HCL AppScan MCP. Audit App Security and Manage Vulnerabilities via AI
HCL AppScan. Manage application security scans and vulnerabilities directly through your AI client. Use the HCL AppScan MCP Server to list, track, and audit security issues across your application inventory.
Get real-time scan status, start DAST scans, and retrieve detailed vulnerability reports instantly.
What your AI agents can do
Get account check
Verifies that the AppScan account connection is successfully authenticated.
Get account info
Retrieves basic details about the currently authenticated user.
Get app
Gets specific details for a single application ID.
Retrieves a full list of applications in your AppScan inventory, providing unique IDs for targeted analysis.
Fetches detailed records of security issues, including severity and current status, for a known application.
Checks the real-time status of active scans or initiates new Dynamic Analysis (DAST) scans for web applications.
Verifies the connection status and retrieves basic user account information for use within the server.
Lists available local scanning agents (Presences) used for internal application testing.
HCL AppScan MCP Server: 10 Tools for Security Audits
These tools let your AI client interact with HCL AppScan to check accounts, list applications, track vulnerabilities, and initiate security scans.
get account check
Verifies that the AppScan account connection is successfully authenticated.
get account info
Retrieves basic details about the currently authenticated user.
get app
Gets specific details for a single application ID.
get issue
Retrieves detailed information about one specific vulnerability found during a scan.
get scan
Gets the full details and current status for a specific scan ID.
list apps
Lists every application stored in your AppScan security inventory.
list issues
Lists all vulnerabilities found for a specific application ID.
list presence
Lists the available local agents (Presences) used for scanning internal applications.
list scans
Lists all scans that have been performed within the account.
start dast scan
Initiates a new Dynamic Analysis (DAST) scan for a specified web application URL.
What you can do with this MCP connector
You can use this server to manage application security scans and vulnerabilities right through your AI client. It lets you list, track, and audit security issues across your entire application inventory. You'll get real-time scan status, start Dynamic Analysis (DAST) scans, and pull detailed vulnerability reports instantly.
To start, you'll use get_account_check to verify the AppScan account connection. Then, you can run get_account_info to grab basic details about the user. You can list every application in your AppScan inventory with list_apps, and you'll get unique IDs for targeted analysis. For a single application, you can pull specific details using get_app.
To check which vulnerabilities were found for a specific app, run list_issues with the app's ID. You can pull deep info on one vulnerability using get_issue.
Want to know about scans? You can list all scans that ran with list_scans, and you'll get the full details and current status for a specific scan ID using get_scan. You can kick off a new DAST scan for a web app URL with start_dast_scan. You can also list the local agents, or 'Presences', used for testing internal applications with list_presence.
How HCL AppScan MCP Works
1. Your AI client first calls `get_account_check` to verify the AppScan connection is active.
2. Next, the agent uses `list_apps` to gather all application IDs and then calls `list_issues` for a specific app to find vulnerabilities.
3. Finally, you pass the gathered data to your agent, which summarizes the findings and suggests remediation steps.
The bottom line is, your AI client uses the 10 tools to gather security data from AppScan, and then you use your agent to process that data into actionable intelligence.
Who Is HCL AppScan MCP For?
This is for security engineers and DevSecOps staff who are tired of jumping between multiple dashboards just to build a risk picture. If you need to automate the process of finding, tracking, and prioritizing vulnerabilities across dozens of applications, this is for you.
Audits security findings across multiple applications by using list_apps and then calling list_issues to aggregate high-severity vulnerabilities without manual data exports.
Integrates security into CI/CD pipelines by triggering new DAST scans using start_dast_scan and monitoring the results with list_scans.
Ensures application compliance by checking the security status of every mandated app using get_app and verifying vulnerability tracking via get_issue.
What Changes When You Connect
- See the full scope of your inventory instantly. Use `list_apps` to get a complete list of all applications and their unique IDs, eliminating manual dashboard navigation.
- Prioritize fixes immediately. Instead of wading through thousands of alerts, use `list_issues` to pull detailed lists of vulnerabilities, letting your agent focus on severity and status.
- Automate the testing cycle. You can start new DAST scans directly via the chat interface using `start_dast_scan`, then monitor the progress using `get_scan` and `list_scans`.
- Build compliance reports faster. Check the status of every required application using `get_app` and verify the latest findings with `get_issue`, all without leaving your chat window.
- Simplify complex data retrieval. Use `get_account_info` to confirm credentials and `get_app` to pull specific app metadata before running any checks.
Real-World Use Cases
Compliance Check: Auditing all mandated apps
The compliance officer needs to prove that 15 specific applications were scanned last month. They tell their agent: 'Use list_apps to get all IDs, then loop through them, calling get_app for status, and finally running list_issues to confirm the vulnerability count.' The agent compiles a single, auditable report.
Incident Response: Finding the root cause
A critical vulnerability is reported in the 'Payment API'. The security engineer instructs the agent: 'First, run list_apps to confirm the ID. Then, use list_issues and get_issue with the ID to pull all high-severity findings and the associated remediation details immediately.'
Proactive Testing: Running a fresh scan
The team just deployed a major update to the 'Customer Portal'. The DevSecOps specialist asks the agent to execute: 'Start a new DAST scan for the portal using start_dast_scan.' The agent initiates the test and uses list_scans to track the job ID until it's complete.
Debugging: Checking system health
Before running any complex audit, the agent first calls get_account_check to validate the connection. If that passes, they can use list_presence to confirm which local agents are online and ready for internal scans.
The Tradeoffs
Manual Dashboard Exporting
A security team member logs into the AppScan web portal, clicks 'Export Issues,' filters by severity, and then manually copies the data into a spreadsheet for the compliance report. This takes 30 minutes and is prone to human error.
→
Instead, ask your agent to use list_apps to get the target list, then loop through those IDs calling list_issues and get_issue for the required details. Your agent handles the data collection and structuring automatically.
Ignoring Scan Status
A developer triggers a DAST scan using the UI, gets a success message, and assumes the job is done. They don't check if the scan failed or is still running, leading to missed vulnerabilities.
→
Always follow up the scan initiation (start_dast_scan) by calling list_scans and then get_scan to verify the status is 'Completed' before relying on the results.
Using Old Credentials
A new team member attempts to run list_apps but the connection fails, forcing them to manually re-enter API keys and wait for system administrators to restart the service.
→
Always start by checking the connection using get_account_check. This verifies the API key and service access are valid before running any other tool.
When It Fits, When It Doesn't
Use this server if your primary goal is to gather, correlate, and act on security vulnerability data across many applications. You need the AI agent to manage the workflow of checking status, listing assets, and retrieving specific details from 10 distinct APIs. Don't use it if you just need a simple list of all applications—just use list_apps. If you only need to know if your account is connected, run get_account_check. You need this suite when you're building a repeatable, multi-step audit process, like 'Find all apps, list their issues, and start a scan.'
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by HCL AppScan. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
- Cloud Hosted: Managed infra
- V8 Isolated: Sandboxed per request
- Zero-Trust Proxy: No stored credentials
- DLP Enforced: Policy on every call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
Works with Claude, ChatGPT, Cursor, and more
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
The old way of auditing security findings is a headache.
Right now, auditing security requires jumping between the AppScan dashboard, running reports, filtering results by severity, and then manually downloading CSVs. You spend half your morning just collecting data, which is a terrible use of time.
With the HCL AppScan MCP Server, you simply tell your agent what you need—like 'Show me all high-severity SQL Injection issues.' The agent runs `list_apps`, then `list_issues`, and `get_issue` to pull the data. You get a clean, summarized report instantly.
HCL AppScan MCP Server: Track Vulnerabilities and Scan Progress
Manual processes require you to remember which scan ID was started, wait for the job to finish, and then find the final report. This is error-prone and slow.
Now, you start the scan with `start_dast_scan`, and your agent uses `list_scans` and `get_scan` to monitor the job status in real time. You don't wait; you just ask for the status, and the answer is ready.
Common Questions About HCL AppScan MCP
How do I use the `list_apps` tool with HCL AppScan?
Run list_apps to get a complete list of all applications in your inventory. This returns the unique IDs you need to target subsequent vulnerability checks.
What is the difference between `list_issues` and `get_issue`?
list_issues gives you a summary list of all vulnerabilities for an app. get_issue pulls the full, detailed report for one specific vulnerability, including remediation steps.
Can I start a DAST scan using `start_dast_scan`?
Yes, start_dast_scan initiates a new Dynamic Analysis (DAST) scan for a specified web application URL. Your agent handles the parameters for you.
Which tool should I use to check the AppScan connection?
You should use get_account_check. It verifies your AppScan account credentials and connection status before any other data retrieval.
How do I list all available scanners?
Use list_presence to list all available local agents (Presences). This confirms which scanners are online and ready to test internal applications.
How do I check the status of a specific scan using the `get_scan` tool?
You use get_scan with the unique scan ID. This returns the scan's status, start time, end time, and associated application details. You can confirm if the scan is active, completed, or failed.
What information can I retrieve about a single application using the `get_app` tool?
The get_app tool provides comprehensive details for a given application ID. You get its name, creation date, associated security policies, and the list of vulnerabilities found so far.
How do I find all the available local agents using the `list_presence` tool?
Running list_presence returns a list of configured AppScan agents (Presences). This list includes the agent's name, its connection status, and the last time it reported data, helping you confirm connectivity.
How do I get my AppScan API Key ID and Secret?
Log in to the AppScan on Cloud console, go to your User Profile (top right), and select API Keys. You can generate a new Key ID and Key Secret there.
Does this server support the EU region?
Yes, you can configure the APPSCAN_REGION environment variable to eu to connect to the European data center (eu.cloud.appscan.com).
Can I start a scan for an internal application?
Yes, provided you have an AppScan Presence (local agent) configured. You can use the list_presence tool to check their availability before starting a scan.