Deploying DAST Scanner in Kubernetes

This document describes how to configure and use the scancentral-dast-scanner 24.4 Helm charts for complete ScanCentral DAST scanner container orchestration in Kubernetes. You can find the ScanCentral DAST Scanner Helm charts at https://hub.docker.com/r/fortifydocker/helm-scancentral-dast-scanner

Kubernetes Versions

These charts have been tested using the following Kubernetes versions:

Tool Prerequisites

These instructions were written and tested using the following tool versions. It is recommended that the same tool versions be used in order to avoid unpredictable results.

Installation

The following instructions are for example purposes and are based on a default Kubernetes environment running under Linux, using the default namespace. Windows systems may require different syntax for certain commands and other Kubernetes Cluster providers may require additional/different configurations. Your Kubernetes administrator may require the use of specific namespaces and/or other configuration adjustments.

Installation Prerequisites

Installation Steps

  1. Ensure ScanCentral DAST Core Services are installed
  2. Retrieve core configuration properties
  3. Ensure image pull secret
  4. Installing ScanCentral DAST scanner
  5. Special Considerations for testing environments

Ensure ScanCentral DAST Core Services are installed

Ensure that the ScanCentral DAST core components have been installed and are at the same Helm chart revision as the ScanCentral DAST scanner chart.

Retrieve core configuration properties

Obtain the following information to populate core services values in the ScanCentral DAST scanner helm chart:

You can obtain this information by running the following command:

helm get notes <name_of_scancentral-dast-core_helm_release>

Ensure image pull secret

If you are using Docker images directly from DockerHub, ensure that you have the name of your image pull secret ready to add to the Helm configuration. It should be the same configuration created to install the ScanCentral DAST core components Helm chart.

Installing ScanCentral DAST scanner

The following command installs the Fortify ScanCentral DAST scanner using the recommended defaults for all services. In some cases, you might need to customize these values using the Helm --set parameter or by creating a values.yaml override file and passing it to the command line with the Helm -f flag. For more information about Helm overrides, refer to the Helm documentation.

For more information about the values that can be overridden, see the Fortify ScanCentral DAST scanner Helm chart values.

Tip: To find other available versions, go to https://hub.docker.com/r/fortifydocker/helm-scancentral-dast-scanner/tags.

Note: These example values presume the default naming referenced in both the helm-scancentral-dast-scanner and the helm-scancentral-dast-core charts. If these values are different, then you must update the following command line accordingly.

helm install <Installation release name> oci://registry-1.docker.io/fortifydocker/helm-scancentral-dast-scanner --version <chart_version> --timeout 60m \
  --set dastApiServiceURL=<SC_DAST_API_service_URL> \
  --set serviceTokenSecretName=scdast-service-token

Special Considerations for testing environments

By default, the Helm chart defines container resource requests and limits based on recommended best-practice values intended to prevent performance issues and unexpected Kubernetes evictions of containers and pods. These values are often too large for a small test environment that does not require the same level of resources. To disable these settings, paste the following values into a file named 'resource_override.yaml' and add it to the install command line with the -f flag, for example: $ helm install -f resource_override.yaml ...

Caution: Using the following settings in production is not supported and will lead to unstable behavior.

# Set all Kubernetes resources except for the datastore to best-effort mode (no resource requirements).
# DO NOT null out the resource configuration for the 'datastore' containers; doing so will result in
# unexpected evictions due to how that service allocates memory.
resources:
  requests:
    cpu: null
    memory: null
  limits:
    cpu: null
    memory: null
wise:
  resources: null

Values

The following values are exposed by the Helm Chart. Unless specified as Required, values should only be overridden as made necessary by your specific environment.

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| additionalEnvironmentVariables | list | `[]` | Defines any additional environment variables to add to the resulting Pod. |
| affinity | pod.affinity | `{}` | Defines node affinity configurations to add to the Pod(s). |
| allowNonTrustedServerCertificate | bool | `false` | Indicates whether to allow non-trusted server certificates. NOTE: If Fortify Connect is in use, this must be set to `true`. |
| containerSecurityContext | pod.containers[*].securityContext | `{}` | Defines security context configurations to add to the API container. |
| customResources | object | `{"enabled": false, "resources": {}}` | Defines Kubernetes resources to be installed and configured as part of the Helm chart. If you provide any resources, you must provide them as a YAML literal block (quoted using '|') and set customResources.enabled to true. |
| customResources.enabled | bool | `false` | Indicates whether to enable custom resource creation. |
| customResources.resources | Kubernetes YAML | `{}` | Defines custom resources to generate. |
| dastApiServiceURL | string | `""` | Specifies the URL of the Fortify ScanCentral DAST API service. This setting is used to reach the Fortify ScanCentral DAST API over HTTP/HTTPS. |
| datastore.additionalEnvironmentVariables | list | `[]` | Defines any additional environment variables to add to the Pod. |
| datastore.image.digest | string | `null` | Version of the Docker image to pull, in digest format. Takes precedence over datastore.image.tag if both are declared. |
| datastore.image.pullPolicy | string | `"IfNotPresent"` | Image pull behavior. |
| datastore.image.repository | string | `"mcr.microsoft.com/mssql/server"` | Specifies the location from which to pull the SQL Server Docker image. |
| datastore.image.tag | string | `"2022-latest"` | Specifies the version of the SQL Server image to pull. |
| datastore.mssqlStorage.sizeLimit | string | `"1500Mi"` | Sets the maximum internal storage size for SQL Server. |
| datastore.resources.limits.cpu | string | `"1"` | Specifies the maximum amount of compute that the pod can consume. MUST match the value used for the request. |
| datastore.resources.limits.ephemeral-storage | string | `"1500Gi"` | Specifies the maximum amount of storage space available to the datastore before the pod is evicted. |
| datastore.resources.limits.memory | string | `"4Gi"` | Specifies the maximum memory that can be consumed prior to pod eviction. |
| datastore.resources.requests.cpu | string | `"1"` | Specifies the minimum amount of compute that the pod is guaranteed to receive. |
| datastore.resources.requests.ephemeral-storage | string | `"1500Mi"` | Specifies the guaranteed amount of storage space allocated to the datastore. |
| datastore.resources.requests.memory | string | `"4Gi"` | Specifies the minimum amount of memory that the pod is guaranteed to receive. |
| disableAdvancedScanPrioritization | bool | `false` | Whether to disable advanced scan prioritization. |
| enableRestrictedScanSettings | bool | `false` | Whether to enable restricted scan settings. |
| fullnameOverride | string | `null` | Overrides the fully qualified app name of the release. |
| healthCheckPort | int | `8080` | Container port used for health checks. |
| image.digest | string | `null` | Specifies the version of the DAST scanner Docker image to pull, in digest format. This setting takes precedence over image.tag if both are declared. |
| image.pullPolicy | string | `"IfNotPresent"` | Specifies the image pull behavior for the DAST scanner Docker image. |
| image.repository | string | `"fortifydocker/dast-scanner"` | Specifies the Docker repository from which to pull the DAST scanner image. |
| image.tag | string | `"24.4.ubi.9"` | Specifies the version of the DAST scanner image to pull. |
| imagePullSecrets | list | `[]` | Specifies a list of references to secrets in the same namespace to use for pulling any of the images used by the current release. |
| nameOverride | string | `null` | Overrides the name of this chart. |
| nodeSelector | pod.nodeSelector | `null` | Defines node selection constraint configurations to add to the Pods. |
| podAnnotations | pod.annotations | `{}` | Defines annotations to add to the Pods. |
| podLabels | pod.labels | `{}` | Defines labels to add to the Pods. |
| podSecurityContext | pod.securityContext | `{}` | Defines security context configurations to add to the Pods. |
| replicas | int | `1` | Specifies the number of Pods to deploy. |
| resources.limits.cpu | string | `"7"` | Specifies the maximum amount of compute that the pod can consume. MUST match the value used for the request. |
| resources.limits.ephemeral-storage | string | `"30Gi"` | Specifies the maximum amount of storage space available to the pod before it is evicted. |
| resources.limits.memory | string | `"32Gi"` | Specifies the maximum memory that can be consumed prior to pod eviction. |
| resources.requests.cpu | string | `"7"` | Specifies the minimum amount of compute that the pod is guaranteed to receive. |
| resources.requests.ephemeral-storage | string | `"30Gi"` | Specifies the guaranteed amount of storage space allocated to the pod. |
| resources.requests.memory | string | `"16Gi"` | Specifies the minimum amount of memory that the pod is guaranteed to receive. |
| retainCompletedScans | bool | `false` | Indicates whether to retain completed scans. |
| scandataStorage.sizeLimit | string | `"15Gi"` | Sets the maximum amount of temporary data that can be stored for a scan. This setting must be less than or equal to the amount of ephemeral storage defined in resources.requests.ephemeral-storage. |
| scannerDescription | string | `""` | Provides a scanner description to add to the scanner container environment. |
| scannerPoolID | string | `"0"` | Specifies the scanner pool ID. |
| scannerType | string | `"Fixed"` | Scanner type to add to the scanner container environment. |
| serviceTokenSecretKey | string | `"service-token"` | Specifies the name of the key in the secret hosting the service token. |
| serviceTokenSecretName | Opaque | `""` | Specifies the name of the secret hosting the service token. |
| tolerations | pod.tolerations | `[]` | Defines toleration configurations to add to the Pods. |
| topologySpreadConstraints | pod.topologySpreadConstraints | `{}` | Defines how the Pods are spread across your cluster among failure domains such as regions, zones, nodes, and other user-defined topology domains. |
| wise.additionalEnvironmentVariables | list | `[]` | Defines any additional environment variables to add to the Pod. |
| wise.image.digest | string | `null` | Specifies the version of the WebInspect script engine (WISE) Docker image to pull, in digest format. This setting takes precedence over wise.image.tag if both are declared. |
| wise.image.pullPolicy | string | `"IfNotPresent"` | Specifies the image pull behavior for the WISE Docker image. |
| wise.image.repository | string | `"fortifydocker/wise"` | Specifies the Docker repository from which to pull the WISE image. |
| wise.image.tag | string | `"24.4.ubi.9"` | Specifies the version of the WISE image to pull. |
| wise.resources.limits.cpu | string | `"8"` | Specifies the maximum amount of compute that the pod can consume. MUST match the value used for the request. |
| wise.resources.limits.memory | string | `"64Gi"` | Specifies the maximum memory that can be consumed prior to pod eviction. |
| wise.resources.requests.cpu | string | `"8"` | Specifies the minimum amount of compute that the pod is guaranteed to receive. |
| wise.resources.requests.memory | string | `"16Gi"` | Specifies the minimum amount of memory that the pod is guaranteed to receive. |