IBM Support

Ability to post AppScan Enterprise job results asynchronously to the configured endpoint URL



How does AppScan Enterprise post the scan job status asynchronously to the endpoint URL?


Note 1: Currently, this capability is available only for Content Scan jobs. It will be enhanced further to cover jobs created through ADAC or AppScan Standard.

Note 2: This capability will be available only for new content scan jobs created through the REST API.

In a DevOps environment, an automation framework (for example, UrbanCode Deploy) creates and initiates a scan job. AppScan Enterprise performs the scan and, once the scan is completed, posts the scan job status to the integration/automation framework. The framework does not need to wait in a loop or ping AppScan Enterprise periodically for the scan status.

The scan management REST API in AppScan Enterprise, “/services/folders/<folderId>/folderitems?templateid=<id>”, creates a content scan job. This API has been modified to accept an additional, optional parameter, “payload”. The payload is structured JSON containing these details:


• Endpoint URL (the URL to which AppScan Enterprise posts the data; the endpoint must be able to read the HTTP PUT data to retrieve the scan job status)
• Username (optional; required only if the endpoint URL expects one)
• Password (encrypted/unencrypted; optional; required only if the endpoint URL expects one)
• Placeholders for job details such as the job completion code (status) and job name.

{
  "endpointURL": "http(s)://",
  "username": "admin",
  "password": "admin",
  "application": "AppScan Application",
  "applicationProcess": "Run Scan",
  "description": "Initiatied asynchronously by the completion of $fiid.",
  "environment": "Dev",
  "properties": {
    "fiid": "$fiid",
    "completionCode": "$completionCode",
    "jobName": "$jobName"
  },
  "versions": [{
    "component": "ComponentName",
    "version": "1.0.0"
  }]
}

- The integration framework creates a job by invoking the AppScan Enterprise REST API, passing the additional configuration parameter (payload) in JSON format.
- The framework starts the scan job by calling the REST API.
- The framework does not wait for the job to complete to get the status.
- Once the job is completed in AppScan Enterprise, the job status is posted (HTTP PUT) to the endpoint URL. This callback carries the payload data.
- The payload data is updated with job information such as the job name and job completion code.

The sample callback data looks like this:
"application":"AppScan Application",
"applicationProcess":"Run Scan","description":"Initiatied asynchronously by the completion of 99.","environme


The supported job completion codes are SUCCESS, FATALERROR, SUSPENDED, CANCELLED.
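
One way an endpoint could read and validate the HTTP PUT callback described above, as an added example that is not IBM's code. It assumes the callback body keeps the payload's structure with the placeholders filled in; `parse_callback`, `CallbackHandler`, `MAX_BODY`, the sample body and the listening address are assumptions.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Completion codes the page lists as supported.
COMPLETION_CODES = {"SUCCESS", "FATALERROR", "SUSPENDED", "CANCELLED"}
MAX_BODY = 64 * 1024  # assumed size cap, not an AppScan limit

# Constructed sample body, shaped like the payload shown on the page.
SAMPLE = (b'{"application":"AppScan Application","applicationProcess":"Run Scan",'
          b'"environment":"Dev","properties":{"fiid":"99",'
          b'"completionCode":"SUCCESS","jobName":"Nightly content scan"}}')

def parse_callback(raw: bytes) -> dict:
    """Validate a callback body and return the job fields a pipeline acts on."""
    if len(raw) > MAX_BODY:
        raise ValueError("body too large")
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError, RecursionError) as exc:
        raise ValueError("body is not valid JSON") from exc
    props = doc.get("properties") if isinstance(doc, dict) else None
    if not isinstance(props, dict):
        raise ValueError("missing properties object")
    code = props.get("completionCode")
    # Rejects unknown values, including an unsubstituted "$completionCode".
    if not isinstance(code, str) or code not in COMPLETION_CODES:
        raise ValueError("unsupported completionCode")
    return {"fiid": str(props.get("fiid", "")), "jobName": str(props.get("jobName", "")),
            "completionCode": code, "passed": code == "SUCCESS"}

class CallbackHandler(BaseHTTPRequestHandler):
    # Hypothetical receiver. Credential checking is omitted because the page
    # does not say how the username and password reach the endpoint.
    def do_PUT(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
            if not 0 < length <= MAX_BODY:
                raise ValueError("bad Content-Length")
            job = parse_callback(self.rfile.read(length))
        except ValueError:
            self.send_error(400)
            return
        # %r keeps control characters in sender-supplied names out of the log.
        self.log_message("job %r (%r): %s", job["jobName"], job["fiid"], job["completionCode"])
        self.send_response(204)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), CallbackHandler).serve_forever()
```

Because the payload may carry a username and password, an “https://” endpoint keeps them and the job status off the wire in clear text.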


Note 3: The endpoint URL should start with “http://” or “https://”.

Document information

More support for: IBM Security AppScan Enterprise

Component: REST API

Software version:

Operating system(s): Windows

Reference #: 2015122

Modified date: 04 July 2018