Configuring scan automation with GitLab CI/CD and containers

The HCL® AppScan® Source command line interface (CLI) container, available from HCL Harbor and the My HCLSoftware portal, can be used to automate static analysis scans with GitLab without installing a full instance of AppScan® Source.

The main steps for scanning using a container are:
  1. Prepare the application.
  2. Prepare the GitLab CI/CD using the container image from My HCLSoftware portal.
  3. Initiate the scan using GitLab CI/CD runners.

Prerequisites

Before you begin, ensure your environment meets these requirements:
  • GitLab CI/CD environment: One or more Linux RHEL 7.9-based GitLab CI/CD runners with Podman installed.

    This is the system that is targeted to run a static analysis scan using the CLI container.

  • A valid license for AppScan® Source for Automation and relevant license server information.

  • AppScan® Source CLI container image

    Download the AppScan® Source CLI container image from HCL Harbor or My HCLSoftware portal. With a valid license, your HCL ID grants access to these locations.

  • AppScan® Source CLI script

    A script is required for scanning with the container using GitLab CI/CD.

  • AppScan® Source project (.ppf) and application (.paf) files: Use AppScan® Source for Analysis to generate the configuration files (requires an AppScan® Source installation on a Linux system that has access to the scan target).
  • Access to content on the GitLab CI/CD runners from the container:
    • The application to be scanned should be present in GitLab and accessible from the GitLab CI/CD runners running the scan.
    • The .paf/.ppf files
    Note: Volume mapping (mapping path on the container host to a path in the container) is used for this purpose during instantiation of a scan.

Prepare the application to be scanned

Prepare the application for scanning using either:
  • paf/ppf files
  • folder scanning

Prepare the application to be scanned using paf/ppf files
  1. Generate the paf/ppf file using the HCL® AppScan® Source for Analysis client on a Linux system that has AppScan® Source installed.

    Ensure that the paf and ppf files are located at the root of the application to be scanned.

  2. Ensure that the application files and the paf/ppf files are accessible from the GitLab CI/CD runners.

    For example, if the application is accessible at root path /usr/user1/SampleApp on the GitLab CI/CD runners, the paf/ppf files are located at /usr/user1/SampleApp/SampleApp.paf and /usr/user1/SampleApp/SampleApp.ppf.

  3. Determine the name of the volume as seen by the container.
    For example, map /usr/user1 on the host to cvol in the container.
    Note: The volume mapping is specified when running the CLI in the container.
  4. Create the CLI script. For example, SampleApp.script in /usr/user1/SampleApp.
    For this example, the script tells the container to access the application content using the cvol path, so the host path /usr/user1/SampleApp/SampleApp.ppf becomes /cvol/SampleApp/SampleApp.ppf inside the container. The commands listed are those used with the AppScan® Source CLI (Scanning without manual intervention).
    login …
    oa /cvol/SampleApp/SampleApp.ppf
    scan
    …
    logout
Prepare the application for folder scan:
  1. Ensure that the application files are accessible from the GitLab CI/CD runners.

    For example, the application is accessible at path /usr/user1/SampleApp on the GitLab CI/CD runners.

  2. Determine the name of the volume as seen by the container.
    For example, map /usr/user1 on the host to cvol in the container.
    Note: The volume mapping is specified when running the CLI in the container.
  3. Create the CLI script. For example, SampleApp.script in /usr/user1/SampleApp.
    login …
    oa /cvol/SampleApp/SampleAll.ppf
    scan
    …
    logout
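A common cause of a failed container run is a CLI script whose oa path does not resolve through the volume mapping (wrong mount prefix, or a file name that does not match the .paf/.ppf on disk). The preflight check below is an added example, not part of HCL's documentation or tooling; it assumes the host directory is mounted at the given container path (for example /usr/user1 as /cvol) and applies to both the paf/ppf and the folder-scan script variants above.

```shell
#!/bin/sh
# Preflight check for an AppScan Source CLI script before running it in the container.
# Added example (not HCL's code). Assumes the host directory HOST_DIR is mounted in the
# container at CONTAINER_MOUNT (e.g. /usr/user1 -> /cvol) and the script uses "oa <path>".

# Translate a container-side path into the host-side path using the volume mapping.
# Usage: to_host_path HOST_DIR CONTAINER_MOUNT CONTAINER_PATH ; fails if not under the mount.
to_host_path() {
  host_dir=$1; mount=$2; cpath=$3
  case "$cpath" in
    "$mount"/*)
      rest=${cpath#"$mount"}
      printf '%s\n' "$host_dir$rest" ;;
    *) return 1 ;;
  esac
}

# Check every "oa" line in SCRIPT: the path must lie under the mount and exist on the host.
# Prints one line per problem; returns 0 only when all referenced files are present.
check_script() {
  host_dir=$1; mount=$2; script=$3; rc=0
  while read -r cmd arg _; do
    [ "$cmd" = "oa" ] || continue
    if hpath=$(to_host_path "$host_dir" "$mount" "$arg"); then
      [ -f "$hpath" ] || { echo "missing on host: $arg -> $hpath"; rc=1; }
    else
      echo "not under $mount: $arg"; rc=1
    fi
  done < "$script"
  return $rc
}
```

Run it on the runner as `check_script /usr/user1 /cvol /usr/user1/SampleApp/SampleApp.script` before the podman run step; a non-zero exit means the container would fail to open the application.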

Prepare the runtime environment on the GitLab CI/CD runners

To prepare the runtime environment on the GitLab CI/CD runners:
  1. Download the AppScan® Source CLI container image to the GitLab runner host from the My HCLSoftware portal, or pull it directly from HCL Harbor.

    If the image was downloaded from the My HCLSoftware portal, load it with the podman load command.

  2. Create a .yaml CI/CD file that runs the static analysis scan using the AppScan® Source CLI container image from HCL Harbor. The env.list file supplies the environment variables the container needs, and the -v option maps the checked-out project directory to /wa inside the container, so the CLI script it runs must reference paths under /wa. For example:
    # Basic GitLab CI/CD pipeline that runs an AppScan Source scan in the CLI container

    variables:
        GIT_STRATEGY: clone       # check out a fresh copy of the repository for every job

    build-job:
        stage: build
        script:
            - echo "Hello, $GITLAB_USER_LOGIN!"
            # make the checkout writable by the user inside the container
            - chmod -R 777 $CI_PROJECT_DIR
            # --env-file passes the container's environment variables from env.list in the checkout;
            # -v mounts the checkout at /wa, so the CLI script is referenced as /wa/<script>
            - podman run --rm --env-file $CI_PROJECT_DIR/env.list -v $CI_PROJECT_DIR/:/wa hclcr.io/appscan/appscan-src-cli:10.3.0 script /wa/CLI_jspWIKI.script
            - echo "Success, Scan complete"
            # remove the checkout (and anything the scan wrote into it) from the runner
            - rm -vrf $CI_PROJECT_DIR
            - echo "Clean up done"

Initiate a static analysis scan using the GitLab CI/CD runner

To initiate the static analysis scan:
  1. Make sure the GitLab CI/CD runner is online. In GitLab, select Admin > Runners to verify its status.
  2. Select Admin > Jobs to start a static analysis scan using the .yaml file present in the branch.
Note: As of version 10.3.0, AppScan® Source supports containerization using Podman. Since Docker is not supported in Red Hat Enterprise Linux 8 and 9, use Podman if your host is running RHEL 8 or 9. Podman supports all major Docker commands; replace Docker with Podman in the examples in this topic to create containers and scan in the Podman environment.