Deploying AppScan 360° Static Analysis clusters

AppScan 360° Static Analysis can be deployed to any Kubernetes environment. The AppScan 360° SAST deployment-related Helm charts can be accessed from HCL Harbor or from the archive file (tar.gz) downloaded from the HCL License and Download Portal. Either bundle contains a script (sast-service.sh) that simplifies the deployment steps.

Deploying AppScan 360° Static Analysis using Helm charts from HCL Harbor

After downloading the Helm chart from Harbor:
  1. Ensure you are connected to the correct Kubernetes cluster.

    Verify you have the right cluster config file in the .kube folder.

  2. Get the ASCP server hostname.

    For example, ascp.example.com

  3. Retrieve the authentication token, certificate, and private key files from ASCP server to the current machine.
    • The authentication token can be specified to the AppScan 360° SAST deployment using the option --auth-token. For example, --auth-token AgentsApiKey.txt.
    • The CA certificate can be specified to the AppScan 360° SAST deployment using the option --cert. For example, --cert AppScan360_RootCA.crt.
    • The private key can be specified to the AppScan 360° SAST deployment using the option --cert-key. For example, --cert-key AppScan360_RootCA.key.
  4. Get the user authentication token from HCL Harbor > User Profile > CLI secret and save it to a file.

    For example, registry-token.txt.

  5. Create a file to store the RabbitMQ password.
    For example, rabbitmq-pwd.txt. This password is configured in RabbitMQ when it is installed.
    Note: This password cannot be changed once configured.
  6. Identify the storage provider to be used.

    On Azure, azurefile is supported; if another storage provider is used, ensure it supports the ReadWriteMany access mode.

  7. Run the AppScan 360° SAST script with options to deploy the cluster locally. For example:
    > ./sast-service.sh --install \
                      --ingress-host <sast-ingress-fqdn> \
                      --server <ascp-fqdn> \
                      --cert AppScan360_RootCA.crt \
                      --cert-key AppScan360_RootCA.key \
                      --auth-token AgentsApiKey.txt \
                      --rabbitmq-password rabbitmq-pwd.txt \
                      --registry-user <harbor-username> \
                      --registry-token registry-token.txt \
                      --storage-class azurefile \
                      --ingress-class nginx
    Note:
    • Provide execute permissions to the script files. For example, chmod -R +x sast-service.sh scripts/*.
    • Use the option -f to specify the file path to a yaml file with customized values as described in Deployment configuration parameters. For example, -f values.yaml.
  8. Verify deployment was successful:
    > kubectl get pods -n <NAMESPACE>
    Where <NAMESPACE> is the namespace to which AppScan 360° SAST was installed. The default is hcl-appscan-sast.
  9. Verify all the AppScan 360° SAST-related pods are up and running as follows:
    Pod name                     Ready   Status    Restarts   Age
    analyzer-<pod-id>            1/1     Running   X          X
    ascp-adapter-<pod-id>        1/1     Running   X          X
    gateway-<pod-id>             1/1     Running   X          X
    preparer-<pod-id>            1/1     Running   X          X
    sast-service-rabbitmq-0      1/1     Running   X          X
    scan-manager-<pod-id>        1/1     Running   X          X
    workflow-manager-<pod-id>    1/1     Running   X          X
  10. Ensure that AppScan 360° SAST is reachable from a browser using the URL https://<sast-ingress-fqdn>.

    (For example, https://sast.example.com)

Deploying AppScan 360° Static Analysis from an archive file

After downloading and extracting the tar.gz file:
  1. To upload the container images to ACR or any other registry of choice, provide the registry credentials to the deployment script using the following parameter options:
    Note: AppScan 360° SAST container images must be uploaded to a remote OCI-compliant registry.
    • --registry <registry> : The registry to push the container images. For example: appscanregistry.azurecr.io, docker.io.
    • --registry-user <registry-username> : The registry username for authentication.
    • --registry-token <registry-token-file> : The file which contains the registry user authentication token. For example: --registry-token ./registry-token.txt
    • --load-images : This option indicates that the container images should be loaded from file system to the registry. The container images can be located in the path sast-service-base/images/*.image.
  2. Ensure you are connected to the correct Kubernetes cluster.

    Verify you have the right cluster config file in the .kube folder.

  3. Get the ASCP server's hostname.

    For example, ascp.example.com

  4. Retrieve the authentication token, certificate, and private key files from ASCP server to the current machine.
    • The authentication token can be specified to the AppScan 360° SAST deployment using the option --auth-token. For example, --auth-token AgentsApiKey.txt.
    • The CA certificate can be specified to the AppScan 360° SAST deployment using the option --cert. For example, --cert AppScan360_RootCA.crt.
    • The private key can be specified to the AppScan 360° SAST deployment using the option --cert-key. For example, --cert-key AppScan360_RootCA.key.
  5. Create a file to store the RabbitMQ password.
    For example, rabbitmq-pwd.txt. This password is configured in RabbitMQ when it is installed.
    Note: This password cannot be changed once configured.
  6. Identify the storage provider to be used.

    On Azure, azurefile is supported; if another storage provider is used, ensure it supports the ReadWriteMany access mode.

  7. Run the AppScan 360° SAST script with options to deploy the cluster locally. For example:
    > ./sast-service.sh --install \
                        --ingress-host <sast-ingress-fqdn> \
                        --server <ascp-fqdn> \
                        --cert AppScan360_RootCA.crt \
                        --cert-key AppScan360_RootCA.key \
                        --auth-token AgentsApiKey.txt \
                        --rabbitmq-password rabbitmq-pwd.txt \
                        --registry <registry-name> \
                        --registry-user <registry-username> \
                        --registry-token <registry-token-file> \
                        --storage-class azurefile \
                        --ingress-class nginx \
                        --load-images
    Note: Use the option -f to specify the file path to a yaml file with customized values as described in Deployment configuration parameters. For example, -f values.yaml.
  8. Verify deployment was successful:
    > kubectl get pods -n <NAMESPACE>
    Where <NAMESPACE> is the namespace to which AppScan 360° SAST was installed. The default is hcl-appscan-sast.
  9. Verify all the AppScan 360° SAST-related pods are up and running as follows:
    Pod name                     Ready   Status    Restarts   Age
    analyzer-<pod-id>            1/1     Running   X          X
    ascp-adapter-<pod-id>        1/1     Running   X          X
    gateway-<pod-id>             1/1     Running   X          X
    preparer-<pod-id>            1/1     Running   X          X
    sast-service-rabbitmq-0      1/1     Running   X          X
    scan-manager-<pod-id>        1/1     Running   X          X
    workflow-manager-<pod-id>    1/1     Running   X          X
  10. Ensure that AppScan 360° SAST is reachable from a browser using the URL https://<sast-ingress-fqdn>.

    (For example, https://sast.example.com.)
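The following POSIX shell script is an added example (not part of the HCL documentation or the sast-service.sh bundle) that automates the check in step 9 of both procedures: it reads the kubectl get pods listing and confirms that each expected component has a pod that is 1/1 and Running. The pod-id values in the embedded sample listing are constructed.

```shell
#!/bin/sh
# Added example, not part of the HCL documentation or the sast-service.sh
# bundle: verify a "kubectl get pods -n <NAMESPACE>" listing against the
# pod set the deployment steps expect (each component 1/1 and Running).

# Deployment-managed components appear as "<component>-<pod-id>"; the
# RabbitMQ StatefulSet pod has the fixed name sast-service-rabbitmq-0.
EXPECTED_COMPONENTS="analyzer ascp-adapter gateway preparer scan-manager workflow-manager"
RABBITMQ_POD="sast-service-rabbitmq-0"

# check_pods: reads the pod listing from stdin, prints one line per problem,
# and returns 0 only when every expected pod is present, 1/1 and Running.
check_pods() {
    listing=$(cat); rc=0
    for name in $EXPECTED_COMPONENTS $RABBITMQ_POD; do
        # Deployment pods carry replicaset and pod ids; the RabbitMQ pod name is fixed.
        pattern="^$name-[a-z0-9]+(-[a-z0-9]+)?\$"
        [ "$name" = "$RABBITMQ_POD" ] && pattern="^$name\$"
        result=$(printf '%s\n' "$listing" | awk -v pat="$pattern" '
            $1 ~ pat { found++; if ($2 != "1/1" || $3 != "Running") bad = bad " " $1 "(" $2 "," $3 ")" }
            END { if (!found) print "MISSING"; else if (bad != "") print "UNHEALTHY" bad; else print "OK" }')
        [ "$result" = "OK" ] || { echo "$name: $result"; rc=1; }
    done
    return $rc
}

# Constructed sample listing in kubectl format (not captured from a real cluster).
sample_healthy_listing() {
    cat <<'EOF'
NAME                               READY   STATUS    RESTARTS   AGE
analyzer-6c8f9d7b5-x2k4p           1/1     Running   0          5m
ascp-adapter-5d4c7b8f9-q7w2e       1/1     Running   0          5m
gateway-7f6d8c9b4-z9x8c            1/1     Running   0          5m
preparer-8d7c6b5a4-m3n2b           1/1     Running   0          5m
sast-service-rabbitmq-0            1/1     Running   0          6m
scan-manager-9e8d7c6b5-v4b3n       1/1     Running   0          5m
workflow-manager-4a3b2c1d0-l5k4j   1/1     Running   0          5m
EOF
}

sample_unhealthy_listing() {
    # Constructed failure case: analyzer crash-looping, preparer pod missing.
    sample_healthy_listing | grep -v '^preparer-' |
        sed 's/^\(analyzer-[^ ]*\) *1\/1 *Running/\1 0\/1 CrashLoopBackOff/'
}

# Against a live cluster: kubectl get pods -n hcl-appscan-sast | check_pods
sample_healthy_listing | check_pods && echo "all expected AppScan 360 SAST pods are Running"
```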

Integration with ASCP

The AppScan 360° Static Analysis ingress URL must be configured in ASCP for successful integration between AppScan 360° components. The URL can be configured while installing or reconfiguring the ASCP server, or as a post-installation step.

Configuring the AppScan 360° SAST ingress

To configure the provided ingress to use HTTPS, set the nginx.ingress.kubernetes.io/backend-protocol annotation to indicate how NGINX should communicate with the backend service:

  • Parameter
    global.ingress.additionalAnnotations
  • Description
    List of annotations to configure in the AppScan 360° Static Analysis ingress.
  • Example
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS

Reconfiguring AppScan 360° Static Analysis

After the initial deployment of AppScan 360° Static Analysis, subsequent runs of the deployment script reconfigure the Kubernetes clusters using the most recently specified deployment options. You do not need to remove the clusters first.

To verify the deployment script is reconfiguring an existing installation, check the script output messages for the following message:
Namespace 'hcl-appscan-sast' already exists. The SAST deployment will be upgraded.
Note: In certain situations, the namespace might persist in a terminating state while no deployment is available on the cluster. In this scenario, reconfiguration fails. Manually delete the namespace and reattempt the deployment.

Deployment command options

Each parameter is listed with its description, its default value (where one exists) and whether it is required.

-h|-help
    Displays available commands and appropriate usage.

-i|--install
    Deploy AppScan 360° SAST. This flag expects no option values.
    Default value: N/A. Required: Yes.

-s|--server hostname
    Provides the ASCP server's hostname (FQDN). The ASCP server is configured as part of the AppScan 360° platform install, and is the means by which a user can initiate an AppScan 360° Static Analysis scan.
    Required: Yes.

-cc|--cert cert-file-path
    For setting up TLS and HTTPS, provide the fully qualified path to a signed certificate file.
    Required: Yes.

-ck|--cert-key key-file-path
    Provide the corresponding path to the private key for the specified certificate.
    Required: Yes.

-at|--auth-token token
    ASCP connection authorization with SAST services. It also aids the communications and exchanges between the ASCP platform services and AppScan 360° SAST.
    Required: Yes.

-p|--rabbitmq-password pwd-file-path
    Specifies the file path of the RabbitMQ user's password.
    Note: The RabbitMQ password cannot be changed once configured.
    Required: Yes.

-sc|--storage-class name
    Allows the user to configure the storage provider to use for all AppScan 360° SAST storage requirements. Examples include local-path, azurefile, and longhorn.
    Required: Yes.

-r|--registry registry
    The registry name to load images into.
    Note: For cloud deployments using an archive file containing SAST images, a registry reachable from the cloud Kubernetes cluster must be provided so that the images can be pulled during deployment.
    Required: When -x is specified for image loading, and when an archive file is used for deployment.

-ru|--registry-user username
    Username of the registry provided.
    Required: Yes, except when deploying from an archive file to a local Kubernetes cluster (K3S, for example).

-rt|--registry-token token-file-path
    Path to a file containing the user authentication token for the specified registry.
    Note: The token can only be provided using a file for security reasons.
    Required: Yes, except when deploying from an archive file to a local Kubernetes cluster (K3S, for example).

-ro|-repo|--repository repository
    The repository path to locate the images and Helm charts.
    Default value: appscan360-sast/sast-service. Required: No.

-v|--version
    The version of AppScan 360° SAST to download.
    Default value: the version of the script used for the current deployment. Required: No.

-t|--tag image-tag
    The AppScan 360° SAST version to install. When not specified, the latest version in the repository or archive is used.
    Default value: latest available version. Required: No.

-n|--namespace
    The namespace where AppScan 360° SAST is deployed.
    Default value: hcl-appscan-sast. Required: No.

-f|--config-file yaml-file-path
    Configure or customize the container deployment with a yaml file specifying configuration details. See Deployment configuration parameters for information on configuring the yaml file.
    Default value: N/A. Required: No.

-ih|--ingress-host hostname
    A fully qualified domain name (FQDN) to access AppScan 360° SAST post-deployment. If the provided FQDN is not resolvable in DNS, ensure the /etc/hosts file is updated to map the FQDN to the respective IP address.
    Default value: sast.example.com. Required: No.

-ic|--ingress-class name
    The ingress controller used to expose AppScan 360° SAST through the gateway service. If not specified, no ingress controller is configured.
    Required: No.

-x|--load-images
    When deploying from an archive downloaded from FNO, this parameter instructs the script to load the container images from the file system and push them to the specified container registry. This option should be used for air-gap mode deployments only.

-verbose
    Produces complete messages related to deployment in the console.
    Required: No.

Examples

Cloud (Azure) deployment using Helm charts from HCL Harbor:
> az login ...
> ./sast-service.sh --install \
                    --ingress-host test.sast.example.com \
                    --server test.ascp.example.com \
                    --cert ./AppScan360_RootCA.crt \
                    --cert-key ./AppScan360_RootCA.key \
                    --auth-token ./AgentsApiKey.txt \
                    --rabbitmq-password ./rabbitmq-pwd.txt \
                    --registry-user hcl-harbor-user \
                    --registry-token ./registry-token.txt \
                    --ingress-class nginx \
                    --storage-class azurefile
Cloud (Azure) deployment using archive file:
> az login ...
> ./sast-service.sh --install \
                    --ingress-host test.sast.example.com \
                    --server test.ascp.example.com \
                    --cert ./AppScan360_RootCA.crt \
                    --cert-key ./AppScan360_RootCA.key \
                    --auth-token ./AgentsApiKey.txt \
                    --rabbitmq-password ./rabbitmq-pwd.txt \
                    --registry appscanregistry.azurecr.io \
                    --registry-user azure-user \
                    --registry-token ./registry-token.txt \
                    --ingress-class nginx \
                    --storage-class azurefile \
                    --load-images
Local Kubernetes deployment using Helm charts from HCL Harbor:
> ./sast-service.sh --install \
                    --ingress-host test.sast.example.com \
                    --server test.ascp.example.com \
                    --cert ./AppScan360_RootCA.crt \
                    --cert-key ./AppScan360_RootCA.key \
                    --auth-token ./AgentsApiKey.txt \
                    --rabbitmq-password ./rabbitmq-pwd.txt \
                    --registry-user hcl-harbor-user \
                    --registry-token ./registry-token.txt \
                    --ingress-class nginx \
                    --storage-class local-path
Local Kubernetes deployment using archive file:
> ./sast-service.sh --install \
                    --ingress-host test.sast.example.com \
                    --server test.ascp.example.com \
                    --cert ./AppScan360_RootCA.crt \
                    --cert-key ./AppScan360_RootCA.key \
                    --auth-token ./AgentsApiKey.txt \
                    --rabbitmq-password ./rabbitmq-pwd.txt \
                    --registry docker.io \
                    --ingress-class nginx \
                    --storage-class local-path \
                    --load-images

Accessing AppScan 360° SAST after deployment

After a successful deployment, AppScan 360° SAST REST APIs can be accessed using the swagger-ui:
> https://<appscan sast url>/swagger-ui/index.html
AppScan 360° SAST uses token-based authentication with the token specified during deployment using the option --auth-token. The token can be fetched with the following command:
> kubectl get secrets -n hcl-appscan-sast sast-service-secret -o jsonpath="{.data.SAST_AUTH_TOKEN}" | base64 -d