Deploying AppScan 360° Static Analysis clusters

AppScan 360° Static Analysis clusters can be deployed to Azure. Charts can be accessed from Harbor or from a local installation using the tar.gz archive file. Either bundle contains a script (sast-service.sh) that simplifies the deployment steps.

Deploying AppScan 360° Static Analysis from Helm charts

After downloading the Helm chart from Harbor:
  1. Ensure you are connected to the correct Kubernetes cluster.

    Verify you have the right cluster config file in the .kube folder.

  2. Get the ASCP server's agents-api service URL.

    For example, https://ascp.appscan.com:5000

  3. Retrieve the authentication token, certificate, and private key files from ASCP server to the current machine.
    • The authentication token can be specified to the AppScan 360° SAST deployment using the option --auth-token. For example, --auth-token AgentsApiKey.txt.
    • The CA certificate can be specified to the AppScan 360° SAST deployment using the option --cert. For example, --cert AppScan360_RootCA.crt.
    • The private key can be specified to the AppScan 360° SAST deployment using the option --cert-key. For example, --cert-key AppScan360_RootCA.key.
  4. Get the CLI token from HCL Harbor for the user account and save it to a file.

    For example, registry-token.txt.

  5. Create a file to store the RabbitMQ password.
    For example, rabbitmq-pwd.txt. This password is configured in RabbitMQ when it is installed.
    Note: This password cannot be changed once configured.
  6. Run the AppScan 360° SAST script with options to deploy the cluster locally or to Azure:
    > ./sast-service.sh --install \
                      --cloud azure \
                      --ingress-host <sast-ingress-fqdn> \
                      --cert AppScan360_RootCA.crt \
                      --cert-key AppScan360_RootCA.key \
                      --server-url https://<ascp-fqdn>:<agents-api-port> \
                      --auth-token AgentsApiKey.txt \
                      --rabbitmq-password rabbitmq-pwd.txt \
                      --registry-user <harbor-username> \
                      --registry-token registry-token.txt \
                      --storage-class azurefile \
                      --ingress-class nginx
    Note:
    • Provide execute permissions to the script files. For example, chmod -R +x sast-service.sh scripts/*.
    • Use the option -f to specify the file path to a yaml file with customized values as described in Deployment configuration parameters. For example, -f values.yaml.
  7. Verify deployment was successful:
    > kubectl get pods -n <NAMESPACE>
    Where <NAMESPACE> is the namespace to which AppScan 360° SAST was installed. The default is hcl-appscan-sast.
  8. Verify all the AppScan 360° SAST-related pods are up and running as follows:
    Pod name                   Ready   Status    Restarts   Age
    analyzer-<pod-id>          1/1     Running   X          X
    ascp-adapter-<pod-id>      1/1     Running   X          X
    gateway-<pod-id>           1/1     Running   X          X
    preparer-<pod-id>          1/1     Running   X          X
    sast-service-rabbitmq-0    1/1     Running   X          X
    scan-manager-<pod-id>      1/1     Running   X          X
    workflow-manager-<pod-id>  1/1     Running   X          X
  9. Ensure that AppScan 360° SAST is reachable from a browser using the URL https://<sast-ingress-fqdn>.

    (For example, https://sast.appscan.com)

Deploying AppScan 360° Static Analysis from an archive file

After downloading and extracting the tar.gz file:
  1. To upload the container images to ACR or any other registry of choice, provide the registry credentials to the deployment script using the following parameter options:
    Note: AppScan 360° SAST container images must be uploaded to a remote OCI-compliant registry.
    • --registry <registry> : The registry to push the container images to. For example: appscanregistry.azurecr.io, docker.io.
    • --registry-user <registry-username> : The registry username for authentication.
    • --registry-token <registry-password-file> : The file which contains the registry user password. For example: --registry-token ./registry-.txt
    • --load-images : This option indicates that the container images should be loaded from the file system into the registry. The container images are located in the path sast-service-base/images/*.image.
  2. Ensure you are connected to the correct Kubernetes cluster.

    Verify you have the right cluster config file in the .kube folder.

  3. Get the ASCP server's agents-api service URL.

    For example, https://ascp.appscan.com:5000

  4. Retrieve the authentication token, certificate, and private key files from ASCP server to the current machine.
    • The authentication token can be specified to the AppScan 360° SAST deployment using the option --auth-token. For example, --auth-token AgentsApiKey.txt.
    • The CA certificate can be specified to the AppScan 360° SAST deployment using the option --cert. For example, --cert AppScan360_RootCA.crt.
    • The private key can be specified to the AppScan 360° SAST deployment using the option --cert-key. For example, --cert-key AppScan360_RootCA.key.
  5. Create a file to store the RabbitMQ password.
    For example, rabbitmq-pwd.txt. This password is configured in RabbitMQ when it is installed.
    Note: This password cannot be changed once configured.
  6. Run the AppScan 360° SAST script with options to deploy the cluster locally or to Azure:
    > ./sast-service.sh --install \
                      --cloud azure \
                      --ingress-host <sast-ingress-fqdn> \
                      --cert AppScan360_RootCA.crt \
                      --cert-key AppScan360_RootCA.key \
                      --server-url https://<ascp-fqdn>:<agents-api-port> \
                      --auth-token AgentsApiKey.txt \
                      --rabbitmq-password rabbitmq-pwd.txt \
                      --registry-user <harbor-username> \
                      --registry-token registry-token.txt \
                      --storage-class azurefile \
                      --ingress-class nginx
    Note: Use the option -f to specify the file path to a yaml file with customized values as described in Deployment configuration parameters. For example, -f values.yaml.
  7. Verify deployment was successful:
    > kubectl get pods -n <NAMESPACE>
    Where <NAMESPACE> is the namespace to which AppScan 360° SAST was installed. The default is hcl-appscan-sast.
  8. Verify all the AppScan 360° SAST-related pods are up and running as follows:
    Pod name                   Ready   Status    Restarts   Age
    analyzer-<pod-id>          1/1     Running   X          X
    ascp-adapter-<pod-id>      1/1     Running   X          X
    gateway-<pod-id>           1/1     Running   X          X
    preparer-<pod-id>          1/1     Running   X          X
    sast-service-rabbitmq-0    1/1     Running   X          X
    scan-manager-<pod-id>      1/1     Running   X          X
    workflow-manager-<pod-id>  1/1     Running   X          X
  9. Ensure that AppScan 360° SAST is reachable from a browser using the URL https://<sast-ingress-fqdn>.

    (For example, https://sast.appscan.com)
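Step 8 of both procedures above is a visual check of the pod table. The following script is an added example, not part of the HCL documentation or of sast-service.sh: it reads the output of kubectl get pods -n hcl-appscan-sast --no-headers and reports any expected component that is missing, not fully Ready, or not Running. It assumes the workflow-manager pod follows the same <component>-<pod-id> naming as the other pods, and the sample kubectl output embedded below is constructed.

```shell
#!/bin/sh
# Added example (not HCL's code): mechanical version of the step 8 pod check.
# Usage against a real cluster:
#   kubectl get pods -n hcl-appscan-sast --no-headers | sh -c '. ./check-sast-pods.sh; check_sast_pods'

# Component prefixes from the pod table (workflow-manager naming assumed to match the others).
SAST_COMPONENTS="analyzer ascp-adapter gateway preparer sast-service-rabbitmq scan-manager workflow-manager"

# check_sast_pods: reads `kubectl get pods --no-headers` lines on stdin, prints one line
# per problem, and returns 0 only when every component is present, fully Ready and Running.
check_sast_pods() {
    pods=$(cat)
    rc=0
    for comp in $SAST_COMPONENTS; do
        line=$(printf '%s\n' "$pods" | grep "^${comp}-" | head -n 1)
        if [ -z "$line" ]; then
            echo "MISSING   $comp: no pod found"
            rc=1
            continue
        fi
        set -- $line                       # NAME READY STATUS RESTARTS AGE
        name=$1 ready=$2 status=$3 restarts=$4
        # READY is "<ready>/<total>"; both halves must agree and STATUS must be Running
        if [ "${ready%/*}" != "${ready#*/}" ] || [ "$status" != "Running" ]; then
            echo "UNHEALTHY $name: ready=$ready status=$status restarts=$restarts"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output (pod ids and ages are made up for illustration).
SAMPLE_HEALTHY='analyzer-6d8f9c7b5-k2xq9 1/1 Running 0 12m
ascp-adapter-5c7d8e9f6-p4mzt 1/1 Running 0 12m
gateway-7b9c8d6e5-w8nrl 1/1 Running 0 12m
preparer-8a6b7c5d4-j3vfc 1/1 Running 0 12m
sast-service-rabbitmq-0 1/1 Running 0 13m
scan-manager-9f5e6d7c8-h6tyb 1/1 Running 0 12m
workflow-manager-4e3d2c1b9-r7qsd 1/1 Running 0 12m'

# Same cluster with the preparer crash-looping and the gateway not yet Ready.
SAMPLE_BROKEN=$(printf '%s\n' "$SAMPLE_HEALTHY" \
    | sed -e 's/^preparer.*$/preparer-8a6b7c5d4-j3vfc 0\/1 CrashLoopBackOff 7 12m/' \
          -e 's/^gateway-\(.*\) 1\/1 Running/gateway-\1 0\/1 Running/')

echo "healthy sample:"; printf '%s\n' "$SAMPLE_HEALTHY" | check_sast_pods && echo "OK"
echo "broken sample:";  printf '%s\n' "$SAMPLE_BROKEN"  | check_sast_pods || echo "deployment not ready"
```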

Configuring the AppScan 360° SAST ingress

To configure the provided ingress to use HTTPS, use the nginx.ingress.kubernetes.io/backend-protocol annotation to indicate how NGINX should communicate with the backend service:

  • Parameter: global.ingress.additionalAnnotations
  • Description: List of annotations to configure in the AppScan 360° Static Analysis ingress.
  • Example: nginx.ingress.kubernetes.io/backend-protocol: HTTPS

Reconfiguring AppScan 360° Static Analysis

After the initial deployment of AppScan 360° Static Analysis, subsequent runs of the deployment script reconfigure the Kubernetes clusters using the most recently specified deployment options. You do not need to remove the clusters first.

To verify the deployment script is reconfiguring an existing installation, check the script output messages for the following message:
Namespace 'hcl-appscan-sast' already exists. The SAST deployment will be upgraded.
Note: In certain situations, the namespace might persist in a terminating state while no deployment is available on the cluster. In this scenario, reconfiguration fails. Manually delete the namespace and reattempt the deployment.

Deployment options

Deployment notes:
  • Local installation uses local-path as the storage provider, where the scan artifacts are stored.
  • The deployment script accepts confidential information through text files. For example, for a registry token or RabbitMQ password.
  • To customize the installation, provide a configuration file in yaml file format.
Each parameter is listed with its description, its default value, and whether it is required:

-i, --install
    Deploy AppScan 360° SAST. This flag expects no option values.
    Default value: N/A. Required: Yes.

-l, --local, -c, --cloud
    Specify a local Kubernetes instance or a cloud install.
      • -l, --local: Deploy to a local cluster.
      • -c, --cloud: Deploy to a cloud Kubernetes cluster. Specify the cloud platform in the parameter. For example, azure.
    Default value: -l. Required: Yes.

-n, --namespace
    The namespace for the container.
    Default value: hcl-appscan-sast. Required: Yes.

-f, --config-file yaml-file-path
    Configure or customize the container deployment with a yaml file specifying configuration details. See Deployment configuration parameters for information on configuring the yaml file.
    Default value: N/A. Required: No.

-ih, --ingress-host hostname
    An accessible host name for ingress. AppScan 360° SAST requires an ingress controller running on the cluster. For cloud clusters, a publicly accessible host name configured on the cloud provider's host zone. For local deployment, any DNS-qualified name can be used.
    Note: For a local install, add the DNS name to the /etc/hosts file.

-cc, --cert cert-file-path
    For setting up TLS and HTTPS, provide the fully qualified path to a signed certificate file. When left empty, TLS is disabled and HTTP is used.
    Default value: HTTP.

-ck, --cert-key key-file-path
    Provide the corresponding path to the private key for the specified certificate.
    Required: If a signed certificate is provided.

-su, --server-url url
    The ASCP server's API service URL and port number. The ASCP server is configured as part of the AppScan 360 platform install, and is the means by which a user can initiate a SAST scan.

-at, --auth-token token
    ASCP connection authorization with SAST services. It also aids the communications and exchanges between the ASCP platform services and AppScan 360° SAST.
    Required: Yes.

-p, --rabbitmq-password pwd-file-path
    Specifies the file path of the RabbitMQ user's password.
    Note: The RabbitMQ password cannot be changed once configured.
    Required: Yes.

-r, --registry registry
    The registry name to load images.
    Note: For cloud deployments using archive zip files containing SAST images, a registry accessible by the cloud K8S cluster must be provided to ensure image pull is possible during deployment.
    Required:
      • When -x is specified for image loading.
      • When an archive deployment is used for deployment.

-ru, --registry-user username
    Username of the registry provided.

-rt, --registry-token token-file-path
    Path to a file containing the user CLI token for the specified registry.
    Note: The token can only be provided using a file for security reasons.

-ro, -repo, --repository repository
    The repository path to locate the images and helm charts.
    Default value: appscan360-sast/sast-service.

-v, --version
    The version of AppScan 360° SAST to download. Defaults to the version of the script used for the current deployment. Required when downloading from Harbor.

-t, --tag image-tag
    The AppScan 360° SAST version to install. When not specified, the latest version in the repository or archive is used.
    Default value: Latest available version. Required: Yes.

-ic, --ingress-class name
    The ingress controller is used to expose AppScan 360° SAST through the gateway service. You must provide the name of the ingress controller installed in the cluster.
    Required: Yes.

-sc, --storage-class
    Configure the storage provider to use for all AppScan 360° SAST storage requirements.
    Default value: azurefile for Azure deployments.

-x, --load-images
    When downloading an archive from FNO, this parameter instructs the container images to be loaded from the file system and pushed to the specified container registry. This option should be used for air-gap mode deployments only.
    Required: No.

-verbose
    Produces complete messages related to deployment in the console.

Examples

Local Kubernetes deployment:
> ./sast-service.sh -i -l -ih sast.appscan.com \
                    -cc ./config/appscan.crt -ck ./config/appscan.key \
                    -su https://asop.appscan.com:1234 -st ./config/server.token \
                    -ru appscan-user@hcl.com -rt ./config/registry.token \
                    -pwd ./config/sast.pwd --rabbitmq-password ./config/rabbitmq.pwd
Cloud (Azure) deployment:
> az login ...
> ./sast-service.sh --install \
                    --cloud azure \
                    --ingress-host test.sast.appscan.com \
                    --cert ./AppScan360_RootCA.crt \
                    --cert-key ./AppScan360_RootCA.key \
                    --server-url https://test.asop.appscan.com:5000 \
                    --auth-token ./AgentsApiKey.txt \
                    --rabbitmq-password ./rabbitmq-pwd.txt \
                    --registry appscanregistry.azurecr.io \
                    --registry-user registryuser \
                    --registry-token ./registry-token.txt \
                    --ingress-class nginx \
                    --storage-class azurefile

Accessing containers after deployment

After a successful deployment, AppScan 360° SAST REST APIs can be accessed using the swagger-ui:
> https://<appscan sast url>/swagger-ui/index.html
AppScan 360° SAST uses token-based authentication with the token supplied through the --auth-token option at deployment. The token can be fetched from the cluster with the following command:
> kubectl get secrets -n hcl-appscan-sast sast-service-secret -o jsonpath="{.data.SAST_AUTH_TOKEN}" | base64 -d