diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml index c52b70e..01611e8 100644 --- a/code-scanning/fortify.yml +++ b/code-scanning/fortify.yml @@ -4,32 +4,31 @@ # documentation. ################################################################################################################################################ -# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# -# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # -# or contact our sales team, visit microfocus.com/appsecurity. # +# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your # +# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. # # # -# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.# -# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into # -# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against # -# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the # -# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional # -# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. # +# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template # +# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security # +# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product # +# documentation. If you need additional assistance, please contact Fortify support. # ################################################################################################################################################ -name: Fortify on Demand Scan +name: Fortify AST Scan -# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time +# Customize trigger events based on your DevSecOps process and/or policy on: - workflow_dispatch: push: + branches: [ $default-branch, $protected-branches ] + pull_request: + # The branches below must be a subset of the branches above branches: [ $default-branch ] schedule: - cron: $cron-weekly + workflow_dispatch: jobs: - FoD-SAST-Scan: - # Use the appropriate runner for building your source code. - # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. + Fortify-AST-Scan: + # Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc). runs-on: ubuntu-latest permissions: actions: read @@ -41,58 +40,45 @@ jobs: - name: Check Out Source Code uses: actions/checkout@v4 - # Java is required to run the various Fortify utilities. - # When scanning a Java application, please use the appropriate Java version for building your application. + # Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner. - name: Setup Java - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: - java-version: 8 + java-version: 17 distribution: 'temurin' - # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. - # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: - # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). - # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. - # ScanCentral has additional options that should be set for PHP and Python projects - # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. - # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ - - name: Download Fortify ScanCentral Client - uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3 - - name: Package Code + Dependencies - run: scancentral package $PACKAGE_OPTS -o package.zip - env: - PACKAGE_OPTS: "-bt mvn" - - # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java - # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints: - # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). - # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. - - name: Download Fortify on Demand Universal CI Tool - uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433 - - name: Perform SAST Scan - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" - env: - FOD_URL: "https://ams.fortify.com/" - FOD_API_URL: "https://api.ams.fortify.com/" - FOD_TENANT: ${{ secrets.FOD_TENANT }} - FOD_USER: ${{ secrets.FOD_USER }} - FOD_PAT: ${{ secrets.FOD_PAT }} - FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} - FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" - FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' - - # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. - - name: Export results to GitHub-optimized SARIF - uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b + # Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then + # optionally export SAST results to the GitHub code scanning dashboard. In case further customization is + # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools + # and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for + # details. + - name: Run FoD SAST Scan + uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418 with: - fod_base_url: "https://ams.fortify.com/" - fod_tenant: ${{ secrets.FOD_TENANT }} - fod_user: ${{ secrets.FOD_USER }} - fod_password: ${{ secrets.FOD_PAT }} - fod_release_id: ${{ secrets.FOD_RELEASE_ID }} - - # Import Fortify on Demand results to GitHub Security Code Scanning - - name: Import Results - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: ./gh-fortify-sast.sarif + sast-scan: true + env: + ### Required configuration when integrating with Fortify on Demand + FOD_URL: https://ams.fortify.com + FOD_TENANT: ${{secrets.FOD_TENANT}} + FOD_USER: ${{secrets.FOD_USER}} + FOD_PASSWORD: ${{secrets.FOD_PAT}} + ### Optional configuration when integrating with Fortify on Demand + # EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if + # Debricked SCA scan is enabled on Fortify on Demand + # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options + # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /:; may + # replace app+release name with numeric release ID + # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' + # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard + ### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral + # SSC_URL: ${{secrets.SSC_URL}} # SSC URL + # SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken + # SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token + # SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan; + # usually defined as organization or repo variable + ### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral + # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options + # SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: /: + # EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options + # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' + # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard diff --git a/code-scanning/properties/fortify.properties.json b/code-scanning/properties/fortify.properties.json index 100b4bb..9a7511c 100644 --- a/code-scanning/properties/fortify.properties.json +++ b/code-scanning/properties/fortify.properties.json @@ -1,7 +1,7 @@ { - "name": "Fortify on Demand Scan", - "creator": "Micro Focus", - "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.", + "name": "Fortify Scan", + "creator": "OpenText", + "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 33+ languages into your DevSecOps workflows.", "iconName": "fortify", - "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"] + "categories": ["Code Scanning", "ABAP", "ActionScript", "Bicep", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Dart", "Go", "HCL", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Solidity", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML", "YAML"] } diff --git a/icons/fortify.svg b/icons/fortify.svg index 45a0d77..7033960 100644 --- a/icons/fortify.svg +++ b/icons/fortify.svg @@ -1 +1,29 @@ - \ No newline at end of file + + + + + + + + + + + + + + + + + + + + + + + + + + + + +