
Bluemix: Can I scan a Java REST API using Application Security on Cloud?


I am planning to use Bluemix for REST API development using Java. I wanted to use Application Security on Cloud to scan the application and eliminate security concerns.

Can I use it? Is there something more appropriate?


Solution

  • You can use the Static analysis feature of Application Security on Cloud to scan Java applications for security vulnerabilities. To accomplish this, a small utility needs to be downloaded to convert the application byte code files into an Intermediate Representation (IRX) of the code. This IRX file is uploaded to the server and scanned using trace analysis to find security vulnerabilities (the IRX file is encrypted to keep your data safe). IRX files can be generated using a small client command-line interface (CLI) that you need only download and extract to your local disk. In addition, you can run a small installer that adds static analysis plug-ins to Eclipse or Maven. Note that the Client Utility and cloud service versions must be compatible.

    Take a look at Getting started with Application Security on Cloud for more information.