diff --git a/code-scanning/fortify-on-demand.yml b/code-scanning/fortify-on-demand.yml index 2baf56b..4e3c3b6 100644 --- a/code-scanning/fortify-on-demand.yml +++ b/code-scanning/fortify-on-demand.yml @@ -17,10 +17,7 @@ name: Fortify on Demand Scan on: workflow_dispatch: push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] + branches: [ $default-branch ] schedule: - cron: '24 18 * * 5' @@ -29,13 +26,18 @@ jobs: # Use the appropriate runner for building your source code. # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write steps: # Check out source code - name: Check Out Source Code uses: actions/checkout@v2 - # Java 8 required by ScanCentral Client and FoD Uploader(Univeral CI Tool) + # Java is required to run the various Fortify utilities. + # When scanning a Java application, please use the appropriate Java version for building your application. - name: Setup Java uses: actions/setup-java@v1 with: @@ -64,29 +66,27 @@ jobs: - name: Perform SAST Scan run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" env: + FOD_URL: "https://ams.fortify.com/" + FOD_API_URL: "https://api.ams.fortify.com/" FOD_TENANT: ${{ secrets.FOD_TENANT }} FOD_USER: ${{ secrets.FOD_USER }} FOD_PAT: ${{ secrets.FOD_PAT }} FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} - FOD_URL: "https://ams.fortify.com/" - FOD_API_URL: "https://api.ams.fortify.com/" FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. - # TODO: Review Action inputs. For most users, these will be the same as used in the Perform SAST Scan step. - - name: Download Results - uses: fortify/gha-fod-generate-sarif@1.1.0 + - name: Export results to GitHub-optimized SARIF + uses: fortify/gha-export-vulnerabilities@v1 with: - base-url: https://ams.fortify.com - tenant: ${{ secrets.FOD_TENANT }} - user: ${{ secrets.FOD_USER }} - password: ${{ secrets.FOD_PAT }} - release-id: ${{ secrets.FOD_RELEASE_ID }} - output: ./sarif/output.sarif + fod_base_url: "https://ams.fortify.com/" + fod_tenant: ${{ secrets.FOD_TENANT }} + fod_user: ${{ secrets.FOD_USER }} + fod_password: ${{ secrets.FOD_PAT }} + fod_release_id: ${{ secrets.FOD_RELEASE_ID }} # Import Fortify on Demand results to GitHub Security Code Scanning - name: Import Results uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: ./sarif/output.sarif + sarif_file: ./gh-fortify-sast.sarif