Skip to content
Fortify AST Scan

Create fortify.yml #2

Sign in to view logs

Create fortify.yml

Create fortify.yml #2

Workflow file for this run

.github/workflows/fortify.yml at f12e9e6
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
################################################################################################################################################
# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your #
# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. #
# #
# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template #
# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security #
# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product #
# documentation. If you need additional assistance, please contact Fortify support. #
################################################################################################################################################
name: Fortify AST Scan
# Customize trigger events based on your DevSecOps process and/or policy
on:
pull_request:
branches: [ "master", "flex", "next", "release.*" ]
workflow_dispatch:
jobs:
Fortify-AST-Scan:
# Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc).
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
# pull-requests: write # Required if DO_PR_COMMENT is set to true
steps:
# Check out source code
- name: Check Out Source Code
uses: actions/checkout@v4
# Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on
# configuration, the Fortify GitHub Action can optionally set up the application version/release, generate
# job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard.
# The Fortify GitHub Action provides many customization capabilities, but in case further customization is
# required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
# and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action
# documentation at https://github.com/fortify/github-action#readme for more information on the various
# configuration options and available sub-actions.
- name: Run Fortify Scan
# Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example
# uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases
# are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability
# required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version
# of this action, allowing your workflows to automatically benefit from any new features and bug fixes.
uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297
with:
sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run
debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan
# is disabled). For SSC, run a Debricked scan and import results into SSC.
env:
#############################################################
##### Fortify on Demand configuration
##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below)
### Required configuration
FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret
FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required;
FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets.
FOD_PASSWORD: ${{secrets.FOD_PAT}}
# FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}}
# FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}}
### Optional configuration
# FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
FOD_RELEASE: 25.03 # FoD release name, default: <org>/<repo>:<branch>
# DO_SETUP: true # Setup FoD application, release & static scan configuration
# SETUP_ACTION: <URL or file> # Customize setup action
# Pass extra options to setup action:
# SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}"
# PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options
# FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
# DO_JOB_SUMMARY: true # Generate workflow job summary
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
# EXPORT_ACTION: <URL or file> # Customize export action
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions