Configuring scan automation with Azure and containers
The HCL® AppScan® Source command line interface (CLI) container, available from HCL Harbor and the My HCLSoftware portal (MHS), can be used to automate static analysis scans from Azure DevOps without installing a full instance of AppScan® Source.
Prerequisites
- Azure environment, including one or more Linux agents/hosts with Podman installed. This is the system that is targeted to run a static analysis scan using the CLI container.
- A valid license for AppScan® Source for Automation and the relevant license server information.
- AppScan® Source CLI container image. Download the AppScan® Source CLI container image from HCL Harbor or the My HCLSoftware portal. With a valid license, your HCL ID grants access to these locations.
- AppScan® Source CLI script. A script is required for scanning with the container in an Azure pipeline.
- Access to content on the Azure host/agent from the container. The application to be scanned must be accessible from the Azure host running the scan.
Note: Volume mapping (mapping a path on the container host to a path in the container) is used for this purpose when the scan container is started.
Prepare the application to be scanned
paf/ppf file scanning
- Generate the paf/ppf file using the HCL® AppScan® Source for Analysis client on a Linux system that has AppScan® Source installed. Ensure that the paf and ppf files are located at the root of the application to be scanned.
- Ensure that the application files and the paf/ppf files are accessible from the Azure host/agent. For example, if the application is accessible at root path /usr/user1/SampleApp on the Azure host/agent, the paf/ppf files are located at /usr/user1/SampleApp/SampleApp.paf and /usr/user1/SampleApp/SampleApp.ppf.
- Determine the name of the volume as seen by the container. For example, map /usr/user1 on the host to cvol in the container. Note: The volume mapping is specified when running the CLI in the container; every path inside the CLI script must use the container-side mount point, not the host path.
- Create the CLI script. For example, SampleApp.script in /usr/user1/SampleApp. For this example, the script tells the container to access the application content using the cvol path. The commands listed are those used with the AppScan® Source CLI (Scanning without manual intervention):
  login …
  oa /cvol/SampleApp/SampleApp.ppf
  scan …
  logout
Folder scanning
- Ensure that the application files are accessible from the Azure host/agent. For example, the application is accessible at path /usr/user1/SampleApp on the Azure host/agent.
- Determine the name of the volume as seen by the container. For example, map /usr/user1 on the host to cvol in the container. Note: The volume mapping is specified when running the CLI in the container.
- Create the CLI script. For example, SampleApp.script in /usr/user1/SampleApp:
  login …
  of /cvol/SampleApp
  scan …
  logout
Prepare the Azure DevOps pipeline environment
The pipeline can be prepared in one of three ways:
- Using the container image from the My HCLSoftware portal with the classic editor.
- Using the container image from HCL Harbor with the classic editor.
- Using the container image from HCL Harbor with a YAML configuration file.
To prepare the Azure DevOps pipeline using the container image from My HCLSoftware portal using the classic editor
- Download the AppScan® Source CLI container image to the Azure VM from the My HCLSoftware portal.
- Load the CLI container image using the podman load command.
- Inside the Azure DevOps organization, create a new pipeline using the classic editor. Click Use the classic editor.
- Select the repository and branch where the project to be scanned and the CLI script are stored, and click Continue.
- Select Azure Repos Git as the source.
- Select the Team project.
- Select the Repository.
- Select the Azure Agent pool that contains the Azure VM configured with the AppScan® Source CLI container.
- Add a new Podman task to load the image. Include these specifications:
  - Task Version: 0
  - Display Name: Specify a name or use the default.
  - Container Registry Type: Specify the registry type or use the default.
  - Podman Registry Service Connection: Specify a connection or use the default.
  - Action: Run a Podman command
  - Command: load -i /usr/user1/appscan-src-cli-10.2.0.tar.gz
    Use the file name of the archive you actually downloaded; the image it contains must match the image name and tag used by the run and clean-up tasks below (appscan/appscan-src-cli:10.10.0 in this example).
- Add a new Podman task to run the image with these specifications:
  - Task Version: 1
  - Display Name: Specify a name or use the default.
  - Container Registry Type: Specify the registry type or use the default.
  - Podman Registry Service Connection: Specify a connection or use the default.
  - Command: run
  - Arguments: --rm
  - Image name: appscan/appscan-src-cli:10.10.0
  - Volumes: /usr/user1:/wa
  - Environment variables:
    AS_INSTALL_MODE=standalone
    AS_LICENSE_URL=<license_server_url>
  - Container command: script /wa/cli.script
    With the volume mapping above, /wa/cli.script inside the container corresponds to /usr/user1/cli.script on the host; the paths inside the script must likewise start with /wa.
- Add a new Podman task for clean-up with these specifications:
- Task Version: 0
- Display Name: Specify a name or use the default.
- Container Registry Type: Specify the registry type or use the default.
- Podman Registry Service Connection: Specify a connection or use the default.
- Action: Run a Podman command
- Command:
rmi appscan/appscan-src-cli:10.10.0
To prepare the Azure DevOps pipeline using the container image from HCL Harbor using the classic editor
- Create a file (for example, env.list) containing the environment variables that must be made available to the CLI container during a scan. Include the following required information:
  AS_INSTALL_MODE=standalone
  AS_LICENSE_URL=<license server url>
  A complete list of parameters is documented separately.
- Inside the Azure DevOps organization, create a new pipeline using the classic editor. Click Use the classic editor.
- Select the repository and branch where the project to be scanned and the CLI script are stored, and click Continue.
- Select Azure Repos Git as the source.
- Select the Team project.
- Select the Repository.
- Select the Azure Agent pool that contains the Azure VM configured with the AppScan® Source CLI container.
- Add a new Podman task to run the image with these specifications:
  - Task Version: 2
  - Display Name: Specify a name or use the default.
  - Container Registry: Specify the registry type or use the default.
  - Action: Run a Podman command
  - Command: run
  - Arguments: --rm --env-file /usr/user1/env.list -v $(Agent.BuildDirectory)/s:/wa hclcr.io/appscan/appscan-src-cli:10.10.0 script /wa/cli.script
    Here $(Agent.BuildDirectory)/s is the checked-out repository on the agent, so cli.script must be committed at the repository root; env.list is read from the agent's file system, not from the repository.
- Add a new Podman task for clean-up with these specifications:
  - Task Version: 0
  - Display Name: Specify a name or use the default.
  - Container Registry Type: Specify the registry type or use the default.
  - Podman Registry Service Connection: Specify a connection or use the default.
  - Action: Run a Podman command
  - Command: rmi hclcr.io/appscan/appscan-src-cli:10.10.0
    Use the same fully qualified image name that the run task pulled from HCL Harbor so that the clean-up removes the image that was actually used.
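The following script is an added example for this page; it is not HCL's code and not part of the AppScan® Source product. It ties together the "Prepare the application to be scanned" steps and the classic-editor Podman tasks: it checks that the paf/ppf files sit at the application root, translates host paths to their container-side equivalents under a HOST_ROOT:MOUNT volume mapping, writes the CLI script with those container paths, writes env.list with owner-only permissions, and composes the same podman run command the pipeline task issues. The mount point /wa, the file names cli.script and env.list, the image tag, and the temporary directory standing in for /usr/user1 on the agent are assumptions of the example, not taken from the page; the login and scan arguments are elided on the page and are left as the same placeholders here.

```sh
#!/bin/sh
# Added example (not HCL's code). Prepares a scan directory for the AppScan
# Source CLI container and composes the pipeline's "podman run" command.
# Assumptions: mount point /wa, file names cli.script and env.list, image tag
# hclcr.io/appscan/appscan-src-cli:10.10.0, and a temp dir in place of /usr/user1.

# Translate a host path to its container path under the mapping HOST_ROOT:MOUNT.
# Anything outside HOST_ROOT is rejected, because the container cannot see it.
to_container_path() {  # host_root mount host_path
  case "$3" in
    "$1"|"$1"/*) printf '%s%s\n' "$2" "${3#"$1"}" ;;
    *) echo "not under $1: $3" >&2; return 1 ;;
  esac
}

# The paf and ppf files must sit at the application root for a ppf-mode scan.
check_ppf_root() {  # app_dir app_name
  [ -f "$1/$2.paf" ] && [ -f "$1/$2.ppf" ]
}

# Emit the CLI script body using container-side paths. Mode "ppf" opens the
# .ppf at the application root (oa); mode "folder" opens the application
# directory (of). "login …" and "scan …" are the page's own placeholders.
cli_script() {  # mode container_app_dir app_name
  case "$1" in
    ppf)    open_cmd="oa $2/$3.ppf" ;;
    folder) open_cmd="of $2" ;;
    *) echo "unknown mode: $1" >&2; return 1 ;;
  esac
  printf '%s\n' "login …" "$open_cmd" "scan …" "logout"
}

# Write env.list readable by the owner only; the licence URL comes from the
# environment (for example a pipeline variable), not from the repository.
write_env_list() {  # path license_url
  ( umask 077; printf 'AS_INSTALL_MODE=standalone\nAS_LICENSE_URL=%s\n' "$2" > "$1" )
}

# Compose the run command used by the classic-editor tasks: --rm, --env-file,
# -v HOST_ROOT:MOUNT, the image, then "script <container path of cli.script>".
podman_run_cmd() {  # host_root mount env_file image script_host_path
  script_in_ctr=$(to_container_path "$1" "$2" "$5") || return 1
  printf 'podman run --rm --env-file %s -v %s:%s %s script %s\n' \
    "$3" "$1" "$2" "$4" "$script_in_ctr"
}

# Walk through the steps on a constructed sample tree and print the command;
# pipe the output to sh on an agent that has Podman and the licence server.
demo() {
  root=$(mktemp -d)                     # stands in for /usr/user1 on the agent
  app="$root/SampleApp"
  mkdir -p "$app"
  : > "$app/SampleApp.paf"; : > "$app/SampleApp.ppf"   # constructed stand-ins
  check_ppf_root "$app" SampleApp || { echo "paf/ppf not at application root" >&2; return 1; }
  cli_script ppf "$(to_container_path "$root" /wa "$app")" SampleApp > "$app/cli.script"
  write_env_list "$root/env.list" "${AS_LICENSE_URL:-<license_server_url>}"
  podman_run_cmd "$root" /wa "$root/env.list" \
    hclcr.io/appscan/appscan-src-cli:10.10.0 "$app/cli.script"
  rm -rf "$root"
}

demo
```

The demo only prints the command; run it with `sh -c "$(sh prepare_scan.sh)"` (or paste the output into the pipeline's Arguments field) on the agent that actually holds the image. Because to_container_path refuses any path outside HOST_ROOT, a script or application directory that was left outside the mapped volume fails the preparation step rather than failing later inside the container with a missing-file error.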
To prepare the Azure DevOps pipeline using the container image from HCL Harbor using YAML
Use the following sample pipeline as a guide to run a static analysis scan using an AppScan® Source CLI container from HCL Harbor. The Podman@1 task pulls the image through the MyConnection service connection, mounts the downloaded sources at /wa and runs the CLI script; the Podman@0 task removes the image afterwards.
trigger:
- main

pool:
  name: Ubuntu-VM-pool   # self-hosted agent pool that contains the VM with Podman

steps:
# Add any step that places the sources to be scanned and cli.script under
# $(Agent.WorkFolder) before the scan task runs.
- task: Podman@1
  displayName: 'Run an image'
  inputs:
    containerregistrytype: 'Container Registry'
    podmanRegistryEndpoint: 'MyConnection'
    command: 'Run an image'
    arguments: '--rm'
    imageName: 'hclcr.io/appscan/appscan-src-cli:10.10.0'
    volumes: '$(Agent.WorkFolder)/<path to downloaded source files>:/wa'
    envVars: |
      AS_INSTALL_MODE=standalone
      AS_LICENSE_TYPE=CLS
      AS_LICENSE_SERVER_ID=<specify the license server ID>
      AS_LICENSE_SERVER=<specify the license server name>
    containerCommand: 'script /wa/cli.script'
    runInBackground: false
- task: Podman@0
  displayName: Clean
  inputs:
    containerregistrytype: 'Container Registry'
    podmanRegistryConnection: 'MyConnection'
    action: 'Run a Podman command'
    customCommand: 'rmi hclcr.io/appscan/appscan-src-cli:10.10.0'
Initiate a static analysis scan using the container image
To initiate the scan using the pipeline:
- In Azure, make sure the Azure VM in the Azure Agent pool is online.
- From Pipelines page, select the pipeline to run.
- Select Run pipeline to start the static analysis scan.