feat: Add ability to run and import Debricked scans into SSC (closes #41

)

action.yml

@@ -6,13 +6,21 @@ inputs:
     description: 'Run a SAST scan, takes either true or false (default)'
     default: 'false'
     required: false
+  debricked-sca-scan:
+    description: 'Run a Debricked Software Composition Analysis, takes either true or false (default)'
+    default: 'false'
+    required: false
 runs:
   using: composite
   steps:
     - uses: fortify/github-action/[email protected]
-      if: inputs['sast-scan']=='true' && env.FOD_URL
+      if: inputs['sast-scan']=='true' && env.FOD_URL 
     - uses: fortify/github-action/[email protected]
-      if: inputs['sast-scan']=='true' && env.SSC_URL  
+      if: inputs['sast-scan']=='true' && env.SSC_URL 
+      env:
+        DO_DEBRICKED_SCAN: ${{ inputs['debricked-sca-scan'] }}
+    - uses: fortify/github-action/[email protected]
+      if: inputs['sast-scan']=='false' && inputs['debricked-sca-scan']=='true' && env.SSC_URL 
 
 branding:
   icon: 'shield'

doc-resources/action-fod-sast-scan.md

@@ -8,10 +8,13 @@ The SAST and optional open source scan performed by this action consists of the
 * Optionally wait for the scan to complete
 * Optionally export scan results to the GitHub Code Scanning dashboard
 
-Before running this action, please ensure that the appropriate release has been created on FoD and has been configured for SAST scans. Future versions of this action may add support for automating app/release creation and scan setup. If open source scanning has been enabled in the FoD SAST scan configuration, be sure to pass the `-oss` option through the `EXTRA_PACKAGE_OPTS` environment variable.
-
 {{include:action-prerequisites.md}}
 
+Apart from the generic action prerequisites listed above, the following prerequisites apply to this specific action:
+
+* The appropriate application release exists on FoD and has been configured for SAST scans. Future versions of this action may add support for automating app/release creation and scan setup.
+* If open source scanning has been enabled in the FoD SAST scan configuration, be sure to pass the `-oss` option through the `EXTRA_PACKAGE_OPTS` environment variable.
+
 ### Action environment variable inputs
 
 {{include:env-fod-sast-scan.md}}

doc-resources/action-sc-sast-scan.md

@@ -3,13 +3,17 @@ This action performs a SAST scan on ScanCentral SAST, consisting of the followin
 * Login to ScanCentral SAST Controller
 * Package application source code using ScanCentral Client
 * Submit the source code package to be scanned to ScanCentral SAST Controller
-* Optionally wait for the scan to complete
+* Optionally run a Debricked Software Composition Analysis scan
+* Optionally wait for all scans to complete and results having been processed by SSC
 * Optionally export scan results to the GitHub Code Scanning dashboard
 
-Before running this action, please ensure that the appropriate application version has been created on SSC. Future versions of this action may add support for automating application version creation.
-
 {{include:action-prerequisites.md}}
 
+Apart from the generic action prerequisites listed above, the following prerequisites apply to this specific action:
+
+* The appropriate application version must exist on SSC. Future versions of this action may add support for automating application version creation.
+* If Debricked scanning is enabled, the [Fortify SSC Parser Plugin for Debricked results](https://github.com/fortify/fortify-ssc-parser-debricked-cyclonedx) must be installed on Fortify SSC, to allow for SSC to accept and process the Debricked scan results submitted by this action.
+
 ### Action environment variable inputs
 
 {{include:env-sc-sast-scan.md}}

doc-resources/action-ssc-debricked-scan.md

@@ -0,0 +1,36 @@
+This action performs a Debricked Software Composition Analysis (SCA) scan, consisting of the following steps:
+
+* Login to Fortify SSC
+* Run Debricked scan
+* Publish Debricked scan results to Fortify SSC
+* Optionally wait for SSC artifact processing to complete
+
+Note that this action is explicitly meant for Debricked/SSC integration. If you wish to run a Debricked scan without publishing the results to SSC, please see the [Debricked GitHub Integration documentation](https://portal.debricked.com/integrations-48/integration-with-github-214#github-actions)
+
+{{include:action-prerequisites.md}}
+
+Apart from the generic action prerequisites listed above, the following prerequisites apply to this specific action:
+
+* The appropriate application version must exist on SSC. Future versions of this action may add support for automating application version creation.
+* The [Fortify SSC Parser Plugin for Debricked results](https://github.com/fortify/fortify-ssc-parser-debricked-cyclonedx) must be installed on Fortify SSC, to allow for SSC to accept and process the Debricked scan results submitted by this action.
+
+### Action environment variable inputs
+
+{{include:env-ssc-debricked-scan.md}}
+
+{{include:env-setup.md}}
+
+### Sample usage
+
+The sample workflow below demonstrates how to configure the action for running a Debricked scan and publishing the results to Fortify SSC.
+
+```yaml
+    steps:    
+      - name: Check out source code
+        uses: actions/checkout@v4  
+      - name: Run Debricked Scan
+        uses: fortify/github-action/ssc-debricked-scan@{{var:action-major-version}}
+        env:
+{{include:nocomments.env-ssc-debricked-scan-sample.md}}
+{{include:nocomments.env-setup-sample.md}}
+```

doc-resources/env-sc-sast-login.md

@@ -1,5 +1,3 @@
-{{include:env-ssc-connection.md}}
-
 **`SC_SAST_TOKEN`** - REQUIRED    
 Required: ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller.
 

doc-resources/env-sc-sast-scan.md

@@ -1,6 +1,15 @@
+{{include:env-ssc-connection.md}}
+
+{{include:env-ssc-login.md}}
 
 {{include:env-sc-sast-login.md}}
 
+**`DO_DEBRICKED_SCAN`** - OPTIONAL    
+If set to `true`, this action will run both ScanCentral SAST and Debricked Software Composition Analysis (SCA) scans and publish both results to SSC. This is equivalent to setting the `debricked-sca-scan` input on the top-level `fortify/github-action` action. Note that this requires the [Fortify SSC Parser Plugin for Debricked results](https://github.com/fortify/fortify-ssc-parser-debricked-cyclonedx) to be installed on Fortify SSC, to allow for SSC to accept and process the Debricked scan results submitted by this action.
+
+**`DEBRICKED_TOKEN`** - REQUIRED*       
+Required when performing a Debricked Software Composition Analysis scan; see the [Generate access token](https://docs.debricked.com/product/administration/generate-access-token) section in the Debricked documentation for details on how to generate this token.
+
 {{include:env-ssc-appversion.md}}
 
 {{include:env-package.md}}

doc-resources/env-ssc-debricked-scan.md

@@ -0,0 +1,13 @@
+{{include:env-ssc-connection.md}}
+
+{{include:env-ssc-login.md}}
+
+**`DEBRICKED_TOKEN`** - REQUIRED          
+See the [Generate access token](https://docs.debricked.com/product/administration/generate-access-token) section in the Debricked documentation for details on how to generate this token.
+
+{{include:env-ssc-appversion.md}}
+
+**`DO_WAIT`** - OPTIONAL    
+By default, this action will complete immediately after Debricked scan results have been uploaded to SSC. To have the workflow wait until the Debricked results have been processed by SSC (potentially failing if the results cannot be successfully processed), set the `DO_WAIT` environment variable to `true`.
+
+For consistency with other actions, `DO_WAIT` is implied if `DO_EXPORT` is set to `true`, but since GitHub doesn't support importing Software Composition Analysis results, Debricked results will not be published to GitHub even if `DO_EXPORT` is set to `true`.

doc-resources/env-ssc-login.md

@@ -1,4 +1,2 @@
-{{include:env-ssc-connection.md}}
-
 **`EXTRA_SSC_LOGIN_OPTS`** - OPTIONAL    
 Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli ssc session login` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-ssc-session-login.html).

doc-resources/env-wait-export.md

@@ -2,4 +2,4 @@
 By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below.
 
 **`DO_EXPORT`** - OPTIONAL    
-If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository.
+If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository. Note that GitHub only supports importing SAST results; other results will not exported to GitHub.

doc-resources/nocomments.env-sc-sast-login-sample.md

@@ -1,3 +1,2 @@
-{{include:nocomments.env-ssc-connection-sample.md}}
           SC_SAST_TOKEN: ${{secrets.CLIENT_AUTH_TOKEN}}
           # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s

doc-resources/nocomments.env-sc-sast-scan-sample.md

@@ -1,6 +1,10 @@
+{{include:nocomments.env-ssc-connection-sample.md}}
+{{include:nocomments.env-ssc-login-sample.md}}
 {{include:nocomments.env-sc-sast-login-sample.md}}
 {{include:nocomments.env-ssc-appversion-sample.md}}
 {{include:nocomments.env-package-sample.md}}
           SC_SAST_SENSOR_VERSION: 23.2
+          # DO_DEBRICKED_SCAN: true  # Or debricked-sca-scan input on top-level action
+          # DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}}
           # DO_WAIT: true
           # DO_EXPORT: true

doc-resources/nocomments.env-ssc-debricked-scan-sample.md

@@ -0,0 +1,5 @@
+{{include:nocomments.env-ssc-connection-sample.md}}
+{{include:nocomments.env-ssc-login-sample.md}}
+{{include:nocomments.env-ssc-appversion-sample.md}}
+          DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}}
+          # DO_WAIT: true

doc-resources/nocomments.env-ssc-login-sample.md

@@ -0,0 +1 @@
+          # EXTRA_SSC_LOGIN_OPTS: --socket-timeout=60s

doc-resources/repo-readme.md

@@ -3,7 +3,7 @@ The [Fortify github-action repository]({{var:repo-url}}) hosts various Fortify-r
 **Fortify on Demand**
 
 * [`fortify/github-action`](#fortify-github-action)  
-  For now, this action provides the same functionality as the `fod-sast-scan` action listed below. Future versions may add support for running other types of scans or performing other FoD actions.
+  For now, this action provides the same functionality as the `fod-sast-scan` action listed below. Future versions may add support for running other types of scans or performing other FoD operations.
 * [`fortify/github-action/fod-sast-scan`](#fortify-github-action-fod-sast-scan)  
   Package source code, submit static application security testing (SAST) scan request to Fortify on Demand, optionally wait for completion and export results back to the GitHub Security dashboard.
 * [`fortify/github-action/package`](#fortify-github-action-package)  
@@ -13,12 +13,14 @@ The [Fortify github-action repository]({{var:repo-url}}) hosts various Fortify-r
 * [`fortify/github-action/setup`](#fortify-github-action-setup)  
   Install various Fortify tools like [fcli](https://github.com/fortify/fcli), [ScanCentral Client]({{var:sc-client-doc-base-url}}#A_Clients.htm), [FortifyVulnerabilityExporter](https://github.com/fortify/FortifyVulnerabilityExporter) and [FortifyBugTrackerUtility](https://github.com/fortify-ps/FortifyBugTrackerUtility) for use in your pipeline
 
-**Fortify Sofware Security Center (SSC) / ScanCentral SAST**
+**Fortify Sofware Security Center (SSC) / ScanCentral SAST / Debricked**
 
 * [`fortify/github-action`](#fortify-github-action)  
-  For now, this action provides the same functionality as the `sc-sast-scan` action listed below. Future versions may add support for running other types of scans or performing other SSC / ScanCentral actions.
+  Depending on inputs, this action will run either or both a ScanCentral SAST and Debricked Software Composition Analysis (SCA) scan and publish scan results to SSC. Future versions may add support for running other types of scans or performing other SSC / ScanCentral operations.
 * [`fortify/github-action/sc-sast-scan`](#fortify-github-action-sc-sast-scan)  
-  Package source code, submit SAST scan request to ScanCentral SAST, optionally wait for completion and export results back to the GitHub Security dashboard.
+  Run a ScanCentral SAST and optionally Debricked Software Composition Analysis scan by packaging source code, submitting ScanCentral SAST scan and optional Debricked scan request, and optionally waiting for completion and exporting SAST results back to the GitHub Security dashboard.
+* [`fortify/github-action/ssc-debricked-scan`](#fortify-github-action-ssc-debricked-scan)  
+  Run a Debricked Software Composition Analysis scan and publish scan results to SSC, optionally waiting for scan results to be fully processed on SSC.
 * [`fortify/github-action/package`](#fortify-github-action-package)  
   Package source code for running a SAST scan, using the latest version of ScanCentral Client.
 * [`fortify/github-action/ssc-export`](#fortify-github-action-ssc-export)  
@@ -39,7 +41,10 @@ The primary `fortify/github-action` action currently allows for running SAST sca
 **`sast-scan`** - OPTIONAL    
 When set to true, the action will run a SAST scan on either Fortify on Demand (if the `FOD_URL` environment variable has been specified), or on ScanCentral SAST (if the `SSC_URL` environment variable has been specified). This includes packaging the source code, running the scan, and optionally reporting SAST scan results back into GitHub. 
 
-If not specified or when set to false, no SAST scan will be performed. For now, this means that the action will complete without doing any work. Future versions of this action may provide additional inputs, for example allowing you to run a dynamic application security testing (DAST) scan instead of a SAST scan.
+If not specified or when set to false, no SAST scan will be performed. For FoD, this means that the action will complete without doing any work. For SSC, the action could still run a Debricked-only scan based on the `debricked-sca-scan` input as listed below. Future versions of this action may provide additional inputs, for example allowing you to run a dynamic application security testing (DAST) scan instead of (or in combination with) a SAST scan.
+
+**`debricked-sca-scan`** - OPTIONAL    
+(Not applicable to Fortify on Demand) When set to true, the action will run a Debricked Software Composition Analysis (SCA) scan and publish the results to Fortify SSC. You can either run a Debricked-only scan (`sast-scan` set to `false`), or both SAST and Debricked SCA scan if both inputs are set to `true`.
 
 ### Action environment variable inputs
 
@@ -49,12 +54,18 @@ If not specified or when set to false, no SAST scan will be performed. For now,
 
 {{include:env-setup.md}}
 
-#### ScanCentral SAST
+#### ScanCentral SAST with optional Debricked scan
 
 {{include:env-sc-sast-scan.md}}
 
 {{include:env-setup.md}}
 
+#### Debricked-only scan and publish to SSC
+
+{{include:env-ssc-debricked-scan.md}}
+
+{{include:env-setup.md}}
+
 ### Sample workflows
 
 The sample workflows below demonstrate how to configure the action for running a SAST scan on either Fortify on Demand or ScanCentral SAST.
@@ -74,7 +85,7 @@ The sample workflows below demonstrate how to configure the action for running a
 {{include:nocomments.env-setup-sample.md}}
 ```
 
-#### ScanCentral SAST
+#### ScanCentral SAST with optional Debricked scan
 
 ```yaml
     steps:    
@@ -84,11 +95,28 @@ The sample workflows below demonstrate how to configure the action for running a
         uses: fortify/github-action@{{var:action-major-version}}
         with:
           sast-scan: true
+          # debricked-sca-scan: true
         env:
 {{include:nocomments.env-sc-sast-scan-sample.md}}
 {{include:nocomments.env-setup-sample.md}}
 ```
 
+#### Debricked-only scan and publish to SSC
+
+```yaml
+    steps:    
+      - name: Check out source code
+        uses: actions/checkout@v4  
+      - name: Run Debricked Scan
+        uses: fortify/github-action@{{var:action-major-version}}
+        with:
+          sast-scan: false
+          debricked-sca-scan: true
+        env:
+{{include:nocomments.env-ssc-debricked-scan-sample.md}}
+{{include:nocomments.env-setup-sample.md}}
+```
+
 ### More information
 
 Depending on input, this action delegates to the appropriate sub-action(s). Please refer to the documentation of these actions for a more detailed description of action behavior & requirements:
@@ -132,6 +160,13 @@ Depending on input, this action delegates to the appropriate sub-action(s). Plea
 {{include:action-sc-sast-scan.md}}
 
 
+<a name="fortify-github-action-ssc-debricked-scan"></a>
+
+## fortify/github-action/ssc-debricked-scan
+
+{{include:action-ssc-debricked-scan.md}}
+
+
 <a name="fortify-github-action-ssc-export"></a>
 
 ## fortify/github-action/ssc-export

doc-resources/templates/ssc-debricked-scan/README.template.md

@@ -0,0 +1,11 @@
+# fortify/github-action/ssc-debricked-scan@{{var:action-major-version}} 
+
+{{include:p.marketing-intro.md}}
+
+{{include:action-ssc-debricked-scan.md}}
+
+{{include:h2.support.md}}
+
+---
+
+*[This document was auto-generated; do not edit by hand](https://github.com/fortify/shared-doc-resources/blob/main/USAGE.md)*

fod-sast-scan/README.md

@@ -21,8 +21,6 @@ The SAST and optional open source scan performed by this action consists of the
 * Optionally wait for the scan to complete
 * Optionally export scan results to the GitHub Code Scanning dashboard
 
-Before running this action, please ensure that the appropriate release has been created on FoD and has been configured for SAST scans. Future versions of this action may add support for automating app/release creation and scan setup. If open source scanning has been enabled in the FoD SAST scan configuration, be sure to pass the `-oss` option through the `EXTRA_PACKAGE_OPTS` environment variable.
-
 
 <!-- START-INCLUDE:action-prerequisites.md -->
 
@@ -38,6 +36,11 @@ This action assumes the standard software packages as provided by GitHub-hosted
 <!-- END-INCLUDE:action-prerequisites.md -->
 
 
+Apart from the generic action prerequisites listed above, the following prerequisites apply to this specific action:
+
+* The appropriate application release exists on FoD and has been configured for SAST scans. Future versions of this action may add support for automating app/release creation and scan setup.
+* If open source scanning has been enabled in the FoD SAST scan configuration, be sure to pass the `-oss` option through the `EXTRA_PACKAGE_OPTS` environment variable.
+
 ### Action environment variable inputs
 
 
@@ -102,7 +105,7 @@ Extra FoD SAST scan options; see [`fcli fod sast-scan start` documentation](http
 By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the `DO_WAIT` environment variable to `true`. Note that `DO_WAIT` is implied if `DO_EXPORT` is set to `true`; see below.
 
 **`DO_EXPORT`** - OPTIONAL    
-If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository.
+If set to `true`, this action will export scan results to the GitHub Security Code Scanning dashboard. Note that this may require a [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) subscription, unless you're running this action on a public github.com repository. Note that GitHub only supports importing SAST results; other results will not exported to GitHub.
 
 <!-- END-INCLUDE:env-wait-export.md -->
 

internal/fod-login/action.yml

@@ -10,9 +10,8 @@ runs:
     - uses: fortify/github-action/internal/[email protected]
       if: ${{ !env._FOD_LOGGED_IN }}
       with:
-        cwd: ${{ github.action_path }}
-        script: ./fod-login.sh
-        post: ./fod-logout.sh
+        script: fod-login.sh
+        post: fod-logout.sh
 
 branding:
   icon: 'shield'