For Agents
Launch AppScan SAST, DAST, and SCA scans on registered applications, list issues, and manage asset groups and policies through the v4 REST API.
Get started with AppScan Rest API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"list application security findings"
# → Jentic returns the GET /events tool with parameter schema, agent executes.

What an agent can do with the AppScan Rest API.
Authenticate with an API key through /api/v4/Account/ApiKeyLogin to retrieve a bearer token for subsequent calls
Register and configure target applications via /api/v4/Apps for SAST, DAST, or SCA scanning
Group apps into asset groups for shared policy and reporting via /api/v4/AssetGroups
Apply security and compliance policies to apps through the /api/v4/Apps/{appId}/Policy endpoints
GET STARTED
Use for: I need to launch a DAST scan on an AppScan application, List all applications registered in our AppScan tenant, Retrieve the policy attached to a specific AppScan app, Create a new asset group and assign apps to it
Not supported: Does not handle source-control hosting, runtime error monitoring, or container registry scanning — use for AppScan application security testing operations only.
HCL AppScan on Cloud is a security testing platform for static, dynamic, and software composition analysis. Its v4 REST API exposes the same operations as the AppScan UI plus additional automation hooks: managing application records, launching SAST and DAST scans, exporting issues, and integrating with asset groups and policies. Security teams use it to embed AppScan into CI/CD pipelines and pull issue data into ticketing systems for triage.
Track audit events and tenant-level activity via /api/v4/Audits
Drive AppScan scans from CI pipelines and pull results into issue trackers
Patterns agents use the AppScan Rest API for, with concrete tasks.
★ CI Pipeline Application Security Scans
Wire AppScan into CI/CD so each merge to main triggers a SAST or DAST scan on the relevant application record. The pipeline calls /api/v4/Account/ApiKeyLogin to mint a token, posts to the apps endpoint to create or update the target, and then runs scans through the AppScan v4 endpoints. Findings flow back into the build log so developers see issues alongside test failures.
Authenticate with an API key, create or update an app via /api/v4/Apps, and verify the response returns an application id
Policy and Compliance Management at Scale
Large security programs apply different policies — OWASP Top 10, PCI, internal hardening — to different application portfolios. Use /api/v4/Apps/{appId}/Policy to attach the right policy to each app and /api/v4/AssetGroups to group apps so policy assignment can be done at the group level. This keeps compliance reporting clean as the portfolio grows.
List existing policies, then POST to /api/v4/Apps/{appId}/Policy/{policyId} to attach the OWASP Top 10 policy to a target app
Audit Trail Export to SIEM
Pull tenant audit events from /api/v4/Audits into your SIEM or data lake to track who did what — scans launched, policy changes, user invites — across the AppScan tenant. The /api/v4/Audits/AdditionalData/{auditId} endpoint returns the full payload for each event when an investigation needs detail. This gives security teams a queryable record without screen-scraping the UI.
GET /api/v4/Audits filtered by date, then call /api/v4/Audits/AdditionalData/{auditId} for any high-severity events and push the payload to the SIEM
AI Agent Security Triage via Jentic
An agent searches Jentic for 'list application security findings' and Jentic returns the relevant AppScan apps and audit operations. The agent fetches issues, groups them by severity, and opens tickets in the issue tracker — all without storing the AppScan API key locally because Jentic vaults it. This turns AppScan into a triage-ready tool for security copilots.
Use Jentic to call /api/v4/Account/ApiKeyLogin and then list apps via /api/v4/Apps with a filter for the team's portfolio
158 endpoints — HCL AppScan on Cloud is a security testing platform for static, dynamic, and software composition analysis.
METHOD        PATH                                      DESCRIPTION
POST          /api/v4/Account/ApiKeyLogin               Exchange an API key for a bearer token
GET           /api/v4/Apps                              List registered applications
POST          /api/v4/Apps                              Register a new application
(see spec)    /api/v4/Apps/{id}                         Update an application record
POST          /api/v4/Apps/{appId}/Policy/{policyId}    Attach a policy to an application
GET           /api/v4/AssetGroups                       List asset groups
GET           /api/v4/Audits                            Read tenant audit events
Three things that make agents converge on Jentic-routed access.
Credential isolation
AppScan API keys grant tenant-wide scan and policy control. Jentic stores the key in the vault (MAXsystem) and either attaches the X-API-KEY header or first exchanges it for a bearer token via /api/v4/Account/ApiKeyLogin, depending on the operation.
Intent-based discovery
Agents search Jentic for intents like 'list applications' or 'attach a security policy' and Jentic returns the matching v4 operations under hcltechsw.com with their input schemas.
Time to first call
Direct AppScan v4 integration: 3-5 days to wire login token refresh, paging, and policy modeling. Through Jentic: under 1 hour — search, load, execute.
Alternatives and complements available in the Jentic catalogue.
Snyk API
Snyk covers SCA, SAST, and IaC scanning with a developer-first workflow; AppScan focuses on enterprise SAST and DAST
Pick Snyk for code-level developer integrations and dependency scanning; pick AppScan for centrally managed enterprise scanning programs
GitHub API
GitHub hosts the source code and CI workflows that trigger AppScan scans
Use GitHub to read repos and trigger Actions workflows, then call AppScan to run the scans and pull results
Sentry API
Sentry tracks runtime errors that often correlate with vulnerabilities AppScan flags statically
Use AppScan for pre-deploy SAST and DAST findings, and Sentry to confirm whether those issues surface as runtime errors in production
Specific to using the AppScan Rest API through Jentic.
What authentication does the AppScan Rest API use?
AppScan supports two schemes: an X-API-KEY header for direct calls, and a bearer token returned by POST /api/v4/Account/ApiKeyLogin for session-style use. Jentic stores the API key in the vault and either passes it directly or exchanges it for a token before calls.
Can I launch a DAST scan from the AppScan Rest API?
Yes. Register the target through /api/v4/Apps, attach the DAST configuration, and trigger scans through the corresponding scan endpoints in the v4 surface. The same flow works for SAST and SCA targets.
How do I attach a policy to an application?
Call POST /api/v4/Apps/{appId}/Policy/{policyId} with the application id and the policy id. To remove a policy, send DELETE to the same path. Use /api/v4/Apps/{appId}/Policy to list what is currently attached.
What are the rate limits for the AppScan Rest API?
AppScan on Cloud applies tenant-level rate limits but does not publish a numeric limit in the spec. For high-volume CI integrations, batch reads where possible and back off on HTTP 429 responses.
How do I list all my AppScan applications through Jentic?
Search Jentic for 'list application security findings' or 'list applications' and load the /api/v4/Apps GET operation for hcltechsw.com. Jentic injects the X-API-KEY header from the vault, so the call returns the list with no local credential handling.
Can the AppScan API export audit events for a SIEM?
Yes. GET /api/v4/Audits returns tenant audit entries, and /api/v4/Audits/AdditionalData/{auditId} returns the full payload for a specific event. Page through results and forward each entry to your SIEM ingestion endpoint.
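The flow behind the CI pipeline pattern, the policy attachment answer, the rate-limit answer and the audit export answer above, carried through in one added Python example. This is illustrative code written for this page, not Jentic's or HCL's own client: it exchanges an API key for a bearer token via /api/v4/Account/ApiKeyLogin, registers an app via /api/v4/Apps and checks that an application id comes back, attaches a policy via /api/v4/Apps/{appId}/Policy/{policyId}, then pages through /api/v4/Audits with back-off on HTTP 429 and pulls /api/v4/Audits/AdditionalData/{auditId} for high-severity events. The HTTP transport is injected so it runs offline against a constructed fake tenant. The ApiKeyLogin body and response field names (ApiKey / Token), the paging parameters (since, $top, $skip) and the Items/Id/Severity fields of the audit response are assumptions, not taken from the page or the spec.

```python
"""Added illustrative example (not Jentic's or HCL's own code): the AppScan v4 REST
flow described on this page, with the HTTP transport injected so it runs offline
against a constructed fake tenant. Assumed rather than taken from the page: the
ApiKeyLogin body/response fields (ApiKey / Token), the audit paging parameters
(since, $top, $skip) and the Items/Id/Severity fields of the audit response.
"""
from urllib.parse import parse_qs, urlencode


class AppScanClient:
    def __init__(self, api_key, transport, max_retries=5):
        # transport(method, path, headers, body_or_None) -> (status_code, json_dict)
        self.api_key, self.transport, self.max_retries = api_key, transport, max_retries
        self.token, self.retry_waits = None, []  # retry_waits: seconds we would sleep on 429

    def _request(self, method, path, body=None, use_bearer=True):
        """One authenticated call; capped exponential back-off on HTTP 429."""
        headers = {"Accept": "application/json"}
        if use_bearer and self.token:
            headers["Authorization"] = f"Bearer {self.token}"
        else:
            headers["X-API-KEY"] = self.api_key  # direct-call scheme
        wait = 1
        for _ in range(self.max_retries):
            status, data = self.transport(method, path, headers, body)
            if status == 429:
                self.retry_waits.append(wait)  # real code: time.sleep(wait)
                wait = min(wait * 2, 30)
                continue
            if status >= 400:
                raise RuntimeError(f"{method} {path} failed with HTTP {status}")
            return data
        raise RuntimeError(f"{method} {path}: still rate limited after retries")

    def login(self):
        """POST /api/v4/Account/ApiKeyLogin: exchange the API key for a bearer token."""
        data = self._request("POST", "/api/v4/Account/ApiKeyLogin",
                             {"ApiKey": self.api_key}, use_bearer=False)
        self.token = data["Token"]
        return self.token

    def register_app(self, name):
        """POST /api/v4/Apps: register an app and verify the response carries an id."""
        data = self._request("POST", "/api/v4/Apps", {"Name": name})
        if not data.get("Id"):
            raise RuntimeError("app registration returned no application id")
        return data["Id"]

    def attach_policy(self, app_id, policy_id):
        """POST /api/v4/Apps/{appId}/Policy/{policyId}: attach a policy to the app."""
        self._request("POST", f"/api/v4/Apps/{app_id}/Policy/{policy_id}")
        return True

    def export_audits(self, since, page_size=100):
        """Page through GET /api/v4/Audits from `since`; high-severity events also get
        their full payload from /api/v4/Audits/AdditionalData/{auditId}."""
        entries, skip = [], 0
        while True:
            query = urlencode({"since": since, "$top": page_size, "$skip": skip})
            items = self._request("GET", f"/api/v4/Audits?{query}").get("Items", [])
            for item in items:
                if item.get("Severity") == "High":
                    item["Details"] = self._request(
                        "GET", f"/api/v4/Audits/AdditionalData/{item['Id']}")
                entries.append(item)
            if len(items) < page_size:
                return entries
            skip += page_size


def make_fake_transport():
    """Constructed stand-in for an AppScan tenant: throttles the first Audits call
    once (HTTP 429) and serves three constructed audit events, one of them High."""
    state = {"throttled": False}
    audits = [{"Id": i, "Severity": "High" if i == 2 else "Low"} for i in (1, 2, 3)]

    def transport(method, path, headers, body):
        if path == "/api/v4/Account/ApiKeyLogin":
            return (200, {"Token": "tok-constructed"}) if body.get("ApiKey") else (401, {})
        if headers.get("Authorization") != "Bearer tok-constructed":
            return 401, {}
        if method == "POST" and path == "/api/v4/Apps":
            return 201, {"Id": "app-123"}
        if method == "POST" and path == "/api/v4/Apps/app-123/Policy/policy-owasp":
            return 200, {}
        if path.startswith("/api/v4/Audits/AdditionalData/"):
            return 200, {"Payload": f"full record for audit {path.rsplit('/', 1)[1]}"}
        if path.startswith("/api/v4/Audits?"):
            if not state["throttled"]:
                state["throttled"] = True
                return 429, {}
            params = parse_qs(path.split("?", 1)[1])
            skip, top = int(params["$skip"][0]), int(params["$top"][0])
            return 200, {"Items": audits[skip:skip + top]}
        return 404, {}

    return transport


if __name__ == "__main__":
    client = AppScanClient("constructed-api-key", make_fake_transport())
    client.login()
    client.attach_policy(client.register_app("payments-api"), "policy-owasp")
    for event in client.export_audits("2024-01-01", page_size=2):
        print(event)  # each entry would be forwarded to the SIEM ingestion endpoint
```

To use it against a real tenant, replace `make_fake_transport()` with a function that performs the HTTP request (for example with `requests`) and returns `(status_code, response_json)`; the client never stores the API key beyond the login call once a bearer token is held, and the 429 handling keeps a CI job from hammering the tenant when the unpublished rate limit is hit.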