Finding and remediating vulnerabilities in source code is an essential part of developing secure software. For many developers worldwide, the popular GitHub source control management system has become similarly essential in speeding up the development life cycle. Now HCL AppScan has two GitHub actions that can help you find and fix vulnerabilities in your source code — all without slowing your GitHub workflow.

Find code vulnerabilities before they reach the main branch of the repository

The HCL AppScan CodeSweep GitHub Action is triggered whenever a developer opens or updates a pull request in GitHub. The action only scans the code that the developer has modified or added in that request. This allows the developer to focus on finding and fixing only the vulnerabilities that they would be introducing with the new or modified code, rather than looking at the results from scanning the entire application.

Once the CodeSweep GitHub Action is triggered, the scan results are shown to the developer in several parts of the GitHub web user interface (UI).

  • In the “checks” on the main page of the pull request (users can specify the status of the checks when issues are found):
    [Screenshot: add merging rule]
  • Alongside the vulnerable code in the diff view:
    [Screenshot: AppScan CodeSweep annotation]
  • In the “checks” view:
    [Screenshot: AppScan CodeSweep check]
  • Additionally, remediation information including sample code is provided:
    [Screenshot: session management cookies remediation]

All of this information helps the developer—and those doing the pull request reviews—to understand the possible vulnerabilities introduced by the code changes. It also educates them on secure coding practices for the future.

Use AppScan on Cloud to scan for vulnerabilities in the repository

Once a pull request has been merged, the new code is added into the main branch of the repository alongside existing application code. For further security testing, the HCL AppScan SAST GitHub Action can be used to scan all code in the repository, and can be triggered by any event that the user chooses. It can also be included in a scheduled workflow, so the entire repository is scanned nightly, weekly, or at any other time interval.

Whereas the previous CodeSweep Action is free to use, this SAST Action requires an AppScan on Cloud account to view the results. Each run of the action includes a direct link in AppScan on Cloud to the scan that was run.

[Screenshot: asoc service log output]

The snippet above is an example of the log output the GitHub user will see after running a scan. By default, the action will complete once the scan is submitted, but the user can wait for analysis to complete — so they can base the pass/fail of the action on whether any security issues were found.
