System requirements for AppScan 360° Static Analysis

This section describes required operating systems and supporting technology for downloading and deploying AppScan 360° Static Analysis. Additional information on setting up required components can be found here.

The AppScan 360° Static Analysis package contains these elements:
  • The AppScan 360° SAST gateway: The main entry point for a scan.
  • The workflow-manager: Orchestrates the AppScan 360° SAST scan-related requests.
  • The scan-manager: Fetches scan artifacts and details, and gathers troubleshooting information.
  • The preparer service: Prepares source code and builds artifacts for analysis.
  • The analyzer service: Evaluates the IRX to identify vulnerabilities.
  • The ascp-adapter: Interface to AppScan Central Platform for monitoring scan status and progress, and working with results and logs.
  • RabbitMQ: Add-on service used as a messaging broker for communication between the AppScan 360° SAST components.
Note: The number and configuration of systems used to host the containers depend on the required level of concurrency (the number of parallel scans) and the size of the applications to be scanned.

System requirements and prerequisites

AppScan 360° Static Analysis is downloaded and deployed using a bash script and thus requires a Linux environment. AppScan 360° Static Analysis agents are deployed locally or in the cloud.
Note: Install the AppScan Central Platform before downloading and deploying AppScan 360° Static Analysis.

Downloading AppScan 360° SAST

Linux system:
  • RedHat 7.9 or newer, or Ubuntu
  • Docker or containerd runtime
  • Kubectl
  • Helm
SAST base charts are required to drive the deployment process. Current AppScan 360° SAST charts can be downloaded to a local system in two ways:
  • HCL Harbor
    • HCL ID with access to the HCL License and Download Portal.
    • HCL Harbor account with read access and access to the AppScan 360° SAST project area.
  • Archive installation
    • HCL ID with access to the HCL License and Download Portal.

Cluster setup

Deploy AppScan 360° SAST to Kubernetes clusters using the deployment script. Pre-configure the following add-on services in the Kubernetes cluster before deploying AppScan 360° SAST:

Resource requirements

Containers

For each container at rest, the following resources are required per pod:

Service             CPU (min/max)   RAM (min/max)   Disk space (min/max)
Preparer            2/4             16GB/28GB
Analyzer            2/4             16GB/28GB
Workflow manager    1/2             2GB/4GB
Scan Manager        1/2             2GB/4GB
ASCP Adapter        1/2             2GB/4GB
Gateway             1/2             2GB/4GB
RabbitMQ            1/2             2GB/4GB
Scan data (shared)                                  200GB
Logs (shared)                                       10GB

Resource requirements vary widely with specific scanning needs, configuration, application size and demand, and so on. See Configuring concurrent scans for additional information.

Autoscaling

The preparer, analyzer, and ascp-adapter services scale up and down to achieve concurrency. By default, AppScan 360° SAST starts one instance of each service. When concurrent scan requests are detected, additional instances of preparer, analyzer, or ascp-adapter services are created to address the load. Once the load is reduced, the auto-scaled instances are down-scaled automatically.

The minimum and maximum number of instances that can be created for each SAST service component are as follows:

Service             Instances (min/max)
preparer            1/25
analyzer            1/25
ascp-adapter        1/3
workflow-manager    1/1
scan-manager        1/1
gateway             1/1
Note: The resource configuration in the cluster must be customized to support the desired level of concurrent scans.
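As an added capacity-planning example (not part of the HCL documentation), the script below combines the per-pod resource table with the autoscaling limits above to estimate the cluster CPU, RAM and shared storage needed for a target number of concurrent scans. The scaling model (one preparer pod and one analyzer pod per concurrent scan, ascp-adapter scaling with demand up to its ceiling, RabbitMQ fixed at one pod) is our assumption; the figures are the page's.

```python
from dataclasses import dataclass

# Per-pod figures and autoscaling limits are copied from the tables on this page.
# Modelling assumption (ours, not HCL's): one preparer pod and one analyzer pod
# per concurrent scan; the ascp-adapter scales with demand up to its ceiling.

@dataclass(frozen=True)
class Service:
    name: str
    cpu_min: float   # CPU request per pod
    cpu_max: float   # CPU limit per pod
    ram_min_gb: int  # RAM request per pod
    ram_max_gb: int  # RAM limit per pod
    inst_min: int    # autoscaling floor
    inst_max: int    # autoscaling ceiling
    scales: bool     # adds pods as concurrent scans increase

SERVICES = (
    Service("preparer",         2, 4, 16, 28, 1, 25, True),
    Service("analyzer",         2, 4, 16, 28, 1, 25, True),
    Service("ascp-adapter",     1, 2,  2,  4, 1,  3, True),
    Service("workflow-manager", 1, 2,  2,  4, 1,  1, False),
    Service("scan-manager",     1, 2,  2,  4, 1,  1, False),
    Service("gateway",          1, 2,  2,  4, 1,  1, False),
    # RabbitMQ has no autoscaling row on the page; treated as a single fixed pod.
    Service("rabbitmq",         1, 2,  2,  4, 1,  1, False),
)
SHARED_STORAGE_GB = {"scan-data": 200, "logs": 10}  # ReadWriteMany volumes

def instances(svc: Service, concurrent_scans: int) -> int:
    """Pods the autoscaler runs at this load, clamped to the service's min/max."""
    wanted = concurrent_scans if svc.scales else svc.inst_min
    return max(svc.inst_min, min(svc.inst_max, wanted))

def plan(concurrent_scans: int) -> dict:
    """Sum requests (min) and limits (max) over all pods for the target concurrency."""
    if concurrent_scans < 1:
        raise ValueError("concurrent_scans must be at least 1")
    totals = {"pods": {}, "cpu_min": 0.0, "cpu_max": 0.0, "ram_min_gb": 0, "ram_max_gb": 0}
    for svc in SERVICES:
        n = instances(svc, concurrent_scans)
        totals["pods"][svc.name] = n
        totals["cpu_min"] += n * svc.cpu_min
        totals["cpu_max"] += n * svc.cpu_max
        totals["ram_min_gb"] += n * svc.ram_min_gb
        totals["ram_max_gb"] += n * svc.ram_max_gb
    totals["storage_gb"] = sum(SHARED_STORAGE_GB.values())
    return totals
```

Requests above 25 concurrent scans are clamped by the preparer/analyzer ceiling, so the returned totals stop growing there; that is the point at which the cluster, not the autoscaler, is the limit.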

Storage

AppScan 360° SAST uses storage for:
  • Scan cache
  • Scan data
  • Logs

AppScan 360° SAST requires a storage provider that supports the ReadWriteMany access mode. Azure offers the azurefile storage provider, which can be used when AppScan 360° SAST is deployed in Azure.

The storage class name, volume size, and other storage properties can be customized using configuration parameters.