chore: Doc & tool version updates, fix FoD scan setup
fix: Configure static scan on `DO_SETUP` if needed

fix: Improve FoD `SETUP_EXTRA_OPTS` documentation

fix: Update fcli to 2.1.0

fix: Update Debricked CLI to 2.4.0
rsenden committed Nov 21, 2024
1 parent c26f716 commit 9d54346
Showing 14 changed files with 68 additions and 65 deletions.
42 changes: 21 additions & 21 deletions README.md
@@ -0,0 +1,3 @@
# DO_SETUP: true
# SETUP_ACTION: https://scm.my.org/shared-repos/fcli-actions/setup.yaml
# SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}"
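Review bot: the new commented sample only shows `--copy-from` for `SETUP_EXTRA_OPTS`, while the `DO_SETUP` readme row rewritten in this same commit states that `--app-owner <user>` must (also) be passed before the action is allowed to create new applications. Consider adding a second commented line, e.g. `# SETUP_EXTRA_OPTS: --app-owner <user> --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}"`, so that users who copy the sample do not hit a setup failure on the first run for a repository whose application does not exist yet.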
2 changes: 1 addition & 1 deletion doc-resources/action/_root/readme.md
@@ -25,7 +25,7 @@ The standard workflow provided by this GitHub Action allows for running a Static
env:
{{include:action/_generic/fod/nocomments.snippet-fod-login.md}}
{{include:action/_generic/fod/nocomments.snippet-fod-release.md}}
{{include:action/_generic/nocomments.snippet-setup.md}}
{{include:action/_generic/fod/nocomments.snippet-fod-setup.md}}
{{include:action/package/nocomments.snippet-sc-client-version.md}}
{{include:action/package/nocomments.snippet-package-extra-opts.md}}
{{include:action/fod-sast-scan/nocomments.snippet-fod-sast-scan.md}}
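Review bot: replacing the generic `action/_generic/nocomments.snippet-setup.md` include with the FoD-specific `action/_generic/fod/nocomments.snippet-fod-setup.md` raises two follow-ups: confirm the new include target is among the 14 files changed in this commit (otherwise the README generator will fail or emit an unresolved `{{include:...}}`), and check whether the generic snippet is still referenced by any other (e.g. SSC) readme; if it is now orphaned, delete it here rather than leaving stale documentation in `doc-resources`.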
2 changes: 1 addition & 1 deletion doc-resources/action/fod-sast-scan/nocomments.env-setup.md
@@ -1 +1 @@
|DO_SETUP<br/>SETUP_ACTION<br/>SETUP_EXTRA_OPTS|If `DO_SETUP` is set to `true` (implied if any of the other two `SETUP_*` variables are set), the application and/or release will be automatically created if they do not yet exist and static scan settings will be configured if not configured already, using the fcli-provided [`setup-release`]({{var:fcli-doc-base-url}}fod-actions.html#_setup_release) or, if specified, the custom fcli action specified through `SETUP_ACTION`. Extra options for the fcli action can be passed through the `SETUP_EXTRA_OPTS` environment variable, for example to copy state from an existing release using the `--copy-from` option, or to allow an unsigned custom action to be used. If the application may need to be created and you are authenticating with client credentials, you must configure at least the `--app-owner` option. Note that if setup is enabled, `FOD_RELEASE` must be configured with a qualified release name; you cannot use release id. Please see the [Fcli Actions](#fortify-on-demand-fcli-actions) section below for more details.|
|DO_SETUP<br/>SETUP_ACTION<br/>SETUP_EXTRA_OPTS|If `DO_SETUP` is set to `true` (implied if any of the other two `SETUP_*` variables are set), the application and/or release will be automatically created if they do not yet exist and static scan settings will be configured if not configured already, using the fcli-provided [`setup-release`]({{var:fcli-doc-base-url}}fod-actions.html#_setup_release) or, if specified, the custom fcli action specified through `SETUP_ACTION`. Extra options for the fcli action can be passed through the `SETUP_EXTRA_OPTS` environment variable. Depending on your Git workflow, it is recommended to have each newly created release copy state from the release representing your default branch by passing `--copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}"` through `SETUP_EXTRA_OPTS`. To allow the GitHub Action to create new applications, you must (also) provide the `--app-owner <user>` option through `SETUP_EXTRA_OPTS`. Note that if setup is enabled, `FOD_RELEASE` must be configured with a qualified release name; you cannot use release id. Please see the [Fcli Actions](#fortify-on-demand-fcli-actions) section below for more details.|
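Review bot: the rewritten row drops two details from the previous text and it is not clear that both drops are intended. First, `--app-owner` was previously required only "if you are authenticating with client credentials"; the new sentence makes it unconditional, so either the qualification should be restored ("To allow the GitHub Action to create new applications when authenticating with client credentials, you must (also) provide ...") or the old text was wrong and the commit message should say so. Second, the mention that `SETUP_EXTRA_OPTS` is also where the option allowing an unsigned custom `SETUP_ACTION` goes has been removed, while the equivalent `EXPORT_EXTRA_OPTS` row in `fod-export/README.md` still documents it; keeping it here avoids an inconsistency between the two rows. Minor: "Depending on your Git workflow, it is recommended to" does not say which workflows the recommendation applies to, and "you cannot use release id" reads better as "a numeric release id cannot be used".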
2 changes: 1 addition & 1 deletion doc-resources/action/fod-sast-scan/readme.md
@@ -23,7 +23,7 @@ The sample workflow below demonstrates how to configure the action for running a
env:
{{include:action/_generic/fod/nocomments.snippet-fod-login.md}}
{{include:action/_generic/fod/nocomments.snippet-fod-release.md}}
{{include:action/_generic/nocomments.snippet-setup.md}}
{{include:action/_generic/fod/nocomments.snippet-fod-setup.md}}
{{include:action/package/nocomments.snippet-sc-client-version.md}}
{{include:action/package/nocomments.snippet-package-extra-opts.md}}
{{include:action/fod-sast-scan/nocomments.snippet-fod-sast-scan.md}}
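Review bot: this is the same include swap as in `doc-resources/action/_root/readme.md`; if any other FoD action readme under `doc-resources` still includes the generic setup snippet it should receive the same change in this commit, otherwise the generated READMEs will document `SETUP_EXTRA_OPTS` differently depending on which action page the reader lands on.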
2 changes: 1 addition & 1 deletion doc-resources/template-values.md
@@ -11,7 +11,7 @@ https://github.com/fortify/github-action
v1

# fcli-doc-base-url
https://fortify.github.io/fcli/v2.9.1/
https://fortify.github.io/fcli/v2.10.0/

# sc-client-version
24.4.0
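Review bot: the commit message says "Update fcli to 2.1.0", but this hunk bumps `fcli-doc-base-url` from `v2.9.1` to `v2.10.0`; the message looks like a typo for 2.10.0 and is worth fixing before merge, since it will otherwise be misleading in the changelog. Also, this only moves the documentation links; the fcli version the action actually installs is not visible in this hunk, so double-check it is bumped in the same commit, otherwise the linked manpages will describe options the installed fcli does not have.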
6 changes: 3 additions & 3 deletions fod-export/README.md
@@ -65,9 +65,9 @@ This section lists the environment variables that can be specified in the `env:`
| **FOD_URL** | Fortify on Demand URL, for example https://ams.fortify.com. Note: Using GitHub Secrets to define this URL may cause links back to Fortify on Demand to be rendered incorrectly, for example in GitHub Action job summaries. It is highly recommended to either hard-code the URL in your workflow, or to use [GitHub Variables](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables) instead of GitHub Secrets. |
| **FOD_CLIENT_ID**<br>**FOD_CLIENT_SECRET** | Required when authenticating with an API key: Fortify on Demand Client ID (API key) and Secret (API secret). |
| **FOD_TENANT**<br/>**FOD_USER**<br/>**FOD_PASSWORD** | Required when authenticating with user credentials: Fortify on Demand tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password. |
| FOD_LOGIN_EXTRA_OPTS<br/>EXTRA_FOD_LOGIN_OPTS | Extra login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation](https://fortify.github.io/fcli/v2.9.1//manpage/fcli-fod-session-login.html) . Note that `EXTRA_FOD_LOGIN_OPTS` is deprecated; please use `FOD_LOGIN_EXTRA_OPTS`.|
| FOD_LOGIN_EXTRA_OPTS<br/>EXTRA_FOD_LOGIN_OPTS | Extra login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli fod session login` documentation](https://fortify.github.io/fcli/v2.10.0//manpage/fcli-fod-session-login.html) . Note that `EXTRA_FOD_LOGIN_OPTS` is deprecated; please use `FOD_LOGIN_EXTRA_OPTS`.|
| FOD_RELEASE | Fortify on Demand release to use with this action. This can be specified either as a numeric release id, `<app-name>:<release-name>` (for non-microservices applications) or `<app-name>:<microservice-name>:<release-name>` (for microservices applications). Default value is based on repository and branch name, for example `myOrg/myRepo:myBranch`. Note that you'll need to explicitly configure `FOD_RELEASE` for microservices applications, as the default value lacks a microservice name. |
| EXPORT_ACTION<br/>EXPORT_EXTRA_OPTS | This GitHub Action will will export scan results to the GitHub Security Code Scanning dashboard using the fcli-provided [`github-sast-report`](https://fortify.github.io/fcli/v2.9.1/fod-actions.html#_github_sast_report) action or, if specified, the custom fcli action specified through `EXPORT_ACTION`. Extra options for the fcli action can be passed through the `EXPORT_EXTRA_OPTS` environment variable, for example to to allow an unsigned custom action to be used. Please see the [Fcli Actions](#fortify-on-demand-fcli-actions) section below for more details. |
| EXPORT_ACTION<br/>EXPORT_EXTRA_OPTS | This GitHub Action will will export scan results to the GitHub Security Code Scanning dashboard using the fcli-provided [`github-sast-report`](https://fortify.github.io/fcli/v2.10.0/fod-actions.html#_github_sast_report) action or, if specified, the custom fcli action specified through `EXPORT_ACTION`. Extra options for the fcli action can be passed through the `EXPORT_EXTRA_OPTS` environment variable, for example to to allow an unsigned custom action to be used. Please see the [Fcli Actions](#fortify-on-demand-fcli-actions) section below for more details. |
| TOOL_DEFINITIONS | Fortify tool definitions are used by this GitHub Action to determine available versions, download location and other details of various Fortify-related tools, as required for action execution. By default, the Fortify-provided tool definitions hosted at https://github.com/fortify/tool-definitions/releases/tag/v1 will be used.<br/><br/>This environment variable allows for overriding the default tool definitions, pointing to either a URL or local (workspace) file. For example, if GitHub workflows are not allowed to download tools from their public internet locations, customers may host the tool installation bundles on an internal server, together with a customized tool definitions bundle that lists the alternative download URLs. |


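Review bot: the two rows touched here carry over existing typos that should be fixed while the lines are being edited: "will will export" and "for example to to allow" in the `EXPORT_ACTION` row. The `FOD_LOGIN_EXTRA_OPTS` row also keeps the doubled slash in `https://fortify.github.io/fcli/v2.10.0//manpage/...`; since the `fcli-doc-base-url` value in `doc-resources/template-values.md` already ends in `/`, the include that builds this link must add a second one. Because this README is generated from `doc-resources`, all three fixes belong in the source templates rather than in this file.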
@@ -82,7 +82,7 @@ This section lists the environment variables that can be specified in the `env:`

As indicated in the [Action environment variable inputs](#action-environment-variable-inputs) section above, this GitHub Action utilizes one or more fcli actions to perform certain activities. These fcli-provided actions are used as building blocks that can be re-used across different CI/CD platforms to provide consistent behavior across those platforms. This GitHub Action also provides the ability to override the default built-in fcli actions with custom fcli actions, allowing for rich customization capabilities. For example, such custom fcli actions could define different default values for some action options, perform some additional activities, and/or provide fully customized behavior.

For more information on fcli actions and custom action development, please see the [fcli action documentation](https://fortify.github.io/fcli/v2.9.1/#_actions). Such custom actions may be hosted either on the local file system (for example stored in your source code repository) or some remote location; the `*_ACTION` environment variables may point to either a local file or URL. To easily share custom actions across multiple pipelines, you may want to consider hosting these in a dedicated source code repository that's accessible by all pipelines. This provides an easy hosting location, and allows for easy maintenance of such custom actions.
For more information on fcli actions and custom action development, please see the [fcli action documentation](https://fortify.github.io/fcli/v2.10.0/#_actions). Such custom actions may be hosted either on the local file system (for example stored in your source code repository) or some remote location; the `*_ACTION` environment variables may point to either a local file or URL. To easily share custom actions across multiple pipelines, you may want to consider hosting these in a dedicated source code repository that's accessible by all pipelines. This provides an easy hosting location, and allows for easy maintenance of such custom actions.

<!-- END-INCLUDE:action/_generic/fcli-actions.md -->
