Create fortify.yml

.github/workflows/fortify.yml

@@ -0,0 +1,49 @@
+name: Fortify Security Scan
+on:
+  workflow_dispatch:
+  push:
+#    # Master or main branch that you want to trigger this workflow for
+   branches:
+     - master
+     - github/*
+  pull_request:
+    # The branches below must be a subset of the branches above
+
+jobs:
+  Fortif-SAST:
+    runs-on: self-hosted
+    container:
+      image: maven
+    permissions: write-all
+    env:
+      APPLICATION: "${{ github.event.repository.name }}"
+      VERSION: "${{ github.ref_name }}"
+
+    steps:
+      # Check out source code
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@v3
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+
+      - name: Run ScanCentral SAST Scan
+        uses: fortify/github-action@v1
+        with:
+          sast-scan: true
+        env:
+          SSC_URL: ${{vars.FTFY_SSC_BASE_URL}}
+          SSC_TOKEN: ${{secrets.FTFY_CI_TOKEN_ENC}}
+          SC_SAST_TOKEN : ${{secrets.FTFY_SAST_CLIENT_TOKEN}}
+          SC_SAST_SENSOR_VERSION: 23.1
+          # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s
+          SSC_APPVERSION: WebGoat:${{ github.ref_name }}
+          EXTRA_PACKAGE_OPTS: -bt mvn -q
+          DO_WAIT: true
+          DO_EXPORT: true
+
+
+