Configuring scan automation with Jenkins and containers

The HCL® AppScan® Source command line interface (CLI) container, available from HCL Harbor and My HCLSoftware portal (MHS), can be used to automate static analysis scans with Jenkins, and without installing a full instance of AppScan® Source.

Prerequisites

Before you begin, ensure your environment meets these requirements:
  • Jenkins environment, including one or more Linux agents/hosts with Podman installed.

    This is the system that is targeted to run a static analysis scan using the CLI container.

  • A valid license for AppScan® Source for Automation and relevant license server information.

  • AppScan® Source CLI container image

    Download the AppScan® Source CLI container image from HCL Harbor or My HCLSoftware portal. With a valid license, your HCL ID grants access to these locations.

  • AppScan® Source CLI script

    A script is required for scanning with the container in a Jenkins pipeline.

  • Access to content on the Jenkins host / agent from the container:

    The application to be scanned must be accessible from the Jenkins host running the scan.

    Note: Volume mapping (mapping path on the container host to a path in the container) is used for this purpose during instantiation of a scan.

Prepare the application to be scanned

Prepare the application for scanning using either:
  • paf/ppf files
  • folder scanning
Prepare the application to be scanned using paf/ppf files
  1. Generate the paf/ppf file using the HCL® AppScan® Source for Analysis client on a Linux system that has AppScan® Source installed.

    Ensure that the paf and ppf files are located at the root of the application to be scanned.

  2. Ensure that the application files and the paf/ppf files are accessible from the Jenkins host/agent.

    For example, if the application is accessible at root path /usr/user1/SampleApp on the Jenkins host/agent, the paf/ppf files are located at /usr/user1/SampleApp/SampleApp.paf and /usr/user1/SampleApp/SampleApp.ppf.

  3. Determine the name of the volume as seen by the container.
    For example, map /usr/user1 on the host to cvol in the container.
    Note: The volume mapping is specified when running the CLI in the container.
  4. Create the CLI script. For example, SampleApp.script in /usr/user1/SampleApp.
    For this example, the script tells the container to access the application content using the cvol path (the container-side name of the volume, not the host path). The commands listed are those used with the AppScan® Source CLI (Scanning without manual intervention).
    login …
    oa /cvol/SampleApp/SampleApp.ppf
    scan
    …
    logout
Prepare the application for folder scan:
  1. Ensure that the application files are accessible from the Jenkins host/agent.

    For example, the application is accessible at path /usr/user1/SampleApp on the Jenkins host/agent.

  2. Determine the name of the volume as seen by the container.
    For example, map /usr/user1 on the host to cvol in the container.
    Note: The volume mapping is specified when running the CLI in the container.
  3. Create the CLI script. For example, SampleApp.script in /usr/user1/SampleApp. The of command points at the application folder through the container-side volume path.
    login …
    of /cvol/SampleApp
    scan
    …
    logout

Prepare the runtime environment on the Jenkins host/agent

To prepare the runtime environment on the Jenkins host/agent:
  1. Download the AppScan® Source CLI container to the Jenkins host from My HCLSoftware portal or access directly from HCL Harbor.

    Load the CLI container image using the podman load command if downloaded from MHS.

  2. Create a file (for example, env.list) containing a list of environment variables that must be made available to the CLI container during a scan. Some of the required information includes:
    AS_INSTALL_MODE=standalone
    AS_LICENSE_URL=<license server url>
    A complete list of parameters can be found here.

Initiate a static analysis scan using the container image

Initiate the scan in one of two ways:

Initiate a scan using container image from HCL Harbor

Run the scan using a Linux shell command or the Podman Jenkins plugin:
  • Linux
    Incorporate the following shell command into a Jenkins pipeline to scan the SampleApp. Note that /usr/user1 on the Jenkins host/agent is mapped to cvol in the container. Adjust the version string based on the desired version of the CLI container.
    sh "podman run --rm --volume /usr/user1:/cvol --env-file /cvol/SampleApp/env.list hclcr.io/appscan/appscan-src-cli:10.10.0 script /cvol/SampleApp/SampleApp.script"
  • Podman Jenkins plugin
    Incorporate the following Podman Jenkins plugin API into a Jenkins pipeline to scan the SampleApp. Note that /usr/user1 on the Jenkins host/agent is mapped to cvol in the container. Adjust the version string based on the desired version of the CLI container.
    podman.image('hclcr.io/appscan/appscan-src-cli:10.10.0').run('--name container-SampleApp --rm --volume /usr/user1:/cvol --env-file /cvol/SampleApp/env.list script /cvol/SampleApp/SampleApp.script')
    
    sh "podman logs --follow container-SampleApp"

Initiate a scan using the container image from My HCLSoftware portal

The AppScan® Source CLI container image is available in My HCLSoftware portal in archive format (tar.gz). The container image must be loaded prior to use to scan.
  1. Download the container image to the Jenkins host/agent. For example, /appscansrc/appscan-src-cli-10.10.0.tar.gz.

    The container image must be loaded prior to use.

  2. Run the scan using a Linux shell command or the Podman Jenkins plugin:
    • Linux
      Incorporate the following shell commands into a Jenkins pipeline to scan the SampleApp. The first loads the image archive downloaded in step 1; the second runs the scan. Note that /usr/user1 on the Jenkins host/agent is mapped to cvol in the container. Adjust the version string based on the desired version of the CLI container.
      sh "podman load -i /appscansrc/appscan-src-cli-10.10.0.tar.gz"
      
      sh "podman run --rm --env-file /cvol/SampleApp/env.list --volume /usr/user1:/cvol appscansrc/appscan-src-cli:10.10.0 script /cvol/SampleApp/SampleApp.script"
    • Podman Jenkins plugin
      Incorporate the following Podman Jenkins plugin API into a Jenkins pipeline to scan the SampleApp. Note that /usr/user1 on the Jenkins host/agent is mapped to cvol in the container. Adjust the version string based on the desired version of the CLI container.
      podman.image('appscan-src-cli:10.10.0').run('--name container-SampleApp --rm --volume /usr/user1:/cvol --env-file /cvol/SampleApp/env.list script /cvol/SampleApp/SampleApp.script')
      
      sh "podman logs --follow container-SampleApp"
Note: As of version 10.3.0, AppScan® Source supports containerization using Podman. Since Docker is not supported in Red Hat Enterprise Linux 8 and 9, use Podman if your host is running RHEL 8 or 9. Podman supports all major Docker commands; replace Docker with Podman in the examples in this topic to create containers and scan in the Podman environment.
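The two things that most often go wrong with the procedure above are a CLI script that names the host path (/usr/user1/...) instead of the container-side volume path (/cvol/...), and an env.list without the required license settings. The following pre-flight script is an added example, not part of the HCL documentation or product: it translates each oa/of target in the script back to its host path and checks it exists, verifies env.list, and builds the podman run line used in both the HCL Harbor and My HCLSoftware variants. Host directory, volume name and image tag are the page's example values; the fixture files it creates are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the AppScan Source docs): pre-flight checks before
# running the AppScan Source CLI container from a Jenkins "sh" step.

# Translate a container path (/cvol/SampleApp/x) back to the host path it is
# mapped from; fails if the path is not under the volume the container sees.
to_host_path() {            # $1 host_dir  $2 vol  $3 container_path
  case "$3" in
    "/$2"/*) printf '%s/%s\n' "$1" "${3#/$2/}" ;;
    *) return 1 ;;
  esac
}

# Check every "oa" (ppf) and "of" (folder) target in the CLI script: it must use
# the volume path the container will see, and must exist on the host side.
check_script_paths() {      # $1 host_dir  $2 vol  $3 script_file
  rc=0
  while read -r cmd target _; do
    case "$cmd" in oa|of) ;; *) continue ;; esac
    host=$(to_host_path "$1" "$2" "$target") ||
      { echo "$cmd $target: not under /$2/ (host path in script?)" >&2; rc=1; continue; }
    [ -e "$host" ] || { echo "$cmd $target: $host missing on host" >&2; rc=1; }
  done < "$3"
  return $rc
}

# Require the two environment variables the page lists for the container.
check_env_file() {          # $1 env_file
  [ -f "$1" ] || return 1
  grep -q '^AS_INSTALL_MODE=' "$1" && grep -q '^AS_LICENSE_URL=.' "$1"
}

# Build the podman command line; printed rather than run so the pipeline can
# log it and so this example does not need podman installed.
build_podman_cmd() {        # $1 host_dir  $2 vol  $3 app  $4 image
  printf 'podman run --rm --volume %s:/%s --env-file /%s/%s/env.list %s script /%s/%s/%s.script\n' \
    "$1" "$2" "$2" "$3" "$4" "$2" "$3" "$3"
}

# Constructed sample tree mimicking /usr/user1/SampleApp from the page.
make_sample_fixture() {     # $1 host_dir
  mkdir -p "$1/SampleApp/src"
  : > "$1/SampleApp/SampleApp.ppf"
  printf 'AS_INSTALL_MODE=standalone\nAS_LICENSE_URL=https://license.example.invalid:27000\n' \
    > "$1/SampleApp/env.list"
  printf 'login example\noa /cvol/SampleApp/SampleApp.ppf\nscan\nlogout\n' \
    > "$1/SampleApp/SampleApp.script"
}
```

In a pipeline, run check_env_file and check_script_paths against the real /usr/user1 tree first, then pass the output of build_podman_cmd to an sh step.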