General-purpose vulnerability scanners often perform poorly against custom web applications and Application Programming Interfaces (APIs). BHIS has two HCL AppScan instances available for automated scanning of custom web applications during testing. Typically, HCL AppScan does a better job than a general-purpose scanner of comprehensively discovering web-based vulnerabilities. The scanner is likely to generate some false positives, so all results should be investigated thoroughly.

Refer to the AppScan Usage and Setup documentation for full details on using the scanner.

Details for accessing the available HCL AppScan instances can be found in LastPass under the AppScan on Azure (Testers) entry.