Fortify ScanCentral DAST: how to scan customer internal sites

A Fortify ScanCentral DAST scan of external sites can be be achieved by directly connecting over internet.

A Fortify ScanCentral DAST scan of customer internal sites can be be achieved by using of the following options:

1. AWS Site-to-Site VPN
2. Whitelist Fortify Hosted IP address
3. Locally hosted Fortify DAST Scan Sensor
   • Websites only (not Web APIs)
   • Installed and managed by customer or Professional Services

     • A Linux image of Fortify DAST Scan Sensor/Fortify WebInspect on Docker are available for download in the Fortify Hosted Support Hub (DAST-sensor_xx.x.tar.gz) or pulling from the Fortify Docker repository: Using Fortify WebInspect on Docker .

       For information on how to use the launch artifacts to pull one of these images and start the container as a DAST sensor, see the Micro Focus Fortify WebInspect and OAST on Docker User Guide at https://www.microfocus.com/documentation/fortify-webinspect/2220/WI_Docker_Guide_22.2.0.pdf . 

       • Linux Docker scripts sample (DAST_API_ROOT_URL and DAST_SERVICE_TOKEN are provided by the Fortify Hosted team as "Fortify ScanCentral DAST API URL" and "scDastServiceToken" respectively. The DAST_API_ROOT_URL needs to be accessible by the customer without proxy):

• • • Prerequisites & Script steps:
      - Prerequisites:
          - Docker with docker compose. Linux preferred. If on Windows make sure that docker can run Linux containers and that Docker Desktop for Windows has enough resources to assign the scanner its recommended resources.
          - Local DAST scanner docker image.
          - Fortify Scancentral DAST API URL
          - scDastServiceToken
      
      - Steps for Linux:
          - Run:                                                                                                                       
      • • docker load -i <DAST-sensor_xx.x.tar.gz>                                                                             
        • docker run --rm -it -e WI_MODE="0" -v "$PWD/widocker:/etc/wi/docker-configs <SCANNER_DOCKER_IMAGE>

This will create a widocker dir in the current dir containing all necessary files to run the scanner. 
    - Change directory to widocker.
    - Edit widocker/.env
        - Change FORTIFY_SCANNER_IMAGE to <SCANNER_DOCKER_IMAGE>
        - Change DAST_API_ROOT_URL to the provided Fortify Scancentral DAST API URL.
        - Change DAST_SERVICE_TOKEN to the provided scDastServiceToken.
        - Change DAST_INSECURE to false .
    - Run: docker compose -f docker-compose.yaml -f docker-compose.mode3.yaml up -d
    - You can track the logs with: docker compose logs scanner

• • • • License
        • Utilise on-prem license - to be added to the Fortify Hosted LIM pool
        • Share Fortify Hosted DAST sensor license - from the Fortify Hosted LIM pool