# HCL AppScan MCP

> HCL AppScan MCP connects application security testing directly to your AI client. It lets you manage complex security scans across multiple applications, track vulnerabilities, and audit an entire software inventory using natural conversation. Quickly check scan statuses, list apps, or even start new dynamic analysis (DAST) tests without ever leaving your chat window.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** application-security, security-testing, vulnerability-management, code-auditing, threat-detection, devsecops

## Description

This MCP brings powerful application security testing straight to your agent. Instead of logging into separate dashboards, you can monitor vulnerabilities and audit your entire application inventory using natural conversation. Your AI client talks directly to the tools here, giving you instant insight into your security posture across HCL AppScan on Cloud (ASoC). You can list all applications in your inventory to find their unique IDs or check the real-time status of any active scan. Need more detail? You can retrieve detailed lists of security issues found during scans, including severity and current status. If you're ready for a new audit, you can start DAST scans right from the chat interface. All this capability is available through Vinkius, giving your agent access to industry-leading tools without needing multiple subscriptions or logins.

## Tools

### get_account_check
Verifies that your AppScan account connection is active and ready to use.

### get_account_info
Retrieves specific information about the user who authenticated to the service.

### get_app
Pulls detailed data for one specific application within your inventory.

### get_issue
Gathers granular information about a single, identified vulnerability or security issue.

### get_scan
Retrieves the status and details for one specific scan job.

### list_apps
Shows a comprehensive list of every application registered in your AppScan inventory.

### list_issues
Generates a full listing of all vulnerabilities found for a given application ID.

### list_presence
Lists the local agents, or Presences, that are available to scan internal applications.

### list_scans
Provides a complete record of all scans that have ever been run in your account history.

### start_dast_scan
Begins a new Dynamic Analysis (DAST) scan for a specified web application URL.

## Prompt Examples

**Prompt:** 
```
List all applications in my AppScan inventory.
```

**Response:** 
```
I've retrieved your application inventory. You have 15 applications, including 'Customer Portal', 'Payment API', and 'Mobile Backend'.
```

**Prompt:** 
```
Show me high severity issues for application 'Customer Portal'.
```

**Response:** 
```
I've found 3 high severity issues for 'Customer Portal', including a 'SQL Injection' vulnerability and a 'Cross-Site Scripting' (XSS) issue.
```

**Prompt:** 
```
Start a new DAST scan for appId '12345' with URL 'https://portal.example.com'.
```

**Response:** 
```
A new DAST scan (ID: scan_998877) has been successfully started for 'Customer Portal' targeting 'https://portal.example.com'.
```

## Capabilities

### Audit Application Inventory
You list all applications in your security inventory to get their unique IDs and names.

### Check Scan Statuses
You monitor all performed scans, checking the current status of any active security tests.

### Identify Vulnerabilities
You get detailed lists and specific information about security issues found during a scan.

### Initiate Security Scans
You start new Dynamic Analysis (DAST) scans for your web applications directly from the chat.

### Manage Internal Agents
You list the available local agents (Presences) used to scan internal applications that have no public URL.

## Use Cases

### Pre-Compliance Audit Check
A compliance officer needs to prove that all 40 internal applications were scanned this quarter. They ask their agent to run `list_apps` first, then use `list_scans` for each app ID to confirm coverage and gather proof of regular auditing.

### Immediate Flaw Discovery
A developer asks the agent to check a newly deployed service. The agent uses `start_dast_scan`, waits for completion, and then runs `list_issues` to immediately report any high-severity flaws found.

### Deep Dive into One Vulnerability
A security engineer finds a suspicious vulnerability ID. They ask the agent to run `get_issue` with that ID. The tool returns detailed context, including remediation steps and severity scores, allowing for immediate triage.

### Inventory Cleanup
An ops team member suspects an old application is forgotten. They use `list_apps` to verify the existence of the app ID, then run `get_app` to check its details before deciding if it needs to be decommissioned.
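The first two use cases above end with a judgement the agent has to make over tool output: "was every app scanned this quarter?" and "which of the findings are still open and high severity?". The following Python is an added example, not code from this page, Vinkius or HCL; it only post-processes results in the shape an agent would have after calling `list_apps`, `list_scans` and `list_issues`, and does not talk to the MCP server itself. The sample records and their field names (`id`, `appId`, `status`, `createdAt`, `severity`, `issueType`) and the status vocabularies are constructed assumptions for this example, not HCL AppScan's schema.

```python
from __future__ import annotations

from datetime import datetime, timezone

# Constructed sample data standing in for `list_apps`, `list_scans` and
# `list_issues` output. Field names and status values are assumptions.
SAMPLE_APPS = [
    {"id": "app-001", "name": "Customer Portal"},
    {"id": "app-002", "name": "Payment API"},
    {"id": "app-003", "name": "Mobile Backend"},
]
SAMPLE_SCANS = [
    {"id": "scan-1", "appId": "app-001", "status": "Ready",   "createdAt": "2024-04-02T10:00:00Z"},
    {"id": "scan-2", "appId": "app-002", "status": "Running", "createdAt": "2024-05-20T08:30:00Z"},
    {"id": "scan-3", "appId": "app-003", "status": "Ready",   "createdAt": "2023-12-15T09:00:00Z"},
]
SAMPLE_ISSUES = [
    {"id": "iss-1", "appId": "app-001", "severity": "High",     "status": "Open",  "issueType": "SQL Injection"},
    {"id": "iss-2", "appId": "app-001", "severity": "High",     "status": "Fixed", "issueType": "Cross-Site Scripting"},
    {"id": "iss-3", "appId": "app-001", "severity": "Medium",   "status": "Open",  "issueType": "Missing Security Header"},
    {"id": "iss-4", "appId": "app-001", "severity": "Critical", "status": "New",   "issueType": "Remote Code Execution"},
]

COMPLETED_STATUSES = {"Ready"}                            # assumed "finished" scan state
IN_PROGRESS_STATUSES = {"Running", "Starting", "Paused"}  # assumed "not finished" states
OPEN_ISSUE_STATUSES = {"Open", "New"}                     # assumed "still needs work" states
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; tolerate the trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def quarter_bounds(year: int, quarter: int) -> tuple[datetime, datetime]:
    """Return the half-open UTC window [start, end) for a calendar quarter."""
    if quarter not in (1, 2, 3, 4):
        raise ValueError("quarter must be 1-4")
    start_month = 3 * (quarter - 1) + 1
    start = datetime(year, start_month, 1, tzinfo=timezone.utc)
    if quarter == 4:
        end = datetime(year + 1, 1, 1, tzinfo=timezone.utc)
    else:
        end = datetime(year, start_month + 3, 1, tzinfo=timezone.utc)
    return start, end


def scan_coverage(apps, scans, start: datetime, end: datetime) -> dict[str, list[str]]:
    """Classify every app id as covered / pending / uncovered for [start, end).

    covered   = at least one completed scan created inside the window
    pending   = only in-progress scans inside the window (not proof yet)
    uncovered = nothing in the window; a scan from an earlier quarter does not count
    Scans with an unrecognised status are ignored rather than treated as proof.
    """
    completed: set[str] = set()
    running: set[str] = set()
    for scan in scans:
        when = parse_ts(scan["createdAt"])
        if not (start <= when < end):
            continue
        if scan["status"] in COMPLETED_STATUSES:
            completed.add(scan["appId"])
        elif scan["status"] in IN_PROGRESS_STATUSES:
            running.add(scan["appId"])
    result: dict[str, list[str]] = {"covered": [], "pending": [], "uncovered": []}
    for app in sorted(apps, key=lambda a: a["id"]):
        if app["id"] in completed:
            result["covered"].append(app["id"])
        elif app["id"] in running:
            result["pending"].append(app["id"])
        else:
            result["uncovered"].append(app["id"])
    return result


def open_issues_at_or_above(issues, app_id: str, min_severity: str = "High") -> list[dict]:
    """Issues for app_id that are still open and at least min_severity, worst first.

    Fixed issues are dropped so a previously reported finding is not re-raised,
    and unknown severity strings rank below Informational so they never pass the floor.
    """
    floor = SEVERITY_RANK[min_severity]
    hits = [
        i for i in issues
        if i["appId"] == app_id
        and i["status"] in OPEN_ISSUE_STATUSES
        and SEVERITY_RANK.get(i["severity"], -1) >= floor
    ]
    return sorted(hits, key=lambda i: SEVERITY_RANK[i["severity"]], reverse=True)


if __name__ == "__main__":
    start, end = quarter_bounds(2024, 2)
    print("Q2 2024 coverage:", scan_coverage(SAMPLE_APPS, SAMPLE_SCANS, start, end))
    for issue in open_issues_at_or_above(SAMPLE_ISSUES, "app-001"):
        print(f"{issue['severity']:>8}  {issue['id']}  {issue['issueType']}")
```

Two choices matter for the audit use case: a scan that is still running is reported as "pending" rather than counted as coverage, so the compliance evidence only names scans that actually finished, and the window is half-open on the quarter boundary so a scan started at midnight on 1 July is not double-counted in two quarters. For triage, the severity floor is a rank comparison rather than a string match, so a "Critical" finding is not missed when someone asks for "High".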

## Benefits

- You don't waste time manually exporting vulnerability reports. By using `list_issues` and `get_issue`, your agent compiles all the data you need into a clean summary, saving hours of spreadsheet work.
- Start new audits on demand. Instead of navigating to the web console, just ask your agent to run a DAST scan using `start_dast_scan`. The whole process happens through conversation.
- Get full visibility across all assets. You can use `list_apps` to see every single application ID in your inventory at a glance, ensuring no critical piece of software is forgotten during an audit.
- Check the status without logging in. Need to know if last night's scan finished? Use `get_scan` and `list_scans` to get instant updates on running or completed jobs.
- Manage internal systems easily. The `list_presence` tool shows you which local agents are available, letting you plan scans for apps that don't have a public URL.

## How It Works

The bottom line is that your AI client handles the API calls for you, so you just talk to it as you normally would.

1. First, your AI client uses the account tools to verify connection and retrieve basic user data.
2. Next, you ask it to list all applications or check a specific scan's status. The MCP runs those checks and sends back structured data about the findings.
3. Finally, if you need new data, you tell your agent to start a DAST scan; it executes the request and confirms when the job begins.

## Frequently Asked Questions

**How do I list all applications with HCL AppScan MCP?**
You simply ask your agent to list the apps using `list_apps`. This tool immediately shows you every application ID currently tracked in your security inventory.

**Can I start a scan without knowing the URL? (HCL AppScan MCP)**
No. The `start_dast_scan` tool requires a specific URL to run the dynamic analysis test. You must first find the target URL and pass it to the agent.

**What if I need details on one vulnerability? (HCL AppScan MCP)**
You use `get_issue` and provide the specific ID of the issue you care about. The tool returns detailed context, including severity and how to fix it.

**Does HCL AppScan MCP track old scans? (HCL AppScan MCP)**
Yes. You can use `list_scans` or `list_issues` to view historical data, helping you audit past performance and ensure compliance over time.

**What is the difference between listing apps and getting app details? (HCL AppScan MCP)**
Using `list_apps` gives a simple roster of all IDs. Using `get_app` retrieves deep, detailed information for one specific app ID you've already identified.

**How do I get my AppScan API Key ID and Secret?**
Log in to the AppScan on Cloud console, go to your **User Profile** (top right), and select **API Keys**. You can generate a new Key ID and Key Secret there.

**Does this server support the EU region?**
Yes, you can configure the `APPSCAN_REGION` environment variable to `eu` to connect to the European data center (`eu.cloud.appscan.com`).

**Can I start a scan for an internal application?**
Yes, provided you have an AppScan Presence (local agent) configured. You can use the `list_presence` tool to check their availability before starting a scan.