Setting up the AppScan 360° Static Analysis environment

Before installing AppScan 360° Static Analysis, set up your environment for optimal deployment.

The environment in which you install and deploy AppScan 360° Static Analysis requires the following prerequisite tools to be set up for optimal performance:

HCL ID

Your HCL ID associates your account with valid licenses and access to software and support. It is required for access to HCL License and Download Portal and HCL Harbor.

For complete information about creating an HCL ID and accessing licenses and software, see this document.

Linux system

An Ubuntu or a Red Hat Enterprise Linux system is required to initiate deployment. The actual deployment can be in a remote Kubernetes cluster (for example, a cluster in Azure Kubernetes Service), but the deployment is initiated from this Linux machine.

AppScan Central Platform

AppScan Central Platform is the foundation for the AppScan 360° experience. It brings together the user interface, APIs, and core server components.

Complete instructions for installing and configuring AppScan Central Platform can be found here.

Important: Install AppScan Central Platform before downloading and deploying AppScan 360° Static Analysis.
Once installed, gather the following information from AppScan Central Platform (ASCP), saving the information to a local file where appropriate:
  • ASCP service hostname

    Hostname (FQDN) of the ASCP server. For example, ascp.example.com.

  • Authentication token

    The authentication token is located at <ascp-install-path>\Keys\AgentsApiKey.txt.

  • CA certificate

    The certificate file is located at <ascp-install-path>\Certs\AppScan360_RootCA.crt.

  • Private key

    The private key file is located at <ascp-install-path>\Certs\AppScan360_RootCA.key. Restrict access to this file: anyone holding the root CA key can issue certificates that the deployment trusts.
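The following script is an added example, not part of the AppScan documentation: it checks the four ASCP values before they are used in the deployment. The checks (hostname is an FQDN, token and PEM files are non-empty, the CA certificate's public key matches the private key) are assumptions about what is worth verifying; the file paths are placeholders for the real locations under <ascp-install-path>, and the env file it writes holds only paths, not the token itself.

```shell
# Added example (not from the AppScan documentation): sanity-check the
# values gathered from ASCP before handing them to the deployment.
# Paths passed in are placeholders for files under <ascp-install-path>.

# Return 0 when the argument looks like a fully qualified host name
# (two or more dot-separated labels of letters, digits and hyphens).
validate_fqdn() {
    printf '%s\n' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# Return 0 when the file exists and contains a non-blank character.
validate_nonempty_file() {
    [ -f "$1" ] && grep -q '[^[:space:]]' "$1"
}

# Return 0 when the PEM certificate's public key equals the public key
# derived from the private key (works for RSA and EC keys). Returns 2 when
# openssl is missing so the caller can tell "not checked" from "mismatch".
cert_matches_key() {
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run all checks and record the values (paths only, never the token) in an
# env file for the later deployment steps.
# Usage: collect_ascp_inputs <hostname> <token-file> <ca-cert> <ca-key> <out-file>
collect_ascp_inputs() {
    host=$1; token=$2; cert=$3; key=$4; out=$5
    validate_fqdn "$host" || { echo "ASCP hostname is not an FQDN: $host" >&2; return 1; }
    for f in "$token" "$cert" "$key"; do
        validate_nonempty_file "$f" || { echo "missing or empty: $f" >&2; return 1; }
    done
    rc=0
    cert_matches_key "$cert" "$key" || rc=$?
    case $rc in
        1) echo "CA certificate and private key do not match" >&2; return 1 ;;
        2) echo "openssl not found; certificate/key match not verified" >&2 ;;
    esac
    {
        printf 'ASCP_HOST=%s\n' "$host"
        printf 'ASCP_TOKEN_FILE=%s\n' "$token"
        printf 'ASCP_CA_CERT=%s\n' "$cert"
        printf 'ASCP_CA_KEY=%s\n' "$key"
    } > "$out"
}

# Example invocation with placeholder paths (copied from the ASCP host):
# collect_ascp_inputs ascp.example.com ./AgentsApiKey.txt \
#     ./AppScan360_RootCA.crt ./AppScan360_RootCA.key ./ascp.env
```

The certificate/key comparison is the check that catches the most common mistake in this step, copying a certificate and a key that belong to different CA generations; the other checks only confirm that the files were copied at all.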

Local container service

A local container service that can push images to a remote registry is required when installing AppScan 360° Static Analysis from an archive file downloaded from HCL License and Download Portal. You can use either Docker, a persistent process that manages containers, or containerd, a runtime that manages the life cycle of containers on a physical or virtual machine.

Kubectl

Kubectl is used to communicate with remote Kubernetes clusters.

Complete instructions for installing and configuring Kubectl can be found here.

Kubernetes cluster

The cluster is where the AppScan 360° Static Analysis agent containers are deployed and run.

For example, to deploy an Azure Kubernetes cluster, the user must have a resource group to manage the resources consumed by the cluster.

Cluster setup notes:
  • AppScan 360° SAST preparer and analyzer pods require a minimum of 16GB memory by default.
  • A storage provider that supports ReadWriteMany is required. AKS provides azurefile as a storage provider that supports ReadWriteMany. If a custom storage provider such as Longhorn is to be used, ensure that it supports ReadWriteMany.

Verify communication between the VM and the Kubernetes cluster

For example, if you are using an Azure Kubernetes cluster:
  1. Log in to your Azure account:
    > az login
  2. Connect to the Kubernetes cluster on Azure:
    > az aks get-credentials --resource-group <resource-group-name> --name <cluster-name>

    --resource-group is the Azure resource group that contains your cluster. --name is the name of the cluster to connect your CLI to.

    Connecting to the cluster merges the cluster credentials into the .kube/config file in your home folder. This configuration file is created if it does not exist.
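Once kubectl can reach the cluster, the two cluster setup notes above (16GB memory for preparer/analyzer pods, a ReadWriteMany-capable storage provider) can be checked from the same Linux machine. The script below is an added example, not part of the AppScan documentation. It treats 16Gi of allocatable node memory as the threshold and azurefile as the default storage class name; both are assumptions for the example, and the live functions at the end need kubectl access to the cluster.

```shell
# Added example (not from the AppScan documentation): cluster preflight
# checks for the memory and ReadWriteMany requirements.

MIN_POD_MEMORY=16Gi   # assumed threshold, from "minimum of 16GB memory"

# Convert a Kubernetes memory quantity (16Gi, 16384Mi, 16393236Ki, 16G,
# or plain bytes) to bytes. Binary suffixes use 1024, decimal ones 1000.
k8s_quantity_to_bytes() {
    printf '%s\n' "$1" | awk '{
        n = $0; mult = 1
        if (n ~ /Ki$/)      { mult = 1024;    n = substr(n, 1, length(n) - 2) }
        else if (n ~ /Mi$/) { mult = 1024^2;  n = substr(n, 1, length(n) - 2) }
        else if (n ~ /Gi$/) { mult = 1024^3;  n = substr(n, 1, length(n) - 2) }
        else if (n ~ /Ti$/) { mult = 1024^4;  n = substr(n, 1, length(n) - 2) }
        else if (n ~ /k$/)  { mult = 1000;    n = substr(n, 1, length(n) - 1) }
        else if (n ~ /M$/)  { mult = 1000^2;  n = substr(n, 1, length(n) - 1) }
        else if (n ~ /G$/)  { mult = 1000^3;  n = substr(n, 1, length(n) - 1) }
        else if (n ~ /T$/)  { mult = 1000^4;  n = substr(n, 1, length(n) - 1) }
        printf "%.0f\n", n * mult
    }'
}

# Read "node-name allocatable-memory" lines on stdin and print the nodes
# whose allocatable memory is below MIN_POD_MEMORY. Returns 0 when at least
# one node can host a preparer or analyzer pod, 1 when none can.
nodes_below_minimum() {
    min=$(k8s_quantity_to_bytes "$MIN_POD_MEMORY")
    ok=1
    while read -r name mem; do
        [ -n "$name" ] || continue
        bytes=$(k8s_quantity_to_bytes "$mem")
        if [ "$bytes" -lt "$min" ]; then
            echo "$name $mem (below $MIN_POD_MEMORY)"
        else
            ok=0
        fi
    done
    return $ok
}

# Emit a throw-away PVC that asks the given storage class for ReadWriteMany.
# A class that cannot provide RWX leaves the claim Pending (or rejects it).
rwx_probe_pvc() {
    cat <<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: rwx-probe
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: $1
  resources:
    requests:
      storage: 1Gi
EOF
}

# Live checks (need kubectl access; not exercised offline).
# Usage: cluster_preflight [storage-class]   (default: azurefile, an assumption)
cluster_preflight() {
    kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.allocatable.memory}{"\n"}{end}' \
        | nodes_below_minimum || { echo "no node has $MIN_POD_MEMORY allocatable" >&2; return 1; }
    rwx_probe_pvc "${1:-azurefile}" | kubectl apply -f -
    # Note: a class with volumeBindingMode WaitForFirstConsumer stays Pending
    # until a pod mounts the claim, so this wait only proves Immediate binding.
    kubectl wait --for=jsonpath='{.status.phase}'=Bound pvc/rwx-probe --timeout=120s
    kubectl delete pvc rwx-probe
}
```

Allocatable memory is what the scheduler actually has to work with after kube-reserved and system-reserved are taken out, so a node sized at exactly 16GB will usually fail this check; that is the point of comparing against allocatable rather than capacity.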

Keda

Install and configure Keda:
> helm repo add kedacore https://kedacore.github.io/charts
> helm repo update
> helm install keda kedacore/keda --namespace keda --create-namespace

Ingress controller

Deploy an ingress controller.

The recommended ingress controller is NGINX (latest version). However, if an ingress controller is already present in the cluster, there is no need to install a new one.

An IP address linked to the DNS name is required. For an AKS deployment, this IP address must exist in the default Kubernetes resource group.

Note: The service annotation in the following command is for the Azure load balancer health check and should be used only when installing the ingress controller into an AKS cluster.
> helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
> helm repo update
> helm install ingress-nginx ingress-nginx/ingress-nginx \
    --namespace ingress-nginx \
    --create-namespace \
    --set controller.service.loadBalancerIP=<ip-address> \
    --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz

The NGINX ingress installation can be configured with tolerations, a nodeSelector, and so on. These settings are passed to the ingress Helm command as a values file with the -f option. Configurable parameters include:

  • controller.config.proxy-body-size

    Maximum allowed size of the request body. The value must be larger than the size of the data that you are trying to push.

  • controller.config.proxy-connect-timeout

    Maximum time allowed for establishing a connection with a proxied server.

  • controller.config.proxy-read-timeout

    Timeout for reading a response from the proxied server.

  • controller.config.proxy-send-timeout

    Timeout for transmitting a request to the proxied server.

  • controller.config.enable-access-log-for-default-backend

    Enables access logging for the default backend. Disabled by default.

  • controller.config.ssl-redirect

    Sets the global value for redirects (301) to HTTPS when the server has a TLS certificate. The default value is true.

  • controller.config.use-http2

    Enables or disables HTTP/2 support on secure connections.

  • nodeSelector.kubernetes.io/os

    The OS type of the nodes that run the ingress controller.

  • tolerations.key

    Toleration key, for scheduling the ingress controller on tainted nodes.
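The script below is an added example, not part of the AppScan documentation: it writes a values file with the parameters from the list above and passes it to the Helm command with -f. It also checks that proxy-body-size is actually larger than the largest artifact you intend to push, which is the failure mode the first parameter exists to prevent. The body size, timeouts, node selector value and toleration are assumed values; the ingress-nginx chart reads nodeSelector and tolerations under the controller key, so they are placed there.

```shell
# Added example (not from the AppScan documentation): build an ingress-nginx
# values file and verify proxy-body-size against a real upload.

# Convert an NGINX size (plain bytes or k/m/g suffix, case-insensitive) to bytes.
nginx_size_to_bytes() {
    printf '%s\n' "$1" | awk '{
        n = tolower($0); mult = 1
        if (n ~ /k$/)      { mult = 1024 }
        else if (n ~ /m$/) { mult = 1024^2 }
        else if (n ~ /g$/) { mult = 1024^3 }
        if (mult > 1) n = substr(n, 1, length(n) - 1)
        printf "%.0f\n", n * mult
    }'
}

# Return 0 when the file is smaller than the proxy-body-size limit.
# Usage: check_body_size <proxy-body-size> <path-to-largest-upload>
check_body_size() {
    limit=$(nginx_size_to_bytes "$1")
    size=$(wc -c < "$2" | tr -d ' ')
    [ "$size" -lt "$limit" ]
}

# Write the values file. Assumed defaults: os=linux and a toleration for a
# hypothetical "ingress=true:NoSchedule" taint on dedicated ingress nodes.
# Usage: write_ingress_values <out-file> <body-size> <connect-timeout-s> <read/send-timeout-s> [os]
write_ingress_values() {
    out=$1; body=$2; connect=$3; rw=$4; os=${5:-linux}
    cat > "$out" <<EOF
controller:
  config:
    proxy-body-size: "$body"
    proxy-connect-timeout: "$connect"
    proxy-read-timeout: "$rw"
    proxy-send-timeout: "$rw"
    enable-access-log-for-default-backend: "true"
    ssl-redirect: "true"
    use-http2: "true"
  nodeSelector:
    kubernetes.io/os: $os
  tolerations:
    - key: "ingress"
      operator: "Equal"
      value: "true"
      effect: "NoSchedule"
EOF
}

# Live step (needs helm and cluster access): the page's install command plus -f.
# Usage: install_ingress <values-file> <ip-address>
install_ingress() {
    helm install ingress-nginx ingress-nginx/ingress-nginx \
        --namespace ingress-nginx --create-namespace \
        --set controller.service.loadBalancerIP="$2" \
        --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz \
        -f "$1"
}

# Example flow (constructed values):
# write_ingress_values ingress-values.yaml 512m 15 600
# check_body_size 512m ./largest-scan-archive.zip || echo "raise proxy-body-size" >&2
# install_ingress ingress-values.yaml <ip-address>
```

proxy-connect-timeout is kept separate from the read/send timeouts because NGINX caps it at 75 seconds, whereas long-running uploads legitimately need the read and send timeouts to be much larger.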

Cert-manager

Install and configure Cert-manager:
> helm repo add jetstack https://charts.jetstack.io
> helm repo update
> helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true

Helm

Helm is a package manager for Kubernetes that makes it easier to configure and deploy Kubernetes applications.

Complete instructions for installing the Helm CLI can be found here.

Azure CLI

The Azure CLI is a set of commands used to create and manage Azure resources.

Complete instructions for installing the Azure CLI can be found here.