Test internal DAST projects with Polaris Secure Tunnel

Use Polaris Secure Tunnel, a feature of the Black Duck Bridge CLI, to reach web applications and APIs in your private network over an authenticated, encrypted connection. This lets you run DAST tests on internal targets from the Polaris web UI, the Polaris API, or the Bridge CLI (which starts Secure Tunnel automatically in version 3.7.0 or later). If you plan to run DAST tests directly from Bridge (v3.7.0 or later), skip this task and see DAST configuration requirements in the Bridge CLI documentation.

Tip: When you start DAST tests on internal targets using the Bridge CLI (version 3.7.0 or later), the Bridge establishes a Secure Tunnel connection automatically. See DAST configuration requirements in the Bridge CLI documentation for more information.

About Secure Tunnel

With Secure Tunnel, you can establish a secure TLS connection directly to a target web application or API in your private network, without the need to open any ports or allowlist IP ranges for Polaris.

Secure Tunnel uses the Teleport Access Platform for secure and self-service connectivity to private applications. Teleport functionality is integrated with the Bridge CLI and requires no account setup or local installation.

Note: Secure Tunnel is available in the Bridge CLI version 3.1.0 or later. This feature currently works on Mac and Linux only. For a full list of prerequisites, see Connect to an internal DAST target from the Bridge CLI in the Bridge CLI documentation.

Prerequisites

Before you begin, make sure that you have:

Connect to an internal DAST project with Secure Tunnel

Use the Bridge CLI to open a secure tunnel between Polaris and an internal target in your private network. You can skip this task if you plan to run DAST tests on the target directly from Bridge; see DAST configuration requirements for details. Note that Bridge does not create DAST projects in Polaris.

  1. Sign in to Polaris.
  2. Open your terminal.
  3. Pass your access token or service account token to the Bridge CLI using an environment variable:
    export BRIDGE_POLARIS_ACCESSTOKEN=YOUR_TOKEN
    Note: You can use either an access token created in the Polaris UI or a service account token.
  4. In your terminal, run the Bridge CLI with the options shown in the following example:
    bridge-cli --stage polaris-secure-tunnel polaris.application.name="My Application" polaris.project.name="Internal DAST project"
    • Set the --stage argument to polaris-secure-tunnel.
    • For polaris.application.name, specify an application that is associated with a DAST entitlement.
    • For polaris.project.name, specify an internal DAST project.
  5. Teleport establishes a secure tunnel on port 443 between Polaris and your private network.
    Important: Leave the Secure Tunnel session running in your terminal until your testing is complete.
  6. (Optional) Go to Profiles > Edit Profile to run a connection test.
Now that the secure tunnel is open, you can run a DAST test on the project from either the Polaris web UI or the API. When the test is complete, stop the Secure Tunnel session in your terminal, or leave the connection open for further DAST tests on the same internal project.
Note: Each project can have only one active secure tunnel connection at a time. While you leave a Secure Tunnel session open, other tests for the configured project will be routed through that same secure tunnel.
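The following POSIX shell wrapper is an added example, not Black Duck's or the Bridge CLI's own code. It scripts the procedure above: it checks that the token is present in BRIDGE_POLARIS_ACCESSTOKEN and does not also appear on the command line (where it would be visible in `ps` and shell history), builds the documented bridge-cli invocation with properly quoted application and project names, and refuses to open a second tunnel for the same project from the same host, since each project can have only one active tunnel. Only the `--stage polaris-secure-tunnel`, `polaris.application.name` and `polaris.project.name` options come from the documentation; the function names, the DRY_RUN switch and the mkdir-based lock directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Black Duck's or the Bridge CLI's own code: a wrapper that
# opens a Polaris Secure Tunnel for one internal DAST project. Only the
# --stage and polaris.* options come from the documentation; the function
# names, DRY_RUN and the lock directory are assumptions made here.

# Refuse to proceed unless the token arrives through the environment variable
# the Bridge CLI reads, and never through argv, which is visible to every
# local user in `ps` and ends up in shell history.
# Usage: token_ok <bridge-cli arguments...>
token_ok() {
  if [ -z "${BRIDGE_POLARIS_ACCESSTOKEN:-}" ]; then
    echo "BRIDGE_POLARIS_ACCESSTOKEN is not set; export it before opening the tunnel" >&2
    return 1
  fi
  for arg in "$@"; do
    case "$arg" in
      *"$BRIDGE_POLARIS_ACCESSTOKEN"*)
        echo "token value found on the command line; pass it only via the environment" >&2
        return 1 ;;
    esac
  done
  return 0
}

# Render the documented invocation for display (dry run). Names with spaces,
# such as "My Application", are shown single-quoted so the line can be pasted.
# Usage: tunnel_cmd <application> <project>
tunnel_cmd() {
  printf "bridge-cli --stage polaris-secure-tunnel 'polaris.application.name=%s' 'polaris.project.name=%s'\n" "$1" "$2"
}

# Per-project lock path under TMPDIR (assumption of this example): only one
# tunnel per project may be open, so a second invocation for the same project
# on this host is rejected before bridge-cli is started.
# Usage: lock_dir <project>
lock_dir() {
  printf '%s/polaris-tunnel-%s' "${TMPDIR:-/tmp}" "$(printf '%s' "$1" | tr -c '[:alnum:]_.-' '_')"
}

# Open the tunnel in the foreground and keep it there until testing is done;
# Ctrl-C ends the session and releases the lock. With DRY_RUN=1, or when
# bridge-cli is not on PATH, the command is printed instead of executed.
# Usage: open_tunnel <application> <project>
open_tunnel() {
  app="$1"; project="$2"
  if [ -z "$app" ] || [ -z "$project" ]; then
    echo "usage: open_tunnel <application> <project>" >&2
    return 2
  fi
  # Reuse the positional parameters as the exact argv bridge-cli will receive.
  set -- --stage polaris-secure-tunnel \
    "polaris.application.name=$app" "polaris.project.name=$project"
  token_ok "$@" || return 1
  if [ "${DRY_RUN:-0}" = 1 ] || ! command -v bridge-cli >/dev/null 2>&1; then
    tunnel_cmd "$app" "$project"
    return 0
  fi
  lock="$(lock_dir "$project")"
  if ! mkdir "$lock" 2>/dev/null; then
    echo "a Secure Tunnel for '$project' is already open from this host ($lock)" >&2
    return 1
  fi
  trap 'rmdir "$lock" 2>/dev/null' EXIT INT TERM
  bridge-cli "$@"
}

# Example session (constructed names). Read the token from a file or secret
# store rather than typing it inline, then leave the tunnel running while the
# DAST test is started from the Polaris UI or API.
#   export BRIDGE_POLARIS_ACCESSTOKEN="$(cat "$HOME/.polaris/token")"
#   open_tunnel "My Application" "Internal DAST project"
```

The lock only guards against a duplicate tunnel from the same machine; a tunnel opened for the same project from another host is not visible to it, so the documented one-tunnel-per-project rule still has to be observed across the team.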

Test a DAST project

Follow these steps to run a DAST test from the Polaris user interface:

  1. There's more than one way to start this procedure:
    • Go to Portfolio, select an application, click the three-dot icon at the end of the project's row, and select New Test.
    • Go to Tests and select New Test.
  2. Use the Application and Project dropdown menus to select the DAST profile to test.
    Note: Depending on how you start a test, the Application, Project, and Profile values may already be filled in.
  3. (Optional) Select Test Connection.
    This test can take a few minutes to complete and ensures:
    • The Entry Point URL is valid.
    • Polaris can connect to the web application.
    • Polaris can authenticate with the web application.
  4. Select Begin Test.
Monitor test progress on the Tests page (accessible from the left-hand navbar). Newer tests appear near the top of the page. Filter tests by date, type, mode, status, and the application, project, or branch/profile tested.