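# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

################################################################################################################################################
# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your #
# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. #
# #
# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template #
# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security #
# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product #
# documentation. If you need additional assistance, please contact Fortify support. #
################################################################################################################################################

name: Fortify AST Scan

# Customize trigger events based on your DevSecOps process and/or policy
on:
  push:
    branches: [ $default-branch, $protected-branches ]
  # GitHub does not pass repository secrets to pull_request runs that originate from a fork, so the Fortify
  # credentials configured below are empty for those runs and the scan step cannot authenticate. Do not work
  # around this with pull_request_target plus a checkout of the PR head: that combination runs untrusted code
  # with these secrets available.
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ $default-branch ]
  schedule:
    - cron: $cron-weekly
  workflow_dispatch:

jobs:
  Fortify-AST-Scan:
    # Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc).
    runs-on: ubuntu-latest
    # Job-level GITHUB_TOKEN scopes; any scope not listed here is set to 'none' for this job.
    permissions:
      actions: read
      contents: read
      security-events: write
      # pull-requests: write  # Required if DO_PR_COMMENT is set to true

    steps:
      # Check out source code
      - name: Check Out Source Code
        # 'v4' is a movable tag; pin to a full commit id if your policy requires immutable action references.
        uses: actions/checkout@v4
        with:
          # actions/checkout@v4 otherwise stores the job token in the checked-out repository's local git
          # configuration, and the next step packages this workspace for upload to the Fortify service.
          # NOTE(review): confirm nothing later in your job needs authenticated git access before keeping this.
          persist-credentials: false

      # Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on
      # configuration, the Fortify GitHub Action can optionally set up the application version/release, generate
      # job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard.
      # The Fortify GitHub Action provides many customization capabilities, but in case further customization is
      # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
      # and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action
      # documentation at https://github.com/fortify/github-action#readme for more information on the various
      # configuration options and available sub-actions.
      - name: Run Fortify Scan
        # Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example
        # uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases
        # are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability
        # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version
        # of this action, allowing your workflows to automatically benefit from any new features and bug fixes.
        # Trade-off: a moving tag such as @v1 can point at new code without any change in this repository, and
        # this step runs with the Fortify credentials below in its environment; a commit id keeps the executed
        # code fixed to what was reviewed.
        uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297
        with:
          sast-scan: true           # Run a SAST scan; if not specified or set to false, no SAST scan will be run
          debricked-sca-scan: true  # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan
                                    # is disabled). For SSC, run a Debricked scan and import results into SSC.
        env:
          # The '--on-unsigned=ignore' values shown in the optional *_EXTRA_OPTS examples below relax the
          # signature check on a custom action supplied through the matching *_ACTION setting; only combine the
          # two for an action URL or file that you control. (NOTE(review): confirm exact semantics in the fcli docs.)
          #############################################################
          ##### Fortify on Demand configuration
          ##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below)
          ### Required configuration
          FOD_URL: https://ams.fortify.com       # Must be hardcoded or configured through GitHub variable, not secret
          FOD_TENANT: ${{secrets.FOD_TENANT}}    # Either tenant/user/password or client id/secret are required;
          FOD_USER: ${{secrets.FOD_USER}}        # these should be configured through GitHub secrets.
          FOD_PASSWORD: ${{secrets.FOD_PAT}}
          # FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}}
          # FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}}
          ### Optional configuration
          # FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s      # Extra 'fcli fod session login' options
          # FOD_RELEASE: MyApp:MyRelease                    # FoD release name, default: <org>/<repo>:<branch>
          # DO_SETUP: true                                  # Setup FoD application, release & static scan configuration
          # SETUP_ACTION: <URL or file>                     # Customize setup action
          # Pass extra options to setup action:
          # SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}"
          # PACKAGE_EXTRA_OPTS: -oss -bt mvn                # Extra 'scancentral package' options
          # FOD_SAST_SCAN_EXTRA_OPTS:                       # Extra 'fcli fod sast-scan start' options
          # DO_WAIT: true                                   # Wait for successful scan completion (implied if post-scan actions enabled)
          # DO_POLICY_CHECK: true                           # Fail pipeline if security policy outcome is FAIL
          # POLICY_CHECK_ACTION: <URL or file>              # Customize security policy checks
          # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore   # Pass extra options to policy check action
          # DO_JOB_SUMMARY: true                            # Generate workflow job summary
          # JOB_SUMMARY_ACTION: <URL or file>               # Customize job summary
          # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore    # Pass extra options to job summary action
          # DO_PR_COMMENT: true                             # Generate PR comments, only used on pull_request triggers
          # PR_COMMENT_ACTION: <URL or file>                # Customize PR comments
          # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore     # Pass extra options to PR comment action
          # DO_EXPORT: true                                 # Export vulnerability data to GitHub code scanning dashboard
          # EXPORT_ACTION: <URL or file>                    # Customize export action
          # EXPORT_EXTRA_OPTS: --on-unsigned=ignore         # Pass extra options to export action
          # TOOL_DEFINITIONS: <URL>                         # URL from where to retrieve Fortify tool definitions

          #############################################################
          ##### Fortify Hosted / Software Security Center & ScanCentral
          ##### Remove this section if you're integrating with Fortify on Demand (see above)
          ### Required configuration
          SSC_URL: ${{vars.SSC_URL}}                          # Must be hardcoded or configured through GitHub variable, not secret
          SSC_TOKEN: ${{secrets.SSC_TOKEN}}                   # SSC CIToken; credentials should be configured through GitHub secrets
          SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}}    # ScanCentral SAST client_auth_token, required if SAST scan is enabled
          DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}}       # Debricked token, required if Debricked scan is enabled
          # Quoted so the version is always read as a string.
          SC_SAST_SENSOR_VERSION: "24.4.0"                    # Sensor version to use for the scan, required if SAST scan is enabled
          ### Optional configuration
          # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s      # Extra 'fcli ssc session login' options
          # SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s  # Extra 'fcli sc-sast session login' options
          # SSC_APPVERSION: MyApp:MyVersion                 # SSC application version name, default: <org>/<repo>:<branch>
          # DO_SETUP: true                                  # Set up SSC application & version
          # SETUP_ACTION: <URL or file>                     # Customize setup action
          # SETUP_EXTRA_OPTS: --on-unsigned=ignore          # Pass extra options to setup action
          # PACKAGE_EXTRA_OPTS: -bt mvn                     # Extra 'scancentral package' options
          # EXTRA_SC_SAST_SCAN_OPTS:                        # Extra 'fcli sc-sast scan start' options
          # DO_WAIT: true                                   # Wait for successful scan completion (implied if post-scan actions enabled)
          # DO_POLICY_CHECK: true                           # Fail pipeline if security policy outcome is FAIL
          # POLICY_CHECK_ACTION: <URL or file>              # Customize security policy checks
          # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore   # Pass extra options to policy check action
          # DO_JOB_SUMMARY: true                            # Generate workflow job summary
          # JOB_SUMMARY_ACTION: <URL or file>               # Customize job summary
          # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore    # Pass extra options to job summary action
          # DO_PR_COMMENT: true                             # Generate PR comments, only used on pull_request triggers
          # PR_COMMENT_ACTION: <URL or file>                # Customize PR comments
          # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore     # Pass extra options to PR comment action
          # DO_EXPORT: true                                 # Export vulnerability data to GitHub code scanning dashboard
          # EXPORT_ACTION: <URL or file>                    # Customize export action
          # EXPORT_EXTRA_OPTS: --on-unsigned=ignore         # Pass extra options to export action
          # TOOL_DEFINITIONS: <URL>                         # URL from where to retrieve Fortify tool definitions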