Showing 77 changed files with 356 additions and 2,046 deletions.
This file was deleted.
@@ -0,0 +1,74 @@ | ||
This GitHub Action allows for easy integration of Fortify Application Security Testing (AST) into your GitHub Action workflows. It provides out-of-the-box support for Static Application Security Testing (SAST) and Software Composition Analysis (SCA); support for Dynamic or Mobile Application Security Testing (DAST & MAST) may be added in the future. Apart from utilizing the standard scan workflows provided by this GitHub Action, you may also choose to utilize the various building blocks to implement custom workflows, which can be either customized SAST or SCA workflows, or your own DAST or MAST workflows. | ||
|
||
The following sections describe these topics in more detail: | ||
|
||
* [Prerequisites](#prerequisites) | ||
* [Application Security Testing with Fortify on Demand](#application-security-testing-with-fortify-on-demand) | ||
* [Application Security Testing with SSC/ScanCentral](#application-security-testing-with-ssc-scancentral) | ||
* [Building blocks for custom workflows](#building-blocks-for-custom-workflows) | ||
|
||
## Prerequisites | ||
|
||
{{include:action/prerequisites.md}} | ||
|
||
## Application Security Testing with Fortify on Demand | ||
|
||
The standard workflow provided by this GitHub Action allows for running a Static scan and optional open-source scan (software composition analysis) on Fortify on Demand. The following sample snippet demonstrates how to invoke this GitHub Action from a GitHub Actions workflow: | ||
|
||
```yaml | ||
steps: | ||
- name: Check out source code | ||
uses: actions/checkout@v4 | ||
- name: Run FoD SAST Scan | ||
uses: fortify/github-action@{{var:action-major-version}} | ||
with: | ||
sast-scan: true | ||
debricked-sca-scan: true | ||
env: | ||
{x{include:nocomments.env-fod-sast-scan-sample.md}} | ||
``` | ||
|
||
In this example, the `with` clause specifies what scans to run: | ||
|
||
{{include:action/generic/nocomments.input-table-header.md}} | ||
| `sast-scan` | If set to `true`, run a static scan. If not specified or set to `false`, the action will run neither static or open-source scan (independent of `debricked-sca-scan` setting), as open-source scans are currently only run in combination with a static scan. | | ||
| `debricked-sca-scan` | Configure the static scan to also run an open-source scan. Depending on FoD configuration, this may be either a Debricked or a Sonatype scan. Effectively, this adds dependency data to the scan payload, and enables the open-source scan setting in the FoD scan configuration. Note that any existing FoD scan configuration will not be updated, so if the scan has already been configured in FoD, an open-source scan will only be performed if previously enabled in the existing scan configuration. | | ||
|
||
The `env` clause specifies environment variables to configure those scans. The following environment variables are currently supported: | ||
|
||
{x{include:env-fod-sast-scan.md}} | ||
|
||
{x{include:env-setup.md}} | ||
|
||
|
||
## Application Security Testing with SSC/ScanCentral | ||
|
||
The standard workflow provided by this GitHub Action allows for running a static scan on ScanCentral SAST and/or running software composition analysis on Debricked. The following sample snippet demonstrates how to invoke this GitHub Action from a GitHub Actions workflow: | ||
|
||
```yaml | ||
steps: | ||
- name: Check out source code | ||
uses: actions/checkout@v4 | ||
- name: Run FoD SAST Scan | ||
uses: fortify/github-action@{{var:action-major-version}} | ||
with: | ||
sast-scan: true | ||
debricked-sca-scan: true | ||
env: | ||
{x{include:nocomments.env-sc-sast-scan-sample.md}} | ||
``` | ||
|
||
In this example, the `with` clause specifies what scans to run: | ||
|
||
{{include:action/generic/nocomments.input-table-header.md}} | ||
| `sast-scan` | If set to `true`, run a static scan. If not specified or set to `false`, no static scan will be run. | | ||
| `debricked-sca-scan` | If set to `true`, run Debricked Software Composition Analysis. If not specified or set to `false`, no software composition analysis will be performed. | | ||
|
||
The `env` clause specifies environment variables to configure these scans. The following environment variables are currently supported: | ||
|
||
{x{include:env-sc-sast-scan.md}} | ||
|
||
{x{include:env-setup.md}} | ||
|
||
## Building blocks for custom workflows | ||
|
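Review bot: the sample step under "Application Security Testing with SSC/ScanCentral" is still named `Run FoD SAST Scan`, copied from the FoD sample above it; rename it to something like `Run ScanCentral SAST Scan` so a reader who pastes it does not label an SSC scan as FoD. Two smaller points in the same hunk: the `env:` blocks and the env tables use `{x{include:...}}` while the prerequisites and table-header includes use `{{include:...}}`; if the `x` is a deliberate escape to keep those includes from being expanded at this stage, say so in a comment, otherwise they will render literally. In the `sast-scan` row, "neither static or open-source scan" should read "neither a static nor an open-source scan", and the closing "Building blocks for custom workflows" heading has no body in this hunk.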
doc-resources/action/fod-export/nocomments.env-export-optional.md (1 change: 1 addition & 0 deletions)
@@ -0,0 +1 @@ | ||
| `DO_EXPORT`<br/>`EXPORT_ACTION`<br/>`EXPORT_EXTRA_OPTS` | If `DO_EXPORT` is set to `true` (implied if any of the other two `EXPORT_*` variables are set, and implies `DO_WAIT`), this action will will export scan results to the GitHub Security Code Scanning dashboard using the fcli-provided [FoD `github-sast-report`]({{var:fcli-doc-base-url}}fod-actions.html#_github_sast_report) action or, if specified, the custom fcli action specified through `EXPORT_ACTION`. `EXPORT_ACTION` may point to a local file or URL; this custom fcli action must support (at least) the exact same action parameters (including any environment variable based default values for those parameters) as the built-in fcli action. Any extra options for the fcli action can be passed through the `EXPORT_EXTRA_OPTS` environment variable, for example to to allow an unsigned custom action to be used.<br/><br/>Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository. GitHub only supports importing SAST results; other results will not exported to GitHub. | |
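Review bot: the `DO_EXPORT` row has three typos that will ship to the rendered docs: "will will export", "for example to to allow", and "other results will not exported" (missing "be"). While fixing those, consider also stating what happens when `DO_WAIT` is explicitly set to `false` alongside `DO_EXPORT: true`, since the row says the former is implied by the latter.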
@@ -0,0 +1 @@ | ||
| `EXPORT_ACTION`<br/>`EXPORT_EXTRA_OPTS` | This action will will export scan results to the GitHub Security Code Scanning dashboard using the fcli-provided [FoD `github-sast-report`]({{var:fcli-doc-base-url}}fod-actions.html#_github_sast_report) action or, if specified, the custom fcli action specified through `EXPORT_ACTION`. `EXPORT_ACTION` may point to a local file or URL; this custom fcli action must support (at least) the exact same action parameters (including any environment variable based default values for those parameters) as the built-in fcli action. Any extra options for the fcli action can be passed through the `EXPORT_EXTRA_OPTS` environment variable, for example to to allow an unsigned custom action to be used.<br/><br/>Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository. GitHub only supports importing SAST results; other results will not exported to GitHub. | |
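Review bot: this row repeats the same three typos as the `DO_EXPORT` variant ("will will export", "to to allow", "will not exported"), and apart from the leading `DO_EXPORT` sentence its text is identical to that row. Rather than maintaining two hand-edited copies, factor the shared description into one include that both files reference.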
@@ -0,0 +1,5 @@ | ||
| **`FOD_URL`** | Fortify on Demand URL, for example https://ams.fortify.com. Note: Using GitHub Secrets to define this URL may cause links back to FoD to be rendered incorrectly, for example in GitHub Action workflow summaries. It is highly recommended to either hard-code the URL in your workflow, or to use [GitHub Variables](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables) instead of GitHub Secrets. | | ||
| **`FOD_CLIENT_ID`**<br>**`FOD_CLIENT_SECRET`** | Required when authenticating with an API key: FoD Client ID (API key) and Secret (API secret). | | ||
| **`FOD_TENANT`**<br/>**`FOD_USER`**<br/>**`FOD_PASSWORD`** | Required when authenticating with user credentials: FoD tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password. | | ||
| `FOD_LOGIN_EXTRA_OPTS` | Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-fod-session-login.html) | | ||
| `EXTRA_FOD_LOGIN_OPTS` | Deprecated; please use `FOD_LOGIN_EXTRA_OPTS` | |
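Review bot: the `FOD_LOGIN_EXTRA_OPTS` link is built as `{{var:fcli-doc-base-url}}/manpage/...` with a leading slash, while the export rows in this commit use `{{var:fcli-doc-base-url}}fod-actions.html` without one; only one of these can be right for a given value of the variable, so pick one convention and check the rendered URL. Also, the `FOD_CLIENT_ID` row uses `<br>` while the `FOD_TENANT` row uses `<br/>`; harmonize them.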
@@ -0,0 +1 @@ | ||
| `FOD_RELEASE` | Fortify on Demand release to use with this action. This can be specified either as a numeric release id, `<app-name>:<release-name>` (for non-microservices applications) or `<app-name>:<microservice-name>:<release-name>` (for microservices applications). Default value is [`<github.repository>:<github.head_ref || github.ref_name>`](https://docs.github.com/en/actions/learn-github-actions/contexts#github-context), for example `myOrg/myRepo:myBranch`. Note that you'll need to explicitly configure `FOD_RELEASE` for microservices applications, as the default value lacks a microservice name. | |
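Review bot: the default value is given only as the expression `<github.repository>:<github.head_ref || github.ref_name>`, which readers have to decode; add a plain-words sentence saying which branch name ends up in the release name in each case, and double-check that a code span containing `||` inside link text renders correctly.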
...s/nocomments.env-fod-connection-sample.md → ...neric/fod/nocomments.snippet-fod-login.md (3 changes: 2 additions & 1 deletion)
@@ -1,4 +1,5 @@ | ||
FOD_URL: https://ams.fortify.com | ||
FOD_TENANT: ${{secrets.FOD_TENANT}} | ||
FOD_USER: ${{secrets.FOD_USER}} | ||
FOD_PASSWORD: ${{secrets.FOD_PAT}} | ||
FOD_PASSWORD: ${{secrets.FOD_PAT}} | ||
# FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s |
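Review bot: the hunk shows `FOD_PASSWORD: ${{secrets.FOD_PAT}}` twice; if the deleted and added lines differ only in trailing whitespace or line ending, confirm that was intended, since a sample with a duplicated `FOD_PASSWORD` key would be confusing to copy. A one-line comment explaining that the secret is named `FOD_PAT` because a personal access token is supplied in place of the user password (as the `FOD_PASSWORD` table row recommends) would also help readers.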
File renamed without changes.
@@ -0,0 +1,2 @@ | ||
| Environment variable | Description | | ||
| :--- | :--- | |
doc-resources/action/generic/nocomments.input-table-header.md (2 changes: 2 additions & 0 deletions)
@@ -0,0 +1,2 @@ | ||
| Action input | Description | | ||
| :--- | :--- | |
doc-resources/action/package/nocomments.env-package-extra-opts.md (2 changes: 2 additions & 0 deletions)
@@ -0,0 +1,2 @@ | ||
|`PACKAGE_EXTRA_OPTS`| By default, this action runs `scancentral package -o package.zip` to package application source code. Use `PACKAGE_EXTRA_OPTS` to specify additional packaging options, for example `PACKAGE_EXTRA_OPTS: -bt mvn -bf <custom build file>`. See [Command-line options for the package command]({{var:sc-client-doc-base-url}}#cli/package-cmd.htm) for more information on available options. | | ||
|`EXTRA_PACKAGE_OPTS`| Deprecated; please use `PACKAGE_EXTRA_OPTS` | |
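Review bot: the `EXTRA_PACKAGE_OPTS` row only says "Deprecated"; state whether the old name is still honoured and which variable takes precedence when both `EXTRA_PACKAGE_OPTS` and `PACKAGE_EXTRA_OPTS` are set, so users migrating do not silently lose packaging options. The `-bf <custom build file>` example would also read better with a concrete path, since angle brackets inside a code span look like literal syntax.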
doc-resources/action/package/nocomments.snippet-package-extra-opts.md (1 change: 1 addition & 0 deletions)
@@ -0,0 +1 @@ | ||
# PACKAGE_EXTRA_OPTS: -oss -bt mvn |
File renamed without changes.
@@ -0,0 +1 @@ | ||
| `TOOL_DEFINITIONS` | Fortify tool definitions are used by this GitHub Action to determine available versions, download location and other details of various Fortify-related tools, as required for action execution. By default, the Fortify-provided tool definitions hosted at https://github.com/fortify/tool-definitions/releases/tag/v1 will be used.<br/><br/>This environment variable allows for overriding the default tool definitions, pointing to either a URL or local (workspace) file. For example, if GitHub workflows are not allowed to download tools from their public internet locations, customers may host the tool installation bundles on an internal server, together with a customized tool definitions bundle that lists the alternative download URLs. | |
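Review bot: because `TOOL_DEFINITIONS` redirects where the action downloads and runs tools from, this row should state how the action validates a custom bundle and the tools it points to (signature or checksum verification, and whether plain `http://` URLs are accepted) and how a "local (workspace) file" path is resolved; without that, a tampered definitions file on an internal server or in the checkout would silently change which binaries the workflow executes. Also, the default location is given as a bare URL; wrap it in a link for consistency with the other rows.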
File renamed without changes.