2021-09-14 09:06:33 +02:00
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
2021-09-13 10:13:58 +02:00
################################################################################################################################################
2024-05-06 09:57:14 -04:00
# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your #
# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. #
2021-09-13 10:13:58 +02:00
# #
2024-05-06 09:57:14 -04:00
# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template #
# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security #
# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product #
# documentation. If you need additional assistance, please contact Fortify support. #
2021-09-13 10:13:58 +02:00
################################################################################################################################################
2024-05-06 09:57:14 -04:00
name : Fortify AST Scan
2021-09-13 10:13:58 +02:00
2024-05-06 09:57:14 -04:00
# Customize trigger events based on your DevSecOps process and/or policy
2021-09-13 10:13:58 +02:00
on :
push :
2024-05-06 09:57:14 -04:00
branches : [ $default-branch, $protected-branches ]
pull_request :
# The branches below must be a subset of the branches above
2021-09-13 10:29:38 +02:00
branches : [ $default-branch ]
2021-09-13 10:13:58 +02:00
schedule :
2021-09-22 14:12:39 +02:00
- cron : $cron-weekly
2024-05-06 09:57:14 -04:00
workflow_dispatch :
2021-09-13 10:13:58 +02:00
jobs :
2024-05-06 09:57:14 -04:00
Fortify-AST-Scan :
# Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc).
2021-09-13 10:13:58 +02:00
runs-on : ubuntu-latest
2021-09-13 10:29:38 +02:00
permissions :
actions : read
contents : read
security-events : write
2021-09-13 10:13:58 +02:00
steps :
# Check out source code
- name : Check Out Source Code
2024-01-03 02:09:21 -05:00
uses : actions/checkout@v4
2021-09-13 10:13:58 +02:00
2024-05-06 09:57:14 -04:00
# Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner.
2021-09-13 10:13:58 +02:00
- name : Setup Java
2024-05-06 09:57:14 -04:00
uses : actions/setup-java@v4
2021-09-13 10:13:58 +02:00
with :
2024-05-06 09:57:14 -04:00
java-version : 17
2022-03-28 13:10:48 -04:00
distribution : 'temurin'
2021-09-13 10:13:58 +02:00
2024-05-06 09:57:14 -04:00
# Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then
# optionally export SAST results to the GitHub code scanning dashboard. In case further customization is
# required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
# and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for
# details.
- name : Run FoD SAST Scan
uses : fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418
2021-09-13 10:13:58 +02:00
with :
2024-05-06 09:57:14 -04:00
sast-scan : true
env :
### Required configuration when integrating with Fortify on Demand
FOD_URL : https://ams.fortify.com
FOD_TENANT : ${{secrets.FOD_TENANT}}
FOD_USER : ${{secrets.FOD_USER}}
FOD_PASSWORD : ${{secrets.FOD_PAT}}
### Optional configuration when integrating with Fortify on Demand
# EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if
# Debricked SCA scan is enabled on Fortify on Demand
# EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
# FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>; may
# replace app+release name with numeric release ID
# DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
# DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
# SSC_URL: ${{secrets.SSC_URL}} # SSC URL
# SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken
# SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token
# SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan;
# usually defined as organization or repo variable
### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
# EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
# SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: <org>/<repo>:<branch>
# EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options
# DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
# DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard