Update fortify.yml #9
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Fortify Security Scan | |
| on: | |
| workflow_dispatch: | |
| push: | |
| # # Master or main branch that you want to trigger this workflow for | |
| branches: | |
| - master | |
| - github/* | |
| pull_request: | |
| # The branches below must be a subset of the branches above | |
| jobs: | |
| Fortif-SAST: | |
| runs-on: ubuntu-latest | |
| permissions: write-all | |
| env: | |
| APPLICATION: "WebGoat" | |
| VERSION: "${{ github.ref_name }}" | |
| # Requires GitHub Advanced Security | |
| PUBLISH_SECURITY_ALERTS: false | |
| steps: | |
| # Check out source code | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| - name: Set up JDK 11 | |
| uses: actions/setup-java@v3 | |
| with: | |
| java-version: '11' | |
| distribution: 'temurin' | |
| # Set up Fortify ScanCentral Client | |
| - name: Download Fortify Clients | |
| uses: fortify-ps/github-action/setup@main | |
| with: | |
| sc-client: latest | |
| # Retrieve FCLI | |
| - name: Install FCLI | |
| run: | | |
| wget -qO- https://github.com/fortify/fcli/releases/download/v2.0.0/fcli-linux.tgz | tar zxf - | |
| # Run SAST Scan | |
| - name: Fortify SAST Scan | |
| uses: agendry-pub/gha-ssc-ast-scan@v1 | |
| env: | |
| FCLI_DEFAULT_TOKEN_EXPIRE: "1h" | |
| FCLI_EXECUTABLE_LOCATION: . | |
| with: | |
| ssc_base_url: ${{ vars.FTFY_SSC_BASE_URL}} | |
| ssc_app: ${{ env.APPLICATION }} | |
| ssc_version: ${{ env.VERSION }} | |
| ssc_source_version: ${{ github.event.repository.default_branch }} | |
| # ssc_ci_token: ${{ secrets.FTFY_CI_TOKEN_ENC }} | |
| ssc_ci_username: ${{ secrets.FTFY_CI_USERNAME }} | |
| ssc_ci_password: ${{ secrets.FTFY_CI_PASSWORD }} | |
| sast_scan: true | |
| sast_client_auth_token: ${{ secrets.FTFY_SAST_CLIENT_TOKEN }} | |
| sast_build_options: "" | |
| security_gate_action: warn | |
| security_gate_filterset: Critical & High | |
| # summary_filterset: Critical & High | |
| gha_token: ${{ secrets.GITHUB_TOKEN }} | |
| copy_vulns: true | |
| - name: Export Fortify vulnerability data | |
| if: ${{ env.PUBLISH_SECURITY_ALERTS == 'true' }} | |
| uses: fortify/[email protected] | |
| with: | |
| ssc_base_url: ${FTFY_SSC_URL} | |
| ssc_auth_token: ${FTFY_CI_TOKEN_DEC} | |
| ssc_version_name: "${APPLICATION}:${VERSION}" | |
| # Import Fortify SAST results to GitHub Security Code Scanning | |
| - name: Import Results | |
| if: ${{ env.PUBLISH_SECURITY_ALERTS == 'true' }} | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: ./gh-fortify-sast.sarif | |
| # # Clean up tokens, session variables, ... | |
| # - name: Cleanup | |
| # if: always() | |
| # run: | | |
| # fcli config var def rm ${SHA}_sastscan | |
| # fcli sc-sast session logout --no-revoke-token | |
| # fcli ssc session logout --no-revoke-token |