This document describes how to configure and use the scancentral-dast-scanner 25.4 Helm charts for complete ScanCentral DAST scanner container orchestration in Kubernetes. You can find the ScanCentral DAST Scanner Helm charts at https://hub.docker.com/r/fortifydocker/helm-scancentral-dast-scanner.
OpenText recommends running Fortify on the tested platforms described in the product system requirements documentation. However, customers running on other platforms or with untested configurations will be supported until the point OpenText determines that the root cause is the untested platform or configuration. Issues that can be reproduced on the tested platforms will be prioritized and fixed according to standard defect-handling policies.
These charts have been tested using the following Kubernetes versions:
These instructions were written and tested using the following tool versions. It is recommended that the same tool versions be used in order to avoid unpredictable results.
The following instructions are for example purposes and are based on a default Kubernetes environment running under Linux, using the default namespace. Windows systems may require different syntax for certain commands and other Kubernetes Cluster providers may require additional/different configurations. Your Kubernetes administrator may require the use of specific namespaces and/or other configuration adjustments.
Ensure that the ScanCentral DAST core components have been installed and are at the same Helm chart revision as the ScanCentral DAST scanner chart.
Obtain the following information to populate core services values in the ScanCentral DAST scanner helm chart:
DAST API service URL
DAST API service account token secret name, previously created during the ScanCentral DAST core components Helm deployment
You can obtain this information by running the following command:
helm get notes <name_of_scancentral-dast-core_helm_release>Ensure that mTLS settings were configured for DAST API Service
Generate and sign with CA a client certificate that will be used by WI scanner to access DAST API service. See scancentral-dast-core installation guide for getting CA certificate.
openssl genrsa -out /tmp/dast-scanner-api-client-key.pem 2048
openssl req -new -key /tmp/dast-scanner-api-client-key.pem -out /tmp/dast-scanner-api-client.csr -subj "/C=CA/ST=Ontario/L=Waterloo/O=YourCompany/OU=IT/CN=dast-scanner-client"
openssl x509 -req -in /tmp/dast-scanner-api-client.csr -CA /tmp/ca-cert.pem -CAkey /tmp/ca-key.pem -CAcreateserial -out /tmp/dast-scanner-api-client-cert.pem -days 3650 -sha256
openssl pkcs12 -export -out /tmp/dast-scanner-api-client-cert.pfx -inkey /tmp/dast-scanner-api-client-key.pem -in /tmp/dast-scanner-api-client-cert.pem -certfile /tmp/ca-cert.pem -passout pass:123456
kubectl create secret generic dast-scanner-api-client-certificate --type=Opaque --from-file=dast-scanner-api-client-cert.pfx=/tmp/dast-scanner-api-client-cert.pfx
kubectl create secret generic dast-scanner-api-client-certificate-password --type=Opaque --from-literal=password=123456
rm /tmp/dast-scanner-api-client-cert.pem /tmp/dast-scanner-api-client-cert.pfx /tmp/dast-scanner-api-client.csr /tmp/dast-scanner-api-client-key.pemIf you are using Docker images directly from DockerHub, ensure that you have the name of your image pull secret ready to add to the Helm configuration. It should be the same configuration created to install the ScanCentral DAST core components Helm chart.
kubectl create secret generic dast-scanner-db-password --type=Opaque --from-literal=password="$(openssl rand -base64 32)"The following command installs the Fortify ScanCentral DAST scanner using the recommended defaults for all services. In some cases, you might need to customize these values using the Helm --set parameter or by creating a values.yaml override file and passing it to the command line with the Helm -f flag. For more information about Helm overrides, refer to the Helm documentation.
For more information about the values that can be overridden, see the Fortify ScanCentral DAST scanner Helm chart values.
Tip: To find other available versions, go to https://hub.docker.com/r/fortifydocker/helm-scancentral-dast-scanner/tags.
Note: These example values presume the default naming referenced in both the helm-scancentral-dast-scanner and the helm-scancentral-dast-core charts. If these values are different, then you must update the following command line accordingly.
helm install <Installation release name> oci://registry-1.docker.io/fortifydocker/helm-scancentral-dast-scanner --version <chart_version> --timeout 60m \
--set dastApiServiceURL=<SC_DAST_API_service_URL> \
--set serviceTokenSecretName=scdast-service-token \
--set datastore.dbPasswordSecretName=dast-scanner-db-password \
--set dast.tls.clientCertificate.secretName=dast-scanner-api-client-certificate \
--set dast.tls.clientCertificate.passwordSecretName=dast-scanner-api-client-certificate-passwordBy default, the Helm chart defines the container resources and
requests based on recommended best-practice values intended to prevent
performance issues and unexpected Kubernetes evictions of containers and
pods. These values are often too large for a small test environment that
does not require the same level of resources. To disable these settings,
paste the following values into a file named 'resource_override.yaml'
and add it to the install command line with the -f flag, for example
$ helm install -f resource_override.yaml
Caution: Using the following settings in production is not supported and will lead to unstable behavior.
# Set all Kubernetes resources except for the datastores to best-effort mode (no resource requirements)
# DO NOT null out the resource configuration for the 'datastore' containers, this will result in unexpected evictions due to how that service allocates memory.
resources:
requests:
cpu: null
memory: null
limits:
cpu: null
memory: null
wise:
resources: nullThe following values are exposed by the Helm Chart. Unless specified
as Required, values should only be overridden as made
necessary by your specific environment.
| Key | Type | Default | Description |
|---|---|---|---|
| additionalEnvironmentVariables | list |
[]
|
Defines any additional environment variables to add to the resulting pod. |
| affinity | pod.affinity |
{}
|
Defines Node Affinity configurations to add to the Pod(s). |
| allowNonTrustedServerCertificate | bool |
false
|
Indicates whether to allow non-trusted server certificates. NOTE: If Fortify Connect is in use, this must be set to `true` |
| containerSecurityContext | pod.containers[*].securityContext |
{}
|
Defines security context configurations to add to the API container. |
| customResources | object |
{
"enabled": false,
"resources": {}
}
|
Defines Kubernetes resources to be installed and configured as part of the Helm chart. If you provide any resources, you must provide them as quoted using '|', and set customResources.enabled to true. |
| customResources.enabled | bool |
false
|
Indicates whether to enable custom resource creation. |
| customResources.resources | Kubernetes YAML |
{}
|
Defines custom resources to generate. |
| dast.additionalEnvironmentVariables | list |
[]
|
Defines any additional environment variables to add to the resulting pod. |
| dast.healthCheckPort | int |
8080
|
container port used for health checks |
| dast.image.digest | string |
null
|
Version of the docker image to pull in digest format. Takes precedence over image.tag, if both declared. |
| dast.image.pullPolicy | string |
"IfNotPresent"
|
Image pull behavior. |
| dast.image.repository | string |
"fortifydocker/scancentral-dast-scannerservice"
|
Repository where to pull docker image from. |
| dast.image.tag | string |
"25.4.ubi.9"
|
Version of the docker image to pull. |
| dast.proxySettingsBypassOnLocal | bool |
true
|
Set to true to bypass the proxy server for local addresses |
| dast.proxySettingsProxyAddress | string |
""
|
Required if proxySettingsUseProxy = true. Proxy server and port. Example: my-proxy-server:8080 |
| dast.proxySettingsProxyBypassList | string |
""
|
Optional comma separated list of addresses to exclude from the proxy server. Example: server1,server2 |
| dast.proxySettingsProxyPassword | string |
""
|
Optional proxy server password. |
| dast.proxySettingsProxyUserName | string |
""
|
Optional proxy server username. |
| dast.proxySettingsUseProxy | bool |
false
|
Set to true to use a proxy server, otherwise set to false. |
| dast.resources.limits.cpu | string |
"1"
|
Maximum compute of pod. MUST match value used for request. |
| dast.resources.limits.memory | string |
"4Gi"
|
Maximum memory that can be consumed prior to pod eviction. |
| dast.resources.requests.cpu | string |
"1"
|
Compute that K8s sets aside and guarantees availability |
| dast.resources.requests.memory | string |
"2Gi"
|
Memory that K8s sets aside and guarantees availability |
| dast.tls.clientCertificate | object |
{
"keyPathSecretKey": "",
"passwordSecretKey": "password",
"passwordSecretName": "",
"pathSecretKey": "dast-scanner-api-client-cert.pfx",
"secretName": ""
}
|
Any .pfx, .p12, .pem, .cer, .crt certificate file can be used. |
| dast.tls.clientCertificate.keyPathSecretKey | string |
""
|
Optional name of the key in the secret hosting the client certificate key. |
| dast.tls.clientCertificate.passwordSecretKey | string |
"password"
|
The name of the key in the secret hosting the client certificate password. |
| dast.tls.clientCertificate.passwordSecretName | string |
""
|
The password for the client certificate. |
| dast.tls.clientCertificate.pathSecretKey | string |
"dast-scanner-api-client-cert.pfx"
|
The name of the key in the secret hosting the client certificate. |
| dast.tls.clientCertificate.secretName | string |
""
|
The name of the secret hosting the client certificate. |
| dast.webInspectRestApiRootUrl | string |
"https://127.0.0.1:8089"
|
Web Inspect Rest Api Root Url |
| dastApiServiceURL | string |
""
|
Specifies the URL of the Fortify ScanCentral DAST API service. This setting is used to reach Fortify ScanCentral DAST API over HTTP/HTTPS. |
| datastore.additionalEnvironmentVariables | list |
[]
|
Defines any additional environment variables to add to the Pod. |
| datastore.dbMode | SQLExpress | SQLServer | PostgreSQL |
"SQLExpress"
|
Defines the database mode to use. |
| datastore.image.digest | string |
null
|
Version of the docker image to pull in digest format. Takes precedence over image.tag, if both declared. |
| datastore.image.pullPolicy | string |
"IfNotPresent"
|
Image pull behavior. |
| datastore.image.repository | string |
"mcr.microsoft.com/mssql/server"
|
Specifies the location from which to pull the SQL Server Docker image. |
| datastore.image.tag | string |
"2022-latest"
|
Specifies the version of the SQL Server image to pull. |
| datastore.maxPoolSize | int |
15
|
Maximum number of database connections allowed. Applicable only for PostgreSQL. |
| datastore.mssqlStorage.sizeLimit | String |
"1500Mi"
|
Sets the maximum internal storage size for SQL Server. |
| datastore.resources.limits.cpu | string |
"1"
|
Specifies the maximum amount of compute that can be consumed by pod. MUST match value used for request. |
| datastore.resources.limits.ephemeral-storage | string |
"1500Gi"
|
Specifies the maximum amount of storage space available to datastore before pod is evicted. |
| datastore.resources.limits.memory | string |
"4Gi"
|
|
| datastore.resources.requests.cpu | string |
"1"
|
Specifies the minimum amount of compute that the pod is guaranteed to receive |
| datastore.resources.requests.ephemeral-storage | string |
"1500Mi"
|
Specifies the guaranteed amount of storage space allocated to datastore. |
| datastore.resources.requests.memory | string |
"4Gi"
|
Specifies the minimum amount of memory that the pod is guaranteed to receive |
| disableAdvancedScanPrioritization | bool |
false
|
Whether to disable advanced scan prioritization. |
| enableApiTls | bool |
true
|
|
| enableRestrictedScanSettings | bool |
false
|
Whether to enable restricted scan settings. |
| fullnameOverride | string |
null
|
Overrides the fully qualified app name of the release. |
| image.digest | string |
null
|
Specifies the version of the DAST scanner Docker image to pull in digest format. This setting takes precedence over image.tag, if both are declared. |
| image.pullPolicy | string |
"IfNotPresent"
|
Specifies the image pull behavior for the DAST scanner Docker image. |
| image.repository | string |
"fortifydocker/dast-scanner"
|
Specifies the Docker repository from which to pull the DAST scanner image. |
| image.tag | string |
"25.4.ubi.9"
|
Specifies the version of the DAST scanner image to pull. |
| imagePullSecrets | list |
[]
|
Specifies a list of references to secrets in the same namespace to use for pulling any of the images used by the current release. |
| nameOverride | string |
null
|
Overrides the name of this chart. |
| nodeSelector | pod.nodeSelector |
null
|
Defines Node selection constraint configurations to add to the Pods. |
| podAnnotations | pod.annotations |
{}
|
Defines annotations to add to the Pods. |
| podLabels | pod.labels |
{}
|
Defines labels to add to the Pods. |
| podSecurityContext | pod.securityContext |
{}
|
Defines security context configurations to add to Pods. |
| replicas | int |
1
|
Specifies the number of Pods to deploy. |
| resources.limits.cpu | string |
"6"
|
Specifies the maximum amount of compute that can be consumed by pod. MUST match value used for request. |
| resources.limits.ephemeral-storage | string |
"30Gi"
|
Specifies the maximum amount of storage space available to datastore before pod is evicted. |
| resources.limits.memory | string |
"30Gi"
|
Specifies the maximum memory that can be consumed prior to pod eviction. |
| resources.requests.cpu | string |
"6"
|
Specifies the minimum amount of compute that the pod is guaranteed to receive. |
| resources.requests.ephemeral-storage | string |
"30Gi"
|
Specifies the guaranteed amount of storage space allocated to datastore. |
| resources.requests.memory | string |
"15Gi"
|
Specifies the minimum amount of memory that the pod is guaranteed to receive |
| retainCompletedScans | bool |
false
|
WIndicates whether to retain completed scans |
| scandataStorage.sizeLimit | String |
"15Gi"
|
Sets the maximum amount of temporary data that can be stored for a scan. This setting must be less than or equal to the amount of ephemeral storage defined in resources.requests.ephemeral-storage. |
| scannerDescription | string |
""
|
Provides a scanner description to add to the scanner container environment. |
| scannerPoolID | string |
"0"
|
Specifies the scanner pool ID. |
| scannerType | string |
"Fixed"
|
ScannerType to add to Scanner container environment. |
| serviceTokenSecretKey | string |
"service-token"
|
Specifies the name of the key in the secret hosting the service token. |
| serviceTokenSecretName | Opaque |
""
|
Specifies the name of the secret hosting the service token. |
| tolerations | pod.tolerations |
[]
|
Defines Toleration configurations to add to the Pods. |
| topologySpreadConstraints | pod.topologySpreadConstraints |
{}
|
Defines how the Pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains. |
| wise.additionalEnvironmentVariables | list |
[]
|
Defines any additional environment variables to add to the Pod. |
| wise.image.digest | string |
null
|
Specifies the version of the WebInspect script engine (WISE) Docker image to pull in digest format. This setting takes precedence over image.tag, if both are declared. |
| wise.image.pullPolicy | string |
"IfNotPresent"
|
Specifies the image pull behavior for the WISE Docker image. |
| wise.image.repository | string |
"fortifydocker/wise"
|
Specifies the Docker repository from which to pull the WISE image. |
| wise.image.tag | string |
"25.4.ubi.9"
|
Specifies the version of the WISE image to pull. |
| wise.resources.limits.cpu | string |
"8"
|
Specifies the maximum amount of compute that can be consumed by pod. MUST match value used for request. |
| wise.resources.limits.memory | string |
"64Gi"
|
Specifies the maximum memory that can be consumed prior to pod eviction. |
| wise.resources.requests.cpu | string |
"8"
|
Specifies the minimum amount of compute that the pod is guaranteed to receive. |
| wise.resources.requests.memory | string |
"16Gi"
|
Specifies the minimum amount of memory that the pod is guaranteed to receive. |