Test internal DAST projects with Polaris Secure Tunnel

With Polaris Secure Tunnel, you can securely connect to web applications and APIs inside your private network through the Black Duck Bridge CLI. After creating an internal DAST project in Polaris, use Secure Tunnel to connect to the project and open a secure connection. Then, you can run DAST tests on the project from the Polaris user interface or API.

About Secure Tunnel

Dynamic testing of internal web applications or APIs requires a secure connection between Polaris and your private network. With the Polaris Secure Tunnel feature of the Bridge CLI, you can establish a secure TLS connection directly to the target application or API in your internal environment, without the need to open any ports or allowlist our IP ranges.

Secure Tunnel uses the Teleport Access Platform for secure, self-serve internal app connectivity. Teleport functionality is integrated with the Bridge CLI and requires no account setup or local installation.

Note: Secure Tunnel is available in the Bridge CLI version 3.1.0 and later. This feature currently works on Mac and Linux only. For a full list of prerequisites, see Connect to an internal DAST target from the Bridge CLI in the Bridge CLI documentation.

Connect to an internal DAST project with Secure Tunnel

  1. Sign in to Polaris.
  2. Open your terminal.
  3. Pass your access token to the Bridge CLI using an environment variable:
    export BRIDGE_POLARIS_ACCESSTOKEN=POLARIS_ACCESS_TOKEN
  4. In your terminal, run the Bridge CLI with the options shown in the following example:
    bridge-cli --stage polaris-secure-tunnel polaris.application.name="My Application" polaris.project.name="Internal DAST project"
    • Set the --stage argument to polaris-secure-tunnel.
    • For polaris.application.name, specify an application that is associated with a DAST entitlement.
    • For polaris.project.name, specify an internal DAST project.
  5. Teleport establishes a secure tunnel on port 443 between Polaris and your private network.
    Important: Leave the Secure Tunnel session running in your terminal until your testing is complete.
  6. (Optional) Go to Profiles > Edit Profile to run a connection test.
Now that the secure tunnel is open, you can run a DAST test on the project, either from the Polaris user interface or via the API. When the test is complete, stop the Secure Tunnel session in your terminal, or leave the connection open for further DAST tests on the same internal project.
Note: Only one secure tunnel will be used for a project at a time. While you leave a Secure Tunnel session open, other tests for the configured project will be routed through that same secure tunnel.
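
A preflight wrapper for the connection steps above, added here as an example; it is not part of the Bridge CLI or the Polaris documentation. It assumes the access token is kept in a file only you can read and that you pass the installed Bridge CLI version yourself; the function names and the four-argument invocation are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not Black Duck code. Assumptions: the token file path and the
# Bridge CLI version are supplied by you; all function names are hypothetical.

MIN_VERSION="3.1.0"  # first Bridge CLI version with Secure Tunnel (per the note above)

# Succeeds for the `uname -s` values of the supported platforms (Mac, Linux).
platform_supported() {
  case "$1" in Darwin|Linux) return 0 ;; *) return 1 ;; esac
}

# Succeeds when dotted numeric version $1 >= $2 (compares up to three fields).
version_at_least() {
  local have=$1 want=$2 a b i
  for i in 1 2 3; do
    a=${have%%.*}; b=${want%%.*}
    [ "${a:-0}" -gt "${b:-0}" ] && return 0
    [ "${a:-0}" -lt "${b:-0}" ] && return 1
    case "$have" in *.*) have=${have#*.} ;; *) have=0 ;; esac
    case "$want" in *.*) want=${want#*.} ;; *) want=0 ;; esac
  done
  return 0
}

# Exports the token from the first line of a file, so it is never typed on
# the command line. Rejects an empty file and the page's literal placeholder.
load_token() {
  local token=""
  [ -r "$1" ] || return 1
  IFS= read -r token < "$1" || true
  [ -n "$token" ] || return 1
  [ "$token" != "POLARIS_ACCESS_TOKEN" ] || return 1
  export BRIDGE_POLARIS_ACCESSTOKEN="$token"
}

# Runs the checks, then the command from step 4. bridge-cli stays in the
# foreground: leave it running until testing is complete.
open_tunnel() {
  platform_supported "$(uname -s)" || { echo "Mac or Linux required" >&2; return 1; }
  version_at_least "$4" "$MIN_VERSION" || { echo "Bridge CLI $MIN_VERSION+ required" >&2; return 1; }
  load_token "$3" || { echo "no usable token in $3" >&2; return 1; }
  bridge-cli --stage polaris-secure-tunnel \
    polaris.application.name="$1" polaris.project.name="$2"
}

# Usage: ./tunnel.sh "My Application" "Internal DAST project" ~/.polaris_token 3.1.0
if [ "$#" -eq 4 ]; then open_tunnel "$@"; fi
```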

Test a DAST project

Follow these steps to run a DAST test from the Polaris user interface:

  1. There's more than one way to start this procedure:
    • Go to Portfolio, select an application, click the icon at the end of the project's row, and select New Test.
    • Go to Tests and select New Test.
  2. Use the Application and Project dropdown menus to select the DAST profile to scan.
    Note: Depending on how you start a test, the Application, Project, and Profile values may already be filled in.
  3. (Optional) Select Test Connection.
    This test can take a few minutes to complete and ensures:
    • The Entry Point URL is valid.
    • Polaris can connect to the web application.
    • Polaris can authenticate with the web application.
  4. Select Begin Test.
Monitor test progress on the Tests page (accessible from the left-hand navbar). Newer tests appear near the top of the page. Filter tests by date, type, mode, status, and the application, project, or branch/profile tested.