Skip to content

Commit

Permalink
Update Fortify starter workflow
Browse files Browse the repository at this point in the history
  • Loading branch information
@rsenden
rsenden committed Nov 8, 2024
1 parent 1394e47 commit 4cbe535
Showing 1 changed file with 82 additions and 38 deletions.
120 changes: 82 additions & 38 deletions code-scanning/fortify.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,51 +34,95 @@ jobs:
actions: read
contents: read
security-events: write
# pull-requests: write # Required if DO_PR_COMMENT is set to true

steps:
# Check out source code
- name: Check Out Source Code
uses: actions/checkout@v4

# Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner.
- name: Setup Java
uses: actions/setup-java@v4
with:
java-version: 17
distribution: 'temurin'

# Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then
# optionally export SAST results to the GitHub code scanning dashboard. In case further customization is
# Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on
# configuration, the Fortify GitHub Action can optionally set up the application version/release, generate
# job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard.
# The Fortify GitHub Action provides many customization capabilities, but in case further customization is
# required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
# and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for
# details.
- name: Run FoD SAST Scan
uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418
# and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action
# documentation at https://github.com/fortify/github-action#readme for more information on the various
# configuration options and available sub-actions.
- name: Run Fortify Scan
# Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example
# uses the commit id corresponding to version 1.5.2. It is recommended to check whether any later releases
# are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability
# required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version
# of this action, allowing your workflows to automatically benefit from any new features and bug fixes.
uses: fortify/github-action@afb2d9e467caf7c6ad273799fc1b65ac492b0de2
with:
sast-scan: true
sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run
debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan
# is disabled). For SSC, run a Debricked scan and import results into SSC.
env:
### Required configuration when integrating with Fortify on Demand
FOD_URL: https://ams.fortify.com
FOD_TENANT: ${{secrets.FOD_TENANT}}
FOD_USER: ${{secrets.FOD_USER}}
#############################################################
##### Fortify on Demand configuration
##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below)
### Required configuration
FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret
FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required;
FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets.
FOD_PASSWORD: ${{secrets.FOD_PAT}}
### Optional configuration when integrating with Fortify on Demand
# EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if
# Debricked SCA scan is enabled on Fortify on Demand
# EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
# FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>; may
# replace app+release name with numeric release ID
# DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
# DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
# SSC_URL: ${{secrets.SSC_URL}} # SSC URL
# SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken
# SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token
# SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan;
# usually defined as organization or repo variable
### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
# EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
# SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: <org>/<repo>:<branch>
# EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options
# DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
# DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
# FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}}
# FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}}
### Optional configuration
# FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
# FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>
# DO_SETUP: true # Setup FoD application, release & static scan configuration
# SETUP_ACTION: <URL or file> # Customize setup action
# SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action
# PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options
# FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
# DO_JOB_SUMMARY: true # Generate workflow job summary
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
# EXPORT_ACTION: <URL or file> # Customize export action
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions

#############################################################
##### Fortify Hosted / Software Security Center & ScanCentral
##### Remove this section if you're integrating with Fortify on Demand (see above)
### Required configuration
SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret
SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets
SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled
DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled
SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled
### Optional configuration
# SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options
# SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
# SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: <org>/<repo>:<branch>
# DO_SETUP: true # Set up SSC application & version
# SETUP_ACTION: <URL or file> # Customize setup action
# SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action
# PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options
# EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
# DO_JOB_SUMMARY: true # Generate workflow job summary
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
# EXPORT_ACTION: <URL or file> # Customize export action
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions

0 comments on commit 4cbe535

Please sign in to comment.