From 54988e9e75848d92c2354f1cf0153ed55e2c70ed Mon Sep 17 00:00:00 2001
From: Alex Gendry <alex.gendry@microfocus.com>
Date: Tue, 7 Nov 2023 11:35:19 +0100
Subject: [PATCH] Update fortify.yml

---
 .github/workflows/fortify.yml | 75 +++++++++++++++++++++++++++--------
 1 file changed, 59 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml
index b29adc8..ef8c328 100644
--- a/.github/workflows/fortify.yml
+++ b/.github/workflows/fortify.yml
@@ -11,12 +11,17 @@ on:
 
 jobs:
   Fortif-SAST:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
+    container:
+      image: maven
     permissions: write-all
     env:
-      APPLICATION: "${{ github.event.repository.name }}"
+      APPLICATION: "WebGoat"
       VERSION: "${{ github.ref_name }}"
 
+      # Requires GitHub Advanced Security
+      PUBLISH_SECURITY_ALERTS: false
+
     steps:
       # Check out source code
       - name: Checkout repository
@@ -28,22 +33,60 @@ jobs:
           java-version: '11'
           distribution: 'temurin'
 
-      - name: Run ScanCentral SAST Scan
-        uses: fortify/github-action@v1
+
+      # Set up Fortify ScanCentral Client
+      - name: Download Fortify Clients
+        uses: fortify-ps/github-action/setup@main
         with:
-          sast-scan: true
+          sc-client: latest
+
+      # Retrieve FCLI
+      - name: Install FCLI
+        run: |
+          wget -qO- https://github.com/fortify/fcli/releases/download/v2.0.0/fcli-linux.tgz | tar zxf -
+
+      # Run SAST Scan
+      - name: Fortify SAST Scan
+        uses: agendry-pub/gha-ssc-ast-scan@v1
         env:
-          SSC_URL: ${{vars.FTFY_SSC_BASE_URL}}
-          SSC_TOKEN: ${{secrets.FTFY_CI_TOKEN_ENC}}
-          SSC_USER: ${{secrets.FTFY_CI_USERNAME}}
-          SSC_PASSWORD: ${{secrets.FTFY_CI_PASSWORD}}
-          SC_SAST_TOKEN : ${{secrets.FTFY_SAST_CLIENT_TOKEN}}
-          SC_SAST_SENSOR_VERSION: 23.1
-          # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s
-          SSC_APPVERSION: WebGoat:${{ github.ref_name }}
-          #EXTRA_PACKAGE_OPTS: -bt mvn -q
-          DO_WAIT: true
-          DO_EXPORT: true
+          FCLI_DEFAULT_TOKEN_EXPIRE: "1h"
+          FCLI_EXECUTABLE_LOCATION: .
+        with:
+          ssc_base_url: ${{ vars.FTFY_SSC_BASE_URL}}
+          ssc_app: ${{ env.APPLICATION }}
+          ssc_version: ${{ env.VERSION }}
+          ssc_source_version: ${{ github.event.repository.default_branch }}
+          # ssc_ci_token: ${{ secrets.FTFY_CI_TOKEN_ENC }}
+          ssc_ci_username: ${{ secrets.FTFY_CI_USERNAME }}
+          ssc_ci_password:  ${{ secrets.FTFY_CI_PASSWORD }}
+          sast_scan: true
+          sast_client_auth_token: ${{ secrets.FTFY_SAST_CLIENT_TOKEN }}
+          sast_build_options: ""
+          security_gate_action: warn
+          security_gate_filterset: Critical & High
+            #          summary_filterset: Critical & High
+          gha_token: ${{ secrets.GITHUB_TOKEN }}
+          copy_vulns: true
 
+      - name: Export Fortify vulnerability data
+        if: ${{ env.PUBLISH_SECURITY_ALERTS == 'true' }}
+        uses: fortify/gha-export-vulnerabilities@v1.0.0
+        with:
+          ssc_base_url: ${FTFY_SSC_URL}
+          ssc_auth_token: ${FTFY_CI_TOKEN_DEC}
+          ssc_version_name: "${APPLICATION}:${VERSION}"
 
+      # Import Fortify SAST results to GitHub Security Code Scanning
+      - name: Import Results
+        if: ${{ env.PUBLISH_SECURITY_ALERTS == 'true' }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ./gh-fortify-sast.sarif
 
+        #      # Clean up tokens, session variables, ...
+        #      - name: Cleanup
+        #        if: always()
+        #        run: |
+        #          fcli config var def rm ${SHA}_sastscan
+        #          fcli sc-sast session logout --no-revoke-token
+        #          fcli ssc session logout --no-revoke-token