Polaris fAST Static

Invicti ASPM supports Polaris fAST Static (formerly Black Duck fAST) as a SAST (Static Application Security Testing) scanner. This guide explains how to activate and configure the Polaris fAST Static integration.

Polaris fAST Static is a fast, cloud-native static application security testing solution by Synopsys (now Black Duck). It provides rapid SAST scanning with low false-positive rates.

Prerequisites

Before starting the integration, ensure you have the following information from your Polaris account:

Field	Description	Required
Token	API access token generated from your Polaris account	Yes
URL	Your Polaris instance URL (e.g., `https://<your-org>.polaris.blackduck.com`)	Yes

How to Get a Token (on Polaris Side)

Log in to your Polaris instance.
Go to your profile by clicking on your username (upper left-hand corner).
Click on Access Tokens.
Click on Create New Token.
Enter a token name and save.
Copy the generated token immediately (it won't be shown again).

Step 1: Navigate to Integrations

From the left sidebar menu, click on Integrations.

Step 2: Select the SAST Tab

On the Integrations page, you will see the Scanners section with multiple tabs. Click on the SAST tab (it is selected by default).

Step 3: Find and Activate Polaris fAST Static

Scroll through the list of SAST scanners to find Polaris fAST Static.

If Polaris fAST Static is not activated, you will see an "Activate" button. Click it to enable the integration.
If Polaris fAST Static is already activated, you will see a toggle switch in the ON position and a "Deactivate" button, along with a gear icon for configuration.

Note: The scan method badge on the Polaris fAST Static card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).

Step 4: Configure Connection Settings

Click on the gear icon on the Polaris fAST Static card to open the configuration panel. Fill in the required fields:

Token: Paste the API access token you generated from Polaris.
URL: Enter your Polaris instance URL (e.g., https://<your-org>.polaris.blackduck.com).

Step 5: Test the Connection

Click the "Test Connection" button at the bottom of the configuration panel to verify that the provided credentials and URL are correct.

If the connection is successful, the integration is ready to use.
If the connection fails, verify your Token and URL values.
For existing integrations, you can use the "Retest Connection" button at the top of the panel.

Step 6: Advanced Settings (Optional)

Click on "Advanced Settings" to expand additional options:

Setting	Description	Default
Allow team leads to scan this instance	Permits team leads to trigger scans using this Polaris fAST Static instance	Off
Allow team leads to create new instances	Permits team leads to create additional Polaris fAST Static instances	Off

After modifying advanced settings, click "Save Advanced Settings" to apply changes.

Summary

Step	Action
1	Navigate to Integrations from the sidebar
2	Select the SAST tab under Scanners
3	Find Polaris fAST Static and click Activate (if not already active)
4	Click the gear icon and fill in Token, URL, and optionally Instance
5	Click Test Connection to verify
6	(Optional) Configure Advanced Settings for team lead permissions

How to Create a Scan

After activating and configuring Polaris fAST Static, you can create scans from your project's scanner settings.

Navigate to Project Scanners

Go to your Project page.
Click on the Settings tab.
Select Scanners from the left sidebar.

Add Polaris fAST Static Scanner

In the scanner type dropdown, select SAST.
In the scanner dropdown, search for and select Polaris fAST Static.
Click the Add button to open the scan configuration drawer.

Scan Configuration Fields

Field	Description	Required
Application	Select the Polaris application portfolio	Yes
Project	Select the Polaris project to bind to	Yes
Polaris fAST Static Branch	Select the Polaris branch for the scan	No
Branch	Specify the branch to scan	No
Meta Data	Additional metadata for the scan (optional)	No
Scan Tag	Tag to identify the scan (optional)	No
Fork Default Branch	Enable to fork the default branch before scanning	No

Scheduler

Now: Run the scan immediately after saving.
Custom Date: Schedule the scan for a specific date and time.

Webhook (Optional)

Enable webhook to trigger scans via actions taken on your application lifecycle management tool:

Check the Trigger scans via actions checkbox.
Select the Platform (e.g., GitHub, GitLab, Bitbucket).
Click Generate to create a Secret Key for webhook authentication.

KDT Command

You can also trigger Polaris fAST Static scans from your CI/CD pipeline using KDT:

kdt scan -p <project_name> -t fast -b <branch_name>

Click Save to create the scan configuration.

Troubleshooting

Connection Fails

Invalid Token: Ensure the Polaris access token is correct and has not expired. Generate a new token from the Polaris portal.
Incorrect URL: Verify the URL matches your Polaris instance (e.g., https://<your-org>.polaris.blackduck.com).
Network/Firewall: Ensure the Invicti ASPM instance can reach the Polaris API endpoint.

Scan Issues

No Applications Found: Verify the token has sufficient permissions to list applications in Polaris.
No Projects Found: Ensure the application has projects configured in Polaris.
Branch Not Found: Verify the specified branch has been analyzed in Polaris fAST Static.
Empty Results: Confirm that the fAST Static analysis has completed successfully on the Polaris side.

Best Practices

Use Dedicated Access Tokens: Create a dedicated Polaris access token for the Invicti ASPM integration.
Rotate Tokens Regularly: Regenerate access tokens periodically as part of your security practices.
Application Binding: Ensure the correct Polaris application and project are selected for accurate result mapping.
Use HTTPS: Always use HTTPS for the Polaris URL.

Limitations

Cloud-Based: Polaris fAST Static is a cloud-native service. An active Polaris subscription is required.
Token Expiration: Polaris access tokens may have expiration policies. Check your organization's token management settings.
Application/Project Binding: Each scan configuration is bound to a specific Polaris application and project.