Commit

docs: Fix ScanCentral Client URLs

rsenden committed Sep 11, 2024
1 parent 6269580 commit 32e8d57
Showing 14 changed files with 144 additions and 91 deletions.
140 changes: 87 additions & 53 deletions README.md

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion doc-resources/action-package.md
@@ -1,4 +1,4 @@
This action packages application source code using [ScanCentral Client]({{var:sc-client-doc-base-url}}#A_Clients.htm). The output package is saved as `package.zip`.
This action packages application source code using [ScanCentral Client]({{var:sc-client-doc-base-url}}#cli/package-cmd.htm). The output package is saved as `package.zip`.

{{include:action-prerequisites.md}}
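Review bot: the retargeted link on the first line now sends readers to the `package` command page instead of the generic clients overview, which fits this action, but the link text is still "ScanCentral Client"; consider "ScanCentral Client `package` command" so the text matches the destination. The `#cli/package-cmd.htm` fragment is relative to whatever `{{var:sc-client-doc-base-url}}` expands to, so that variable must keep ending in `index.htm` (as the rendered `package/README.md` in this commit shows) for the anchor to resolve.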

2 changes: 1 addition & 1 deletion doc-resources/action-setup.md
@@ -2,7 +2,7 @@ This action allows for setting up the Fortify tools listed below. Which tools an

* [fcli](https://github.com/fortify/fcli)
* [Debricked CLI](https://github.com/debricked/cli)
* [ScanCentral Client]({{var:sc-client-doc-base-url}}#A_Clients.htm)
* [ScanCentral Client]({{var:sc-client-doc-base-url}}#cli/intro.htm)
* [FoDUploader](https://github.com/fod-dev/fod-uploader-java)
* [FortifyVulnerabilityExporter](https://github.com/fortify/FortifyVulnerabilityExporter)
* [FortifyBugTrackerUtility](https://github.com/fortify-ps/FortifyBugTrackerUtility)
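Review bot: the same `#cli/intro.htm` fragment is introduced in `repo-readme.md` in this commit as well; since the fragment encodes the layout of the vendor help site, consider putting it in a variable next to `sc-client-doc-base-url` so a future restructuring of that site is a one-line change rather than a multi-file edit like this one.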
2 changes: 1 addition & 1 deletion doc-resources/env-fod-package.md
@@ -5,4 +5,4 @@ If FoD Software Composition Analysis has been purchased and configured on the ap

Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient to properly package application source code. Depending on your build setup, you may however need to configure the `EXTRA_PACKAGE_OPTS` environment variable to specify additional packaging options.

As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf <custom build file>` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command]({{var:sc-client-doc-base-url#CLI.htm#Package}}) for more information on available options.
As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf <custom build file>` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command]({{var:sc-client-doc-base-url}}#cli/package-cmd.htm) for more information on available options.
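Review bot: beyond retargeting the URL, this line fixes a malformed template expression: the old `{{var:sc-client-doc-base-url#CLI.htm#Package}}` placed the fragment inside the variable braces, so the placeholder was never substituted (the pre-change `fod-sast-scan/README.md` in this commit still shows the literal `{{var:...}}` text in the rendered output). The commit message could say that this link was broken, not merely changed, since every generated README that includes this file was affected.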
4 changes: 2 additions & 2 deletions doc-resources/env-fod-sast-scan.md
@@ -8,11 +8,11 @@
**`EXTRA_FOD_SAST_SCAN_OPTS`** - OPTIONAL
Extra FoD SAST scan options; see [`fcli fod sast-scan start` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-fod-sast-scan-start.html)

{{include:env-do-wait.md}}

{{include:env-do-job-summary.md}}

{{include:env-do-export.md}}

{{include:env-do-pr-comment.md}}

{{include:env-do-wait.md}}
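Review bot: moving `{{include:env-do-wait.md}}` above the job-summary, export and PR-comment includes is a sensible reorder, as those later sections refer back to `DO_WAIT` ("which implies `DO_WAIT`"), but it is unrelated to the ScanCentral Client URL fix named in the commit message; either mention the reorder in the message or split it into its own commit so the history stays searchable.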

2 changes: 1 addition & 1 deletion doc-resources/env-package.md
@@ -1,4 +1,4 @@
**`EXTRA_PACKAGE_OPTS`** - OPTIONAL
By default, this action runs `scancentral package -o package.zip` to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient. Depending on your build setup, you may however need to configure the `EXTRA_PACKAGE_OPTS` environment variable to specify additional packaging options.

As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf <custom build file>` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command]({{var:sc-client-doc-base-url#CLI.htm#Package}}) for more information on available options.
As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf <custom build file>` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command]({{var:sc-client-doc-base-url}}#cli/package-cmd.htm) for more information on available options.
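Review bot: this is the same template-expression fix applied in `env-fod-package.md`, and the surrounding `EXTRA_PACKAGE_OPTS` paragraph is duplicated verbatim between the two files; extracting the shared explanation into a single include would have made this a one-place fix and keeps the two copies from drifting apart again.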
4 changes: 2 additions & 2 deletions doc-resources/env-sc-sast-scan.md
@@ -20,11 +20,11 @@ Version of the ScanCentral SAST sensor on which the scan should be performed. Se
**`EXTRA_SC_SAST_SCAN_OPTS`** - OPTIONAL
Extra ScanCentral SAST scan options; see [`fcli sc-sast scan start` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-sc-sast-scan-start.html)

{{include:env-do-wait.md}}

{{include:env-do-job-summary.md}}

{{include:env-do-export.md}}

{{include:env-do-pr-comment.md}}

{{include:env-do-wait.md}}
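Review bot: same reorder as in `env-fod-sast-scan.md`; the two files are now consistent, which is good, but the change is again outside the scope stated in the commit message.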

4 changes: 3 additions & 1 deletion doc-resources/env-ssc-debricked-scan.md
@@ -7,6 +7,8 @@ See the [Generate access token](https://docs.debricked.com/product/administratio

{{include:env-ssc-appversion.md}}

{{include:env-do-wait.md}}

{{include:env-do-job-summary.md}}

{{include:env-do-wait.md}}
{{include:env-do-pr-comment.md}}
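Review bot: in addition to moving the `env-do-wait.md` include, the last line of this hunk adds `{{include:env-do-pr-comment.md}}` to the Debricked scan docs, which documents `DO_PR_COMMENT` support for Debricked scans for the first time; please confirm that the `ssc-debricked-scan` action actually honours `DO_PR_COMMENT`, `PR_COMMENT_ACTION` and `PR_COMMENT_EXTRA_OPTS` before publishing this, since the rendered `ssc-debricked-scan/README.md` in this commit now promises that behaviour, and a documented-but-ignored setting is easy to misread as "PR gating is on".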
4 changes: 2 additions & 2 deletions doc-resources/repo-readme.md
@@ -11,7 +11,7 @@ The [Fortify github-action repository]({{var:repo-url}}) hosts various Fortify-r
* [`fortify/github-action/fod-export`](#fortify-github-action-fod-export)
Export SAST vulnerability data from Fortify on Demand to the GitHub Security dashboard.
* [`fortify/github-action/setup`](#fortify-github-action-setup)
Install various Fortify tools like [fcli](https://github.com/fortify/fcli), [ScanCentral Client]({{var:sc-client-doc-base-url}}#A_Clients.htm), [FortifyVulnerabilityExporter](https://github.com/fortify/FortifyVulnerabilityExporter) and [FortifyBugTrackerUtility](https://github.com/fortify-ps/FortifyBugTrackerUtility) for use in your pipeline
Install various Fortify tools like [fcli](https://github.com/fortify/fcli), [ScanCentral Client]({{var:sc-client-doc-base-url}}#cli/intro.htm), [FortifyVulnerabilityExporter](https://github.com/fortify/FortifyVulnerabilityExporter) and [FortifyBugTrackerUtility](https://github.com/fortify-ps/FortifyBugTrackerUtility) for use in your pipeline

**Fortify Sofware Security Center (SSC) / ScanCentral SAST / Debricked**
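Review bot: unrelated to the link change, the context line "**Fortify Sofware Security Center (SSC) / ScanCentral SAST / Debricked**" directly below the edited bullet misspells "Software"; worth fixing while this file is being touched, as it is a section heading that propagates into the generated top-level README.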

@@ -26,7 +26,7 @@ The [Fortify github-action repository]({{var:repo-url}}) hosts various Fortify-r
* [`fortify/github-action/ssc-export`](#fortify-github-action-ssc-export)
Export SAST vulnerability data from Fortify SSC to the GitHub Security dashboard.
* [`fortify/github-action/setup`](#fortify-github-action-setup)
Install various Fortify tools like [fcli](https://github.com/fortify/fcli), [ScanCentral Client]({{var:sc-client-doc-base-url}}#A_Clients.htm), [FortifyVulnerabilityExporter](https://github.com/fortify/FortifyVulnerabilityExporter) and [FortifyBugTrackerUtility](https://github.com/fortify-ps/FortifyBugTrackerUtility) for use in your pipeline
Install various Fortify tools like [fcli](https://github.com/fortify/fcli), [ScanCentral Client]({{var:sc-client-doc-base-url}}#cli/intro.htm), [FortifyVulnerabilityExporter](https://github.com/fortify/FortifyVulnerabilityExporter) and [FortifyBugTrackerUtility](https://github.com/fortify-ps/FortifyBugTrackerUtility) for use in your pipeline

<a name="fortify-github-action"></a>
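Review bot: this hunk repeats the tool list from the FoD section above word for word, including the ScanCentral Client link, so one URL change had to be made in two places in this file; a single include for the tool list would remove the duplication.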

20 changes: 10 additions & 10 deletions fod-sast-scan/README.md
@@ -90,7 +90,7 @@ If FoD Software Composition Analysis has been purchased and configured on the ap

Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient to properly package application source code. Depending on your build setup, you may however need to configure the `EXTRA_PACKAGE_OPTS` environment variable to specify additional packaging options.

As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf <custom build file>` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command]({{var:sc-client-doc-base-url#CLI.htm#Package}}) for more information on available options.
As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf <custom build file>` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options.

<!-- END-INCLUDE:env-fod-package.md -->

@@ -99,6 +99,15 @@ As an example, if the build file that you want to use for packaging doesn't adhe
Extra FoD SAST scan options; see [`fcli fod sast-scan start` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-fod-sast-scan-start.html)


<!-- START-INCLUDE:env-do-wait.md -->

**`DO_WAIT`** - OPTIONAL
By default, this action will not wait until scans have been completed. To have the workflow wait until all scans have been completed, set the `DO_WAIT` environment variable to `true`. Note that some other environment variables imply `DO_WAIT`, for example when exporting vulnerability data or generating workflow summaries. This behavior is documented in the applicable environment variable descriptions.

<!-- END-INCLUDE:env-do-wait.md -->



<!-- START-INCLUDE:env-do-job-summary.md -->

**`DO_JOB_SUMMARY`, `JOB_SUMMARY_ACTION`, `JOB_SUMMARY_EXTRA_OPTS`** - OPTIONAL
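Review bot: the context line linking the `fcli fod sast-scan start` documentation renders as `https://fortify.github.io/fcli/v2.6.0//manpage/...` with a doubled slash, so `{{var:fcli-doc-base-url}}` evidently ends in `/` while `env-fod-sast-scan.md` also prefixes the path with `/`; most servers tolerate it, but it is worth normalising in the variable since the same doubled slash appears in `sc-sast-scan/README.md`. Otherwise this generated block matches the reordered includes in its source file.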
@@ -135,15 +144,6 @@ PR comments are generated by comparing scan results from the current GitHub Acti
<!-- END-INCLUDE:env-do-pr-comment.md -->



<!-- START-INCLUDE:env-do-wait.md -->

**`DO_WAIT`** - OPTIONAL
By default, this action will not wait until scans have been completed. To have the workflow wait until all scans have been completed, set the `DO_WAIT` environment variable to `true`. Note that some other environment variables imply `DO_WAIT`, for example when exporting vulnerability data or generating workflow summaries. This behavior is documented in the applicable environment variable descriptions.

<!-- END-INCLUDE:env-do-wait.md -->


<!-- END-INCLUDE:env-fod-sast-scan.md -->


4 changes: 2 additions & 2 deletions package/README.md
@@ -11,7 +11,7 @@

<!-- START-INCLUDE:action-package.md -->

This action packages application source code using [ScanCentral Client](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#A_Clients.htm). The output package is saved as `package.zip`.
This action packages application source code using [ScanCentral Client](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm). The output package is saved as `package.zip`.


<!-- START-INCLUDE:action-prerequisites.md -->
@@ -36,7 +36,7 @@ This action assumes the standard software packages as provided by GitHub-hosted
**`EXTRA_PACKAGE_OPTS`** - OPTIONAL
By default, this action runs `scancentral package -o package.zip` to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient. Depending on your build setup, you may however need to configure the `EXTRA_PACKAGE_OPTS` environment variable to specify additional packaging options.

As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf <custom build file>` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command]({{var:sc-client-doc-base-url#CLI.htm#Package}}) for more information on available options.
As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf <custom build file>` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options.

<!-- END-INCLUDE:env-package.md -->

20 changes: 10 additions & 10 deletions sc-sast-scan/README.md
@@ -102,7 +102,7 @@ Fortify SSC application version to use with this action. This can be specified e
**`EXTRA_PACKAGE_OPTS`** - OPTIONAL
By default, this action runs `scancentral package -o package.zip` to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default `scancentral` command is often sufficient. Depending on your build setup, you may however need to configure the `EXTRA_PACKAGE_OPTS` environment variable to specify additional packaging options.

As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf <custom build file>` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command]({{var:sc-client-doc-base-url#CLI.htm#Package}}) for more information on available options.
As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the `-bf <custom build file>` option using the `EXTRA_PACKAGE_OPTS` environment variable. See [Command-line options for the package command](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/package-cmd.htm) for more information on available options.

<!-- END-INCLUDE:env-package.md -->

@@ -114,6 +114,15 @@ Version of the ScanCentral SAST sensor on which the scan should be performed. Se
Extra ScanCentral SAST scan options; see [`fcli sc-sast scan start` documentation](https://fortify.github.io/fcli/v2.6.0//manpage/fcli-sc-sast-scan-start.html)


<!-- START-INCLUDE:env-do-wait.md -->

**`DO_WAIT`** - OPTIONAL
By default, this action will not wait until scans have been completed. To have the workflow wait until all scans have been completed, set the `DO_WAIT` environment variable to `true`. Note that some other environment variables imply `DO_WAIT`, for example when exporting vulnerability data or generating workflow summaries. This behavior is documented in the applicable environment variable descriptions.

<!-- END-INCLUDE:env-do-wait.md -->



<!-- START-INCLUDE:env-do-job-summary.md -->

**`DO_JOB_SUMMARY`, `JOB_SUMMARY_ACTION`, `JOB_SUMMARY_EXTRA_OPTS`** - OPTIONAL
@@ -150,15 +159,6 @@ PR comments are generated by comparing scan results from the current GitHub Acti
<!-- END-INCLUDE:env-do-pr-comment.md -->



<!-- START-INCLUDE:env-do-wait.md -->

**`DO_WAIT`** - OPTIONAL
By default, this action will not wait until scans have been completed. To have the workflow wait until all scans have been completed, set the `DO_WAIT` environment variable to `true`. Note that some other environment variables imply `DO_WAIT`, for example when exporting vulnerability data or generating workflow summaries. This behavior is documented in the applicable environment variable descriptions.

<!-- END-INCLUDE:env-do-wait.md -->


<!-- END-INCLUDE:env-sc-sast-scan.md -->


2 changes: 1 addition & 1 deletion setup/README.md
@@ -15,7 +15,7 @@ This action allows for setting up the Fortify tools listed below. Which tools an

* [fcli](https://github.com/fortify/fcli)
* [Debricked CLI](https://github.com/debricked/cli)
* [ScanCentral Client](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#A_Clients.htm)
* [ScanCentral Client](https://www.microfocus.com/documentation/fortify-software-security-center/2420/SC_SAST_Help_24.2.0/index.htm#cli/intro.htm)
* [FoDUploader](https://github.com/fod-dev/fod-uploader-java)
* [FortifyVulnerabilityExporter](https://github.com/fortify/FortifyVulnerabilityExporter)
* [FortifyBugTrackerUtility](https://github.com/fortify-ps/FortifyBugTrackerUtility)
25 changes: 21 additions & 4 deletions ssc-debricked-scan/README.md
@@ -82,6 +82,15 @@ Fortify SSC application version to use with this action. This can be specified e



<!-- START-INCLUDE:env-do-wait.md -->

**`DO_WAIT`** - OPTIONAL
By default, this action will not wait until scans have been completed. To have the workflow wait until all scans have been completed, set the `DO_WAIT` environment variable to `true`. Note that some other environment variables imply `DO_WAIT`, for example when exporting vulnerability data or generating workflow summaries. This behavior is documented in the applicable environment variable descriptions.

<!-- END-INCLUDE:env-do-wait.md -->



<!-- START-INCLUDE:env-do-job-summary.md -->

**`DO_JOB_SUMMARY`, `JOB_SUMMARY_ACTION`, `JOB_SUMMARY_EXTRA_OPTS`** - OPTIONAL
@@ -91,12 +100,20 @@ If `DO_JOB_SUMMARY` is set to `true` (which implies `DO_WAIT`), this action will



<!-- START-INCLUDE:env-do-wait.md -->
<!-- START-INCLUDE:env-do-pr-comment.md -->

**`DO_WAIT`** - OPTIONAL
By default, this action will not wait until scans have been completed. To have the workflow wait until all scans have been completed, set the `DO_WAIT` environment variable to `true`. Note that some other environment variables imply `DO_WAIT`, for example when exporting vulnerability data or generating workflow summaries. This behavior is documented in the applicable environment variable descriptions.
**`DO_PR_COMMENT`, `PR_COMMENT_ACTION`, `PR_COMMENT_EXTRA_OPTS`** - OPTIONAL
If `DO_PR_COMMENT` is set to `true` (which implies `DO_WAIT`), this action will generate a pull request comment listing new, re-introduced and removed issues using the fcli-provided `github-pr-comment` action or, if specified, the custom fcli action specified through `PR_COMMENT_ACTION`. `PR_COMMENT_ACTION` may point to a local file or URL; this custom fcli action must support (at least) the exact same action parameters (including any environment variable based default values for those parameters) as the built-in fcli action. Any extra options for the fcli action can be passed through the `PR_COMMENT_EXTRA_OPTS` environment variable, for example to specify the SSC filter set from which to load issue data, or to allow an unsigned custom action to be used. Please see https://fortify.github.io/fcli/v2.6.0/#_actions for more information.

<!-- END-INCLUDE:env-do-wait.md -->
Note that pull request comments will only be generated under the following conditions:

* `GITHUB_TOKEN` environment variable needs to be set to a valid GitHub token, for example from `{{ secrets.GITHUB_TOKEN }}`.
* Standard `GITHUB_REF_NAME` environment variable points to a pull request.
* All other standard GitHub environment variables like `GITHUB_REPOSITORY` and `GITHUB_SHA` are set.

PR comments are generated by comparing scan results from the current GitHub Action run against the previous scan in the same application version/release; it won't detect any new/removed issues from older scans. For best results, you should configure the GitHub Action to run only on pull request creation (not on every commit) and optionally allow for manual runs (if you want to re-run the scan after a PR is updated). You should also configure the action to automatically create a dedicated application version/release for the current branch/PR, copying state from the main/parent branch version/release. This will allow the action to compare scan results for the current GitHub Action run against the last scan results of the main/parent branch.

<!-- END-INCLUDE:env-do-pr-comment.md -->


<!-- END-INCLUDE:env-ssc-debricked-scan.md -->
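Review bot: in the newly included PR-comment section, the example `{{ secrets.GITHUB_TOKEN }}` is missing the leading `$`; GitHub Actions expression syntax is `${{ secrets.GITHUB_TOKEN }}`, so a reader copying this into an `env:` block would pass the literal string rather than the token and the comment step would fail authentication. The text comes from `env-do-pr-comment.md`, which is not part of this commit, so the fix belongs there and the other generated READMEs will inherit it.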