Deploying AppScan 360° Static Analysis clusters
(`tar.gz`) downloaded from the HCL License and Download Portal. Either bundle contains a script (`sast-service.sh`) to simplify the deployment steps.

- Deploying AppScan 360° Static Analysis using Helm charts from HCL Harbor
- Deploying AppScan 360° Static Analysis from an archive file
- Integration with ASCP
- Configuring the AppScan 360° SAST ingress
- Reconfiguring AppScan 360° Static Analysis
- Deployment command options
- Examples
- Accessing AppScan 360° SAST after deployment
Deploying AppScan 360° Static Analysis using Helm charts from HCL Harbor

- Ensure you are connected to the correct Kubernetes cluster. Verify you have the right cluster config file in the `.kube` folder.
- Get the ASCP server hostname. For example, `ascp.example.com`.
- Retrieve the authentication token, certificate, and private key files from the ASCP server to the current machine.
  - The authentication token is specified to the AppScan 360° SAST deployment using the option `--auth-token`. For example, `--auth-token AgentsApiKey.txt`.
  - The CA certificate is specified to the AppScan 360° SAST deployment using the option `--cert`. For example, `--cert AppScan360_RootCA.crt`.
  - The private key is specified to the AppScan 360° SAST deployment using the option `--cert-key`. For example, `--cert-key AppScan360_RootCA.key`.
- Get the registry user authentication token and save it to a file. For example, `registry-token.txt`.
- Create a file to store the RabbitMQ password. For example, `rabbitmq-pwd.txt`. This password is configured in RabbitMQ when it is installed. Note: This password cannot be changed once configured.
- Identify the storage provider to be used. Azure supports `azurefile`, but if any other storage provider is to be used, ensure it supports ReadWriteMany.
- Run the AppScan 360° SAST script with options to deploy the cluster locally. For example:

  > ./sast-service.sh --install --ingress-host <sast-ingress-fqdn> \
      --server <ascp-fqdn> \
      --cert AppScan360_RootCA.crt \
      --cert-key AppScan360_RootCA.key \
      --auth-token AgentsApiKey.txt \
      --rabbitmq-password rabbitmq-pwd.txt \
      --registry-user <harbor-username> \
      --registry-token registry-token.txt \
      --storage-class azurefile \
      --ingress-class nginx

  Note:
  - Provide execute permissions to the script files. For example, `chmod -R +x sast-service.sh scripts/*`.
  - Use the option `-f` to specify the file path to a yaml file with customized values as described in Deployment configuration parameters. For example, `-f values.yaml`.
- Verify deployment was successful:

  > kubectl get pods -n <NAMESPACE>

  Where <NAMESPACE> is the namespace to which AppScan 360° SAST was installed. The default is `hcl-appscan-sast`.
- Verify all the AppScan 360° SAST-related pods are up and running as follows:

  Pod name | Ready | Status | Restarts | Age |
  ---|---|---|---|---|
  analyzer-<pod-id> | 1/1 | Running | X | X |
  ascp-adapter-<pod-id> | 1/1 | Running | X | X |
  gateway-<pod-id> | 1/1 | Running | X | X |
  preparer-<pod-id> | 1/1 | Running | X | X |
  sast-service-rabbitmq-0 | 1/1 | Running | X | X |
  scan-manager-<pod-id> | 1/1 | Running | X | X |
  workflow-manager-<pod-id> | 1/1 | Running | X | X |
- Ensure that AppScan 360° SAST is reachable from a browser using the URL https://<sast-ingress-fqdn>. (For example, https://sast.example.com.)
Deploying AppScan 360° Static Analysis from an archive file

`tar.gz` file:

- To upload the container images to ACR or any other registry of choice, provide the registry credentials to the deployment script using the following parameter options. Note: AppScan 360° SAST container images must be uploaded to a remote OCI-compliant registry.
  - `--registry <registry>`: The registry to push the container images to. For example: `appscanregistry.azurecr.io`, `docker.io`.
  - `--registry-user <registry-username>`: The registry username for authentication.
  - `--registry-token <registry-token-file>`: The file which contains the registry user authentication token. For example: `--registry-token ./registry-token.txt`.
  - `--load-images`: This option indicates that the container images should be loaded from the file system to the registry. The container images are located in the path `sast-service-base/images/*.image`.
- Ensure you are connected to the correct Kubernetes cluster. Verify you have the right cluster config file in the `.kube` folder.
- Get the ASCP server's hostname. For example, `ascp.example.com`.
- Retrieve the authentication token, certificate, and private key files from the ASCP server to the current machine.
  - The authentication token is specified to the AppScan 360° SAST deployment using the option `--auth-token`. For example, `--auth-token AgentsApiKey.txt`.
  - The CA certificate is specified to the AppScan 360° SAST deployment using the option `--cert`. For example, `--cert AppScan360_RootCA.crt`.
  - The private key is specified to the AppScan 360° SAST deployment using the option `--cert-key`. For example, `--cert-key AppScan360_RootCA.key`.
- Create a file to store the RabbitMQ password. For example, `rabbitmq-pwd.txt`. This password is configured in RabbitMQ when it is installed. Note: This password cannot be changed once configured.
- Identify the storage provider to be used. Azure supports `azurefile`, but if any other storage provider is to be used, ensure it supports ReadWriteMany.
- Run the AppScan 360° SAST script with options to deploy the cluster locally. For example:

  > ./sast-service.sh --install --ingress-host <sast-ingress-fqdn> \
      --server <ascp-fqdn> \
      --cert AppScan360_RootCA.crt \
      --cert-key AppScan360_RootCA.key \
      --auth-token AgentsApiKey.txt \
      --rabbitmq-password rabbitmq-pwd.txt \
      --registry <registry-name> \
      --registry-user <registry-username> \
      --registry-token <registry-token-file> \
      --storage-class azurefile \
      --ingress-class nginx \
      --load-images

  Note: Use the option `-f` to specify the file path to a yaml file with customized values as described in Deployment configuration parameters. For example, `-f values.yaml`.
- Verify deployment was successful:

  > kubectl get pods -n <NAMESPACE>

  Where <NAMESPACE> is the namespace to which AppScan 360° SAST was installed. The default is `hcl-appscan-sast`.
- Verify all the AppScan 360° SAST-related pods are up and running as follows:

  Pod name | Ready | Status | Restarts | Age |
  ---|---|---|---|---|
  analyzer-<pod-id> | 1/1 | Running | X | X |
  ascp-adapter-<pod-id> | 1/1 | Running | X | X |
  gateway-<pod-id> | 1/1 | Running | X | X |
  preparer-<pod-id> | 1/1 | Running | X | X |
  sast-service-rabbitmq-0 | 1/1 | Running | X | X |
  scan-manager-<pod-id> | 1/1 | Running | X | X |
  workflow-manager-<pod-id> | 1/1 | Running | X | X |
- Ensure that AppScan 360° SAST is reachable from a browser using the URL https://<sast-ingress-fqdn>. (For example, https://sast.example.com.)
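The pod table is the same verification step in both the Harbor and the archive procedure, and it can be checked mechanically instead of by eye. The script below is an added example, not part of HCL's sast-service.sh or its documentation; it assumes only the pod name prefixes listed in the table, and the `kubectl get pods` output embedded in it is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of HCL's sast-service.sh or its documentation:
# checks `kubectl get pods` output against the pod table in the deployment
# steps. Usage with a live cluster:
#   kubectl get pods -n hcl-appscan-sast | check_sast_pods

# Pod name prefixes the deployment guide expects in the SAST namespace.
EXPECTED_PODS="analyzer ascp-adapter gateway preparer sast-service-rabbitmq scan-manager workflow-manager"

# check_sast_pods: reads `kubectl get pods` output on stdin and prints one
# line per problem. Returns 0 when every expected pod is present with READY
# 1/1 and STATUS Running, 1 otherwise. A non-zero restart count is reported
# as a warning only: the pod is up, but its logs deserve a look.
check_sast_pods() {
  pods=$(cat)
  rc=0
  for prefix in $EXPECTED_PODS; do
    # First row whose NAME column starts with "<prefix>-" (e.g. analyzer-<pod-id>).
    line=$(printf '%s\n' "$pods" | awk -v p="$prefix" '$1 ~ ("^" p "-") { print; exit }')
    if [ -z "$line" ]; then
      echo "MISSING: no pod named ${prefix}-*"
      rc=1
      continue
    fi
    set -- $line            # split the row into NAME READY STATUS RESTARTS AGE
    ready=$2; status=$3; restarts=$4
    if [ "$ready" != "1/1" ] || [ "$status" != "Running" ]; then
      echo "NOT READY: $line"
      rc=1
    elif [ "$restarts" != "0" ]; then
      echo "WARN: $restarts restart(s): $line"
    fi
  done
  return $rc
}

# Constructed sample output of `kubectl get pods -n hcl-appscan-sast` for a
# healthy deployment (pod ids are made up).
SAMPLE_GET_PODS='NAME                               READY   STATUS    RESTARTS   AGE
analyzer-7c9d4b5f6-x2k9p           1/1     Running   0          12m
ascp-adapter-5f8b7c9d4-q7m3z       1/1     Running   0          12m
gateway-6d7f8a9b5-h4n2w            1/1     Running   0          12m
preparer-8b9c7d6e5-t5r8y           1/1     Running   0          12m
sast-service-rabbitmq-0            1/1     Running   0          12m
scan-manager-9e8d7c6b5-k3j7v       1/1     Running   0          12m
workflow-manager-4a5b6c7d8-m9p2s   1/1     Running   0          12m'

printf '%s\n' "$SAMPLE_GET_PODS" | check_sast_pods && echo "all expected SAST pods are Running and Ready"
```

The function prints nothing and returns 0 on a healthy namespace, so it drops straight into a post-install pipeline; a missing pod and a pod stuck outside Running are both reported, and the exit status tells the caller whether the browser check that follows is even worth attempting.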
Integration with ASCP
The AppScan 360° Static Analysis ingress URL must be configured in ASCP for successful integration between AppScan 360° components. The URL can be configured while installing or reconfiguring the ASCP server, or as a post-installation step.
Configuring the AppScan 360° SAST ingress

To configure the provided ingress to use https, use the `nginx.ingress.kubernetes.io/backend-protocol` annotation to indicate how NGINX should communicate with the backend service:

- Parameter: `global.ingress.additionalAnnotations`
- Description: List of annotations to configure in the AppScan 360° Static Analysis ingress.
- Example: `nginx.ingress.kubernetes.io/backend-protocol: HTTPS`
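The dotted parameter name above is a path into the values file passed with `-f values.yaml`. The fragment below is an added example, not from the HCL documentation; it assumes that `global.ingress.additionalAnnotations` is a map of annotation name to value, which is the form the documented `key: value` example takes.

```yaml
# values.yaml (added example, not HCL's file); pass it with:
#   ./sast-service.sh --install ... -f values.yaml
# Assumption: additionalAnnotations is a map of annotation name to value.
global:
  ingress:
    additionalAnnotations:
      # Tell the NGINX ingress controller to forward to the gateway service
      # over HTTPS instead of its default plain HTTP.
      nginx.ingress.kubernetes.io/backend-protocol: HTTPS
```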
Reconfiguring AppScan 360° Static Analysis

After the initial deployment of AppScan 360° Static Analysis, subsequent uses of the deployment script reconfigure the Kubernetes clusters using the most recently specified deployment options. You do not need to first remove the clusters. In that case the following message is shown:

> Namespace 'hcl-appscan-sast' already exists. The SAST deployment will be upgraded.
Deployment command options
Parameter | Description | Default value | Required |
---|---|---|---|
`-h`, `-help` | Displays available commands and appropriate usage. | | |
`-i`, `--install` | Deploy AppScan 360° SAST. This flag expects no option values. | N/A | Yes |
`-s`, `--server hostname` | Provides the ASCP server's hostname (FQDN). The ASCP server is configured as part of the AppScan 360° platform install, and is the means by which a user initiates an AppScan 360° Static Analysis scan. | | Yes |
`-cc`, `--cert cert-file-path` | For setting up TLS and HTTPS, provide the fully qualified path to a signed certificate file. | | Yes |
`-ck`, `--cert-key key-file-path` | Provide the corresponding path to the private key for the specified certificate. | | Yes |
`-at`, `--auth-token token` | ASCP connection authorization with SAST services. It also aids the communications and exchanges between the ASCP platform services and AppScan 360° SAST. | | Yes |
`-p`, `--rabbitmq-password pwd-file-path` | Specifies the file path of the RabbitMQ user's password. Note: The RabbitMQ password cannot be changed once configured. | | Yes |
`-sc`, `--storage-class name` | Allows the user to configure the storage provider to use for all AppScan 360° SAST storage requirements. Examples include `local-path`, `azurefile`, and `longhorn`. | | Yes |
`-r`, `--registry registry` | The registry name to load images to. Note: For cloud deployments using an archive file containing SAST images, a registry accessible by the cloud K8S cluster must be provided to ensure image pull is possible during deployment. | | |
`-ru`, `--registry-user username` | Username of the registry provided. | | Yes, except when deploying from an archive file to a local Kubernetes cluster (K3S, for example). |
`-rt`, `--registry-token token-file-path` | Path to a file containing the user authentication token for the specified registry. Note: The token can only be provided using a file, for security reasons. | | Yes, except when deploying from an archive file to a local Kubernetes cluster (K3S, for example). |
`-ro`, `-repo`, `--repository repository` | The repository path to locate the images and Helm charts. | appscan360-sast/sast-service | No |
`-v`, `--version` | The version of AppScan 360° SAST to download. | The version of the script used for the current deployment. | No |
`-t`, `--tag image-tag` | The AppScan 360° SAST version to install. When not specified, the latest version in the repository or archive is used. | Latest available version. | No |
`-n`, `--namespace` | The namespace where AppScan 360° SAST is deployed. | hcl-appscan-sast | No |
`-f`, `--config-file yaml-file-path` | Configure or customize the container deployment with a yaml file specifying configuration details. See Deployment configuration parameters for information on configuring the yaml file. | N/A | No |
`-ih`, `--ingress-host hostname` | A fully qualified domain name (FQDN) to access AppScan 360° SAST post-deployment. If the provided FQDN is not resolvable in the DNS, then ensure the | sast.example.com | No |
`-ic`, `--ingress-class name` | The ingress controller used to expose AppScan 360° SAST through the gateway service. If not specified, no ingress controller is configured. | | No |
`-x`, `--load-images` | When downloading an archive from FNO, this parameter instructs the container images to be loaded from the file system and pushed to the specified container registry. This option should be used for air-gap mode deployments only. | | |
`-verbose` | Produces complete messages related to deployment in the console. | | No |
Examples
> az login ...
> ./sast-service.sh --install \
    --ingress-host test.sast.example.com \
    --server test.ascp.example.com \
    --cert ./AppScan360_RootCA.crt \
    --cert-key ./AppScan360_RootCA.key \
    --auth-token ./AgentsApiKey.txt \
    --rabbitmq-password ./rabbitmq-pwd.txt \
    --registry-user hcl-harbor-user \
    --registry-token ./registry-token.txt \
    --ingress-class nginx \
    --storage-class azurefile

> az login ...
> ./sast-service.sh --install \
    --ingress-host test.sast.example.com \
    --server test.ascp.example.com \
    --cert ./AppScan360_RootCA.crt \
    --cert-key ./AppScan360_RootCA.key \
    --auth-token ./AgentsApiKey.txt \
    --rabbitmq-password ./rabbitmq-pwd.txt \
    --registry appscanregistry.azurecr.io \
    --registry-user azure-user \
    --registry-token ./registry-token.txt \
    --ingress-class nginx \
    --storage-class azurefile \
    --load-images

> ./sast-service.sh --install \
    --ingress-host test.sast.example.com \
    --server test.ascp.example.com \
    --cert ./AppScan360_RootCA.crt \
    --cert-key ./AppScan360_RootCA.key \
    --auth-token ./AgentsApiKey.txt \
    --rabbitmq-password ./rabbitmq-pwd.txt \
    --registry-user hcl-harbor-user \
    --registry-token ./registry-token.txt \
    --ingress-class nginx \
    --storage-class local-path

> ./sast-service.sh --install \
    --ingress-host test.sast.example.com \
    --server test.ascp.example.com \
    --cert ./AppScan360_RootCA.crt \
    --cert-key ./AppScan360_RootCA.key \
    --auth-token ./AgentsApiKey.txt \
    --rabbitmq-password ./rabbitmq-pwd.txt \
    --registry docker.io \
    --ingress-class nginx \
    --storage-class local-path \
    --load-images
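The four commands above differ only in which registry options and storage class they pass, and every one of them reads credentials from files on disk. The script below is an added example, not HCL's code: it validates the inputs those commands take (host names that are real FQDNs, credential files that exist, are non-empty and are not world-readable, a certificate that matches its private key) and then assembles the command for either mode so it can be reviewed before the real install. The helper names (`is_fqdn`, `secret_file_ok`, `cert_key_match`, `build_install_cmd`, `preflight`) and the environment variables it reads are this example's own; the option names are the ones from the deployment guide, and it assumes registry credentials are supplied in both modes, as in the first two examples.

```shell
#!/bin/sh
# Added example, not HCL's code: pre-flight checks for the inputs that
# ./sast-service.sh --install takes, plus assembly of the command for either
# deployment mode. Helper names and environment variables are this example's
# own; the option names are the ones from the deployment guide.

# Placeholder inputs (values taken from the guide's examples; override via env).
: "${INGRESS_HOST:=test.sast.example.com}"
: "${ASCP_HOST:=test.ascp.example.com}"
: "${CERT:=./AppScan360_RootCA.crt}"
: "${CERT_KEY:=./AppScan360_RootCA.key}"
: "${AUTH_TOKEN:=./AgentsApiKey.txt}"
: "${RABBITMQ_PWD:=./rabbitmq-pwd.txt}"
: "${STORAGE_CLASS:=azurefile}"
: "${REGISTRY:=appscanregistry.azurecr.io}"
: "${REGISTRY_USER:=azure-user}"
: "${REGISTRY_TOKEN:=./registry-token.txt}"

# is_fqdn HOST: 0 if HOST is a fully qualified domain name (dot-separated
# labels of letters, digits and inner hyphens); rejects a short name such as
# "localhost" that the ingress and ASCP lookups could not resolve.
is_fqdn() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# secret_file_ok FILE: 0 if FILE exists, is non-empty and is not readable by
# "other". The token, RabbitMQ password and private key files are read as-is,
# so a world-readable copy hands the credential to every local account.
secret_file_ok() {
  [ -s "$1" ] || return 1
  [ -z "$(find "$1" -perm -004)" ]
}

# cert_key_match CERT KEY: 0 if KEY is the private key for CERT, by comparing
# the public keys each one yields (requires openssl).
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# build_install_cmd MODE: print the install command for MODE "harbor" (images
# pulled from HCL Harbor with registry credentials) or "archive" (images loaded
# from the tar.gz and pushed to REGISTRY with --load-images).
build_install_cmd() {
  cmd="./sast-service.sh --install --ingress-host $INGRESS_HOST --server $ASCP_HOST"
  cmd="$cmd --cert $CERT --cert-key $CERT_KEY --auth-token $AUTH_TOKEN"
  cmd="$cmd --rabbitmq-password $RABBITMQ_PWD --storage-class $STORAGE_CLASS --ingress-class nginx"
  case "$1" in
    harbor)  cmd="$cmd --registry-user $REGISTRY_USER --registry-token $REGISTRY_TOKEN" ;;
    archive) cmd="$cmd --registry $REGISTRY --registry-user $REGISTRY_USER --registry-token $REGISTRY_TOKEN --load-images" ;;
    *) echo "unknown mode: $1" >&2; return 1 ;;
  esac
  printf '%s\n' "$cmd"
}

# preflight MODE: run every check, then print (not execute) the command so it
# can be reviewed before the real install. Returns 1 on the first failure.
preflight() {
  is_fqdn "$INGRESS_HOST" || { echo "ingress host is not an FQDN: $INGRESS_HOST" >&2; return 1; }
  is_fqdn "$ASCP_HOST" || { echo "ASCP host is not an FQDN: $ASCP_HOST" >&2; return 1; }
  for f in "$AUTH_TOKEN" "$RABBITMQ_PWD" "$REGISTRY_TOKEN" "$CERT_KEY"; do
    secret_file_ok "$f" || { echo "missing, empty or world-readable: $f" >&2; return 1; }
  done
  cert_key_match "$CERT" "$CERT_KEY" || { echo "certificate and private key do not match" >&2; return 1; }
  build_install_cmd "$1"
}

# Only run the checks when asked, e.g.: RUN_PREFLIGHT=1 MODE=archive sh preflight.sh
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
  preflight "${MODE:-harbor}"
fi
```

The checks mirror the guide's own notes: the RabbitMQ password cannot be changed after install, so a wrong or empty password file is worth catching before the first run, and the registry token "can only be provided using a file for security reasons", which only helps if that file is not readable by every local user. The certificate check needs `openssl` on the machine running the script.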
Accessing AppScan 360° SAST after deployment
> https://<appscan sast url>/swagger-ui/index.html

`--auth-token`. The token can be fetched with the following command:

> kubectl get secrets -n hcl-appscan-sast sast-service-secret -o jsonpath="{.data.SAST_AUTH_TOKEN}" | base64 -d