Deploying a Node.js IAST agent

This topic explains how to create a Node.js IAST agent on your web server.

About this task

Create the Node.js agent using one of the following options:
  • Node.js (agent from npm): Retrieve the agent from the public npm registry using the key obtained from ASoC. Recommended for environments with an internet connection that can access the npm registry.
  • Node.js (download agent): Download the Node.js agent from ASoC as a self-contained tarball, allowing installation without npm access. Recommended for air-gapped or restricted environments without access to the public npm registry.
Note: The Node.js agent is not available for the FIPS-enabled download of AppScan 360°.

Installing the agent from npm

About this task

Create an IAST agent using the Node.js (agent from npm) option.

Procedure

  1. Generate a key for the Node.js agent (through the user interface or API).
    Figure: Displaying the Node.js option to generate the key
  2. On your web server:
    1. Install the agent from the public npm registry:
      npm install @hclsoftware/secagent
    2. Add the following environment variables:
  3. Edit package.json by locating this line:
    "start": "node index.js",
    then replace it with this:
    "start": "node -r @hclsoftware/secagent/src/Iast.js index.js",
    Note: Alternatively, you can add the key to the package.json command as follows:
    • Windows: "start": "set IAST_ACCESS_TOKEN=12345&& node -r @hclsoftware/secagent/src/Iast.js index.js" (no space before &&, so that cmd.exe does not store a trailing space in the value)
    • Linux: "start": "IAST_ACCESS_TOKEN=12354 node -r @hclsoftware/secagent/src/Iast.js index.js"
    Tip: If you use Next to run your applications, the IAST agent can be run with the NODE_OPTIONS environment variable before the original command, for example: NODE_OPTIONS='-r @hclsoftware/secagent/src/Iast.js' next app.js
  4. Start your application using npm start.

Results

The IAST agent monitors requests and reports security issues as you use or test your application (for example, run functional tests, run a Dynamic Scan, or explore the app manually).

Installing from a self-contained package

About this task

Create an IAST agent using the Node.js (download agent) option.

Procedure

  1. On your web server, install the agent from the downloaded file:
    npm install hclsoftware-secagent.tgz
  2. Edit package.json by locating this line:
    "start": "node index.js",
    then replace it with this:
    "start": "node -r @hclsoftware/secagent/src/Iast.js index.js",
    Tip: If you use Next to run your applications, the IAST agent can be run with the NODE_OPTIONS environment variable before the original command, for example: NODE_OPTIONS='-r @hclsoftware/secagent/src/Iast.js' next app.js
  3. Start your application using npm start.

Results

The IAST agent monitors requests and reports security issues as you use or test your application (for example, run functional tests, run a Dynamic Scan, or explore the app manually).
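
The package.json edit from both procedures above, as an added example that is not part of the original page and is not HCL code: a helper that adds the agent preload to the "start" script without duplicating it, and flags a key hardcoded in the script. The function name instrumentStartScript and the sample package are hypothetical; applying the NODE_OPTIONS form to any script that does not call node directly is an assumption that extends the Tip.

```javascript
// Added example, not HCL code. PRELOAD is the agent path given on this page.
const PRELOAD = '@hclsoftware/secagent/src/Iast.js';

// Returns a copy of the parsed package.json with scripts.start preloading the
// agent, whether anything changed, and warnings about the script.
function instrumentStartScript(pkg) {
  const start = pkg.scripts && pkg.scripts.start;
  if (typeof start !== 'string') {
    throw new Error('package.json has no "start" script to instrument');
  }
  const warnings = [];
  // A key written into the script is stored (and committed) with package.json.
  if (/\bIAST_ACCESS_TOKEN=/.test(start)) {
    warnings.push('IAST_ACCESS_TOKEN is hardcoded in the start script');
  }
  let updated = start;
  if (!start.includes(PRELOAD)) {
    // "node" as a command word: at the start, or after whitespace, ;, & or |.
    // The lookahead keeps "nodemon" and "node_modules" from matching.
    const nodeCmd = /(^|[\s;&|])node(?=\s)/;
    if (nodeCmd.test(start)) {
      updated = start.replace(nodeCmd, `$1node -r ${PRELOAD}`);
    } else {
      // No direct node call (for example "next app.js"): use the NODE_OPTIONS
      // form from the Tip. Assumption: the script runs in a POSIX shell.
      updated = `NODE_OPTIONS='-r ${PRELOAD}' ${start}`;
    }
  }
  return {
    pkg: { ...pkg, scripts: { ...pkg.scripts, start: updated } },
    changed: updated !== start,
    warnings,
  };
}

// Constructed sample input.
const sample = { name: 'demo-app', scripts: { start: 'node index.js' } };
console.log(instrumentStartScript(sample).pkg.scripts.start);
```

Running the helper a second time on its own output leaves the script unchanged, so it can be used as a deployment check as well as a one-time edit.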