Scan Your App


Scan Options

Scan results from one or more accepted AST tools are required to test the functional CASA requirements in your application.

There are three options for app scanning:

  1. Use CASA-approved tools (highly recommended) 

  2. Use custom or alternative tools (*restrictions apply)

  3. A hybrid combination of CASA-approved and custom or alternative tools

Refer to the tooling matrix to understand what scans are in scope for your application, and follow the steps below based on your selected option.



Pre-built configuration files and Docker images are provided so that you can quickly run approved scans and generate their outputs. This option is highly recommended and greatly reduces the likelihood of a CASA submission being returned for nonconformance.

Simply follow the CASA AST guidance based on which scans are required for your application. 

To qualify for Tier 2 verification, results must show:

  • No findings linked to common weakness enumerations (CWEs) with high likelihood of exploit

  • No findings linked to CWEs with medium likelihood of exploit (*only applicable for CASA revalidation)

OWASP guidance from the ASVS Cheat Sheet can be referenced to remediate findings.



Using Custom or Alternative AST Tools

Third-party (3P) developers are permitted to use any CWE-compatible app scanning tool(s), provided the tool(s) satisfy the CASA AST requirements for testing and results below. A list of options (not comprehensive) is provided here.

Custom or alternative AST tools must:

  • Meet the OWASP Benchmark standard

  • Be configured to scan all CWEs required for your application

  • Provide a pass/fail CWE output in a machine-readable (e.g., XML, CSV) or PDF format


A full mapping of required CWEs and AST tool combinations can be found in the CASA Tier 2 mapping template.

To qualify for Tier 2 verification, results must show:

  • No findings linked to common weakness enumerations (CWEs) with high likelihood of exploit

  • No findings linked to CWEs with medium likelihood of exploit (*only applicable for CASA revalidation)

OWASP guidance from the ASVS Cheat Sheet can be referenced to remediate findings.
