Setting up the AppScan 360° Static Analysis environment
Before installing AppScan 360° Static Analysis, set up your environment for optimal deployment.
- All Kubernetes environments:
- If you are downloading AppScan 360° Static Analysis from Harbor:
- If you are downloading AppScan 360° Static Analysis from an archive file via the HCL License and Download Portal:
- If you are using a cloud-based Azure cluster:
HCL ID
Your HCL ID associates your account with valid licenses and access to software and support. It is required for access to HCL License and Download Portal and HCL Harbor.
For complete information about creating an HCL ID and accessing licenses and software, see this document.
Linux system
An Ubuntu or a Red Hat Enterprise Linux system is required to initiate deployment. The actual deployment can be in a remote Kubernetes cluster (for example, a cluster in Azure Kubernetes Service), but the deployment is initiated from this Linux machine.
AppScan Central Platform
AppScan Central Platform is the foundation for the AppScan 360° experience. It brings together the user interface, APIs, and core server components.
Complete instructions for installing and configuring AppScan Central Platform can be found here.
- ASCP service hostname: Hostname (FQDN) of the ASCP server. For example, `ascp.example.com`.
- Authentication token: The authentication token is located at `<ascp-install-path>\Keys\AgentsApiKey.txt`.
- CA certificate: The certificate file is located at `<ascp-install-path>\Certs\AppScan360_RootCA.crt`.
- Private key: The private key file is located at `<ascp-install-path>\Certs\AppScan360_RootCA.key`.
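A pre-flight check for the three files listed above, as an added example that is not part of the HCL documentation. It assumes the files have been copied from the ASCP server into a local directory on the Linux deployment machine, that the private key is not passphrase-protected, and that owner-only file modes (600 or 400) are the hardening target; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not HCL code. DIR is a hypothetical local folder holding copies
# of AgentsApiKey.txt, AppScan360_RootCA.crt and AppScan360_RootCA.key.

# check_ascp_material DIR -> returns 0 if every check passes, 1 otherwise
check_ascp_material() {
    crt="$1/AppScan360_RootCA.crt"
    key="$1/AppScan360_RootCA.key"
    tok="$1/AgentsApiKey.txt"
    rc=0
    for f in "$tok" "$crt" "$key"; do
        [ -s "$f" ] || { echo "FAIL: missing or empty: $f" >&2; return 1; }
    done
    # The token and the CA private key must not be readable by group or others.
    for f in "$tok" "$key"; do
        mode=$(stat -c '%a' "$f")      # GNU stat, as shipped on Ubuntu and RHEL
        case $mode in
            400|600) ;;
            *) echo "FAIL: $f has mode $mode, expected 600 or 400" >&2; rc=1 ;;
        esac
    done
    # The certificate must carry the public half of the private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: certificate and private key do not match" >&2; rc=1
    fi
    # The CA certificate must still be valid 30 days from now.
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL: certificate unreadable or expiring within 30 days" >&2; rc=1; }
    return $rc
}

# make_demo_material DIR: constructed throwaway CA and token for trying the check
make_demo_material() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=constructed-demo-ca" \
        -keyout "$1/AppScan360_RootCA.key" \
        -out "$1/AppScan360_RootCA.crt" 2>/dev/null &&
    printf 'constructed-demo-token\n' > "$1/AgentsApiKey.txt" &&
    chmod 600 "$1/AppScan360_RootCA.key" "$1/AgentsApiKey.txt"
}
```

Run `check_ascp_material <dir>` before starting the deployment; a non-zero exit status means at least one `FAIL` line was printed to stderr.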
Local container service
A local container service that can push images to a remote registry is required when installing AppScan 360° Static Analysis from an archive file downloaded from HCL License and Download Portal. You can use either docker, a persistent process that manages containers, or containerd, a runtime that manages the life cycle of a container on a physical or virtual machine.
Kubectl
Kubectl is used to communicate with remote Kubernetes clusters.
Complete instructions for installing and configuring Kubectl can be found here.
Kubernetes cluster
The cluster is where AppScan 360° Static Analysis agent containers reside and are put to use.
For example, to deploy an Azure Kubernetes cluster, the user must have a resource group to manage the resources consumed by the cluster.
- AppScan 360° SAST `preparer` and `analyzer` pods require a minimum of 16GB memory by default.
- A storage provider that supports `ReadWriteMany` is required. AKS provides `azurefile` as the storage provider, which supports `ReadWriteMany`. If a custom storage provider like `longhorn` is to be used, then ensure that it supports `ReadWriteMany`.
Verify communication between the VM and the Kubernetes cluster
- Log in to your Azure account:
> az login
- To connect to the Kubernetes cluster on Azure:
> az aks get-credentials --resource-group <resource-group-name> --name <cluster-name>
`--resource-group` is the Azure resource group with your cluster. `--name` is the name of the cluster to connect to your CLI.
Connecting to the cluster merges your installation token into a .kube/config file in your home folder. This configuration file will be created if it does not exist.
Keda
> helm repo add kedacore https://kedacore.github.io/charts
> helm repo update
> helm install keda kedacore/keda --namespace keda --create-namespace
Ingress controller
Deploy an ingress controller.
The recommended ingress controller is NGINX (latest version). However, if an ingress controller is already present in the cluster, there is no need to install a new one.
An IP address linked to the DNS name is required. This IP address must exist in the default Kubernetes resource group for AKS deployment.
> helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
> helm repo update
> helm install ingress-nginx ingress-nginx/ingress-nginx \
--namespace ingress-nginx \
--create-namespace \
--set controller.service.loadBalancerIP=<ip-address> \
--set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz
NGINX ingress install can be configured for tolerance, nodeSelector, and so on. These configurations can be passed to the ingress helm deployment command using the `-f` option. Configurable parameters include:
Parameter | Description |
---|---|
controller.config.proxy-body-size | Maximum allowed size of the request body. The value should be greater than the size of the data that you are trying to push. |
controller.config.proxy-connect-timeout | The maximum timeout for establishing a connection with a proxied server. |
controller.config.proxy-read-timeout | Sets a timeout for reading a request to the proxied server. |
controller.config.proxy-send-timeout | Sets a timeout for transmitting a request to the proxied server. |
controller.config.enable-access-log-for-default-backend | Enables logging access to default backend. Disabled by default. |
controller.config.ssl-redirect | Sets the global value of redirects (301) to HTTPS if the server has a TLS certificate. The default value is true. |
controller.config.use-http2 | Enables or disables HTTP/2 support in secure connections. |
nodeSelector.kubernetes.io/os | The OS type on nodes to run ingress. |
tolerations.key | Fault tolerance. |
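A values file for the `-f` option, as an added example that is not part of the HCL documentation. It carries the two `--set` flags from the install command above plus the `controller.config` parameters from the table, and adds a small lint for two settings that weaken the ingress. The numeric values, the file name and both function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not HCL code. Sizes and timeouts below are constructed values.

# write_ingress_values FILE LB_IP: writes a values file for `helm install -f FILE`
write_ingress_values() {
    cat > "$1" <<EOF
controller:
  service:
    loadBalancerIP: "$2"
    annotations:
      # In a values file the dots in the key need no backslash escaping.
      service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /healthz
  config:
    # Quoted so that every setting reaches the ConfigMap as a string.
    proxy-body-size: "512m"        # larger than the biggest upload; "0" removes the limit
    proxy-connect-timeout: "30"    # seconds
    proxy-read-timeout: "600"
    proxy-send-timeout: "600"
    enable-access-log-for-default-backend: "true"
    ssl-redirect: "true"
    use-http2: "true"
EOF
}

# lint_ingress_values FILE -> returns 1 if the file relaxes a protective setting
lint_ingress_values() {
    rc=0
    if grep -Eq '^[[:space:]]*ssl-redirect:[[:space:]]*"?false"?' "$1"; then
        echo "WARN: ssl-redirect is false, HTTP is not redirected to HTTPS" >&2
        rc=1
    fi
    if grep -Eq '^[[:space:]]*proxy-body-size:[[:space:]]*"?0"?[[:space:]]*(#.*)?$' "$1"; then
        echo "WARN: proxy-body-size is 0, request body size is unlimited" >&2
        rc=1
    fi
    return $rc
}

# Usage (ingress-values.yaml is a hypothetical file name):
#   write_ingress_values ingress-values.yaml <ip-address>
#   lint_ingress_values ingress-values.yaml &&
#   helm install ingress-nginx ingress-nginx/ingress-nginx \
#       --namespace ingress-nginx --create-namespace -f ingress-values.yaml
```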
Cert-manager
> helm repo add jetstack https://charts.jetstack.io
> helm repo update
> helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true
Helm
Helm is a set of resources that makes it easier to configure and use Kubernetes applications.
Complete instructions for installing the Helm CLI can be found here.
Azure CLI
The Azure CLI is a set of commands used to create and manage Azure resources.
Complete instructions for installing the Azure CLI can be found here.