                                                                                      | false                                  | true, false                              |\n\n# Example 1 - DAST scan with basic username and password login method, using the public network\n```yaml\nname: \"HCL AppScan DAST - basic\"\non:\n  workflow_dispatch\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n      - name: Run ASoC DAST Scan\n        uses: HCL-TECH-SOFTWARE/appscan-dast-action@v1.0.7\n        with:\n          baseurl:  https://cloud.appscan.com\n          asoc_key: ${{secrets.ASOC_KEY}}\n          asoc_secret: ${{secrets.ASOC_SECRET}}\n          application_id: acd3ef50-6276-461d-8514-abc6e7113577\n          dynamic_scan_type: dast\n          starting_URL: 'https://demo.testfire.net?mode=demo'\n          login_method: userpass\n          login_user: jsmith\n          login_password: demo1234\n          network: public\n          fail_for_noncompliance: false\n          wait_for_analysis: true\n      - uses: actions/upload-artifact@v4\n        name: Upload HCL AppScan HTML Report to Github Artifacts\n        with:\n          name: AppScan Security Scan HTML Report \n          path: '**/AppScan*.html'\n        if: success() || failure()\n```\n\n# Example 2 - DAST scan using a .scant template file with private network through appscan presence\n```yaml\nname: \"HCL AppScan DAST - scan template\"\non:\n  workflow_dispatch\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - 
name: Checkout\n        uses: actions/checkout@v4\n      - name: Run ASoC DAST Scan\n        uses: HCL-TECH-SOFTWARE/appscan-dast-action@v1.0.7\n        with:\n          baseurl:  https://cloud.appscan.com\n          asoc_key: ${{secrets.ASOC_KEY}}\n          asoc_secret: ${{secrets.ASOC_SECRET}}\n          application_id: acd3ef50-6276-461d-8514-abc6e7113577\n          dynamic_scan_type: upload\n          scan_or_scant_file: 'altoro.scant'\n          network: private\n          presence_id: f185efda-67bf-ed11-ba76-14cb65723612\n          fail_for_noncompliance: false\n          wait_for_analysis: true\n      - uses: actions/upload-artifact@v4\n        name: Upload HCL AppScan HTML Report to Github Artifacts\n        with:\n          name: AppScan Security Scan HTML Report \n          path: '**/AppScan*.html'\n        if: success() || failure()\n```\n# Example 3 - DAST scan using ephemeral presence\n```yaml\nname: \"HCL AppScan DAST - ephemeral presence\"\non:\n  workflow_dispatch\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n      - name: Run ASoC DAST Scan\n        uses: HCL-TECH-SOFTWARE/appscan-dast-action@v1.0.7\n        \n        with:\n          baseurl:  https://cloud.appscan.com\n          asoc_key: ${{secrets.ASOC_KEY}}\n          asoc_secret: ${{secrets.ASOC_SECRET}}\n          application_id: acd3ef50-6276-461d-8514-abc6e7113577\n          dynamic_scan_type: dast\n          starting_URL: 'https://demo.testfire.net'\n          ephemeral_presence: true\n      - uses: actions/upload-artifact@v4\n        name: Upload HCL AppScan HTML Report to Github Artifacts\n        with:\n          name: AppScan Security Scan HTML Report \n          path: '**/AppScan*.html'\n        if: success() || 
failure()\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhcl-tech-software%2Fappscan-dast-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhcl-tech-software%2Fappscan-dast-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhcl-tech-software%2Fappscan-dast-action/lists"}