Installing AppScan 360° with Helm

💡 Best Practice: It is recommended to run AppScan 360 Setup Assistant before every new installation or major upgrade to ensure environmental readiness and prevent installation failures.

A Helm installation of AppScan 360° requires a persistent, reliable Internet connection in addition the requirements for setting up the AppScan 360° environment. The system must be able in download Helm charts from HCL Harbor regularly.

Before installing AppScan 360° with Helm:
  • Verify that you have a stable and persistent Internet connection for downloading Helm charts from GitHub, and for fetching Docker images and Helm packages from HCL Harbor.
  • The configuration file is available and named properly.

Install helmfile

To install helmfile:
  1. Download the helmfile binary file:
    wget -O helmfile.tar.gz $(curl -s https://api.github.com/repos/helmfile/helmfile/releases/latest | grep browser_download_url | grep linux_amd64.tar.gz | cut -d '"' -f 4)
  2. Extract the archive:
    tar -xvzf helmfile.tar.gz
  3. Move the helmfile binary to an appropriate local directory.
    For example, usr/local/bin/.
    sudo mv helmfile /usr/local/bin/
  4. Give executable permission to the file:
    sudo chmod +x /usr/local/bin/
sudo chmod +x /usr/local/bin/helmfile
  5. Verify the installation:
    helmfile --version
    Note: Always verify you are using the intended version to ensure consistency across deployments. If the Helm version is upgraded to 4, the Helmfile binary must also be updated to the latest version.

Setup the Harbor connection

To setup the connection to Harbor, either:
  • Use the Docker login with your username and password as defined in cli-secret:
    docker login hclcr.io
  • Set environment variables for the docker/config.json file:
    export HCLCR_USERNAME=<harbor-username>
export HCLCR_PASSWORD=<harbor-password/cli-secret>
  • Set environment variables for base64 encoding:
    export AS360_KNI_JSON_CONFIG_AS_BASE64="<base64-value-of-docker-config.json>"

Setup the GitHub repository

The repository for AppScan 360° Helm is hosted on a private GitHub server. Clone the appropriate repository at https://github.com/HCL-TECH-SOFTWARE/ to populate the local repository properly:
git clone https://github.com/HCL-TECH-SOFTWARE/AppScan-360-Helm-Files
After cloning, verify the local repository has the following structure:
AppScan-360-Helm-Files
├── Copy Artifacts
│   ├── artifactList.txt        # List of images/charts to sync
│   ├── copy-artifacts.sh       # The synchronization script
├── Helm.d
│   ├── helmfile-ASCP.yaml.gotmpl
│   ├── helmfile-ASRA.yaml.gotmpl
│   ├── helmfile-SCA.yaml.gotmpl
│   ├── helmfile-DTCS.yaml.gotmpl
│   └── helmFileCustomization
│       └── singular-singular.clusterKit-Sample.yaml  # Main config file
├── helmfile.yaml.gotmpl
└── README.md

Install AppScan 360°

From the cloned repository (AppScan-360-Helm-Files), run:
helmfile sync

Include Software Composition Analysis (SCA)

Software Composition Analysis (SCA) is included when you install AppScan 360° with a parameter.
Note: Software Composition Analysis (SCA) is not included in the AppScan 360° by default; you must enable it.
To include SCA:
includeSCA=true helmfile sync
To disable SCA, you must uninstall AppScan 360° completely:
includeSCA=true helmfile destroy
To enable automatic updates of the Software Composition Analysis (SCA) vulnerability database, set the following environment variables that point to the HCL Harbor registry with the correct credentials.
export SCA_AUTOUPDATER_REGISTRY_USERNAME=<HCL_HARBOR_USERNAME>
export SCA_AUTOUPDATER_REGISTRY_PASSWORD=<HCL_HARBOR_PASSWORD>
Important: If you do not set up automatic updates, you must update the vulnerability database manually.

Dast Template Converter Service (DTCS)

By default DTCS is installed along with AppScan360 other components.

In case customer doesn’t want to have Dast technology installed, they can skip this component by following command.

To exclude Dast Template Converter Service:
excludeDTCS=true helmfile sync
To disable DAST, you must uninstall AppScan 360° completely:
excludeDTCS=true helmfile destroy

Unified namespace support

To install to a common namespace for all modules:
helmfile -n hcl-appscan-as360 sync
To uninstall from a unified namespace
helmfile -n hcl-appscan-as360 destroy

Version support using Git tags and archives

AppScan 360° supports version-controlled installation using Git tags and archives.
To clone the latest version of AppScan 360° using Git:
git clone 
https://github.com/HCL-TECH-SOFTWARE/AppScan-360-Helm-Files.git
To clone a specific version of AppScan 360° using Git, where X.X.X is the specific version number:
git clone --branch vX.X.X 
https://github.com/HCL-TECH-SOFTWARE/AppScan-360-Helm-Files.git
To download an archive directly, where X.X.X is the specific version number:
wget https://github.com/HCL-TECH-SOFTWARE/AppScan-360-Helm-Files/archive/refs/tags/vX.X.X.zip
To extract a specific archive, where X.X.X is the specific version number:
unzip AppScan-360-Helm-Files-vX.X.X.zip
or
tar -xvzf AppScan-360-Helm-Files-vX.X.X.tar.gz
Note: If you download archives, upgrades must be performed manually by re-downloading new versions. In-place upgrades using Git pull is not available.

Troubleshooting Helm installation

  • Release names:
    Component Release name Namespace
    AppScan 360° platform appscan360-ascp hcl-appscan-ascp
    AppScan Remediation Advisories asra hcl-appscan-asra
    Software Composition Analysis (SCA) (Optional) scaservices hcl-appscan-sca

  • No state file found

    The state file must be named helmfile.d/*.
    1. Navigate to AppScan-360-Helm-Files -> helm.d
    2. Run run helmfile sync

  • ./helmfile.yaml: in .helmfiles[0]: in helm.d/helmfile-ASCP.yaml: failed processing release appscan360-ascp: values file matching "helmFileCustomizations/singular-singular.clusterKit.yaml" does not exist in "."

    The properties file (singular-singular.clusterKit.yaml) is missing. Verify the file is in the correct location and try again.

  • Failed to pull helm-packages or docker images

    The Docker login is missing, or HCLCR_USERNAME and HCLCR_PASSWORD environment variable is missing. Verify the login information and try again.

  • Failed to get pull secret

    The .docker/config.json file is missing or AS360_KNI_JSON_CONFIG_AS_BASE64 with appropriate value is not defined. Verify the login information and try again.