|
| 1 | +# This workflow uses actions that are not certified by GitHub. |
| 2 | +# They are provided by a third-party and are governed by |
| 3 | +# separate terms of service, privacy policy, and support |
| 4 | +# documentation. |
| 5 | + |
| 6 | +################################################################################################################################################ |
| 7 | +# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your # |
| 8 | +# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. # |
| 9 | +# # |
| 10 | +# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template # |
| 11 | +# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security # |
| 12 | +# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product # |
| 13 | +# documentation. If you need additional assistance, please contact Fortify support. # |
| 14 | +################################################################################################################################################ |
| 15 | + |
| 16 | +name: Fortify AST Scan |
| 17 | + |
| 18 | +# Customize trigger events based on your DevSecOps process and/or policy |
| 19 | +on: |
| 20 | + push: |
| 21 | + branches: |
| 22 | + - master |
| 23 | + pull_request: |
| 24 | + # The branches below must be a subset of the branches above |
| 25 | + branches: |
| 26 | + - master |
| 27 | + schedule: |
| 28 | + - cron: '07 15 * * 5' |
| 29 | + workflow_dispatch: |
| 30 | + |
| 31 | +jobs: |
| 32 | + Fortify-AST-Scan: |
| 33 | + # Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc). |
| 34 | + runs-on: ubuntu-latest |
| 35 | + permissions: |
| 36 | + actions: read |
| 37 | + contents: read |
| 38 | + security-events: write |
| 39 | + # pull-requests: write # Required if DO_PR_COMMENT is set to true |
| 40 | + |
| 41 | + steps: |
| 42 | + # Check out source code |
| 43 | + - name: Check Out Source Code |
| 44 | + uses: actions/checkout@v4 |
| 45 | + |
| 46 | + # Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on |
| 47 | + # configuration, the Fortify GitHub Action can optionally set up the application version/release, generate |
| 48 | + # job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard. |
| 49 | + # The Fortify GitHub Action provides many customization capabilities, but in case further customization is |
| 50 | + # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools |
| 51 | + # and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action |
| 52 | + # documentation at https://github.com/fortify/github-action#readme for more information on the various |
| 53 | + # configuration options and available sub-actions. |
| 54 | + - name: Run Fortify Scan |
| 55 | + # Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example |
| 56 | + # uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases |
| 57 | + # are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability |
| 58 | + # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version |
| 59 | + # of this action, allowing your workflows to automatically benefit from any new features and bug fixes. |
| 60 | + uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297 |
| 61 | + with: |
| 62 | + sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run |
| 63 | + debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan |
| 64 | + # is disabled). For SSC, run a Debricked scan and import results into SSC. |
| 65 | + env: |
| 66 | + ############################################################# |
| 67 | + ##### Fortify on Demand configuration |
| 68 | + ##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below) |
| 69 | + ### Required configuration |
| 70 | + FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret |
| 71 | + FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required; |
| 72 | + FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets. |
| 73 | + FOD_PASSWORD: ${{secrets.FOD_PAT}} |
| 74 | + # FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}} |
| 75 | + # FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}} |
| 76 | + ### Optional configuration |
| 77 | + # FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options |
| 78 | + # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch> |
| 79 | + # DO_SETUP: true # Setup FoD application, release & static scan configuration |
| 80 | + # SETUP_ACTION: <URL or file> # Customize setup action |
| 81 | + # Pass extra options to setup action: |
| 82 | + # SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}" |
| 83 | + # PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options |
| 84 | + # FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options |
| 85 | + # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled) |
| 86 | + # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL |
| 87 | + # POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks |
| 88 | + # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action |
| 89 | + # DO_JOB_SUMMARY: true # Generate workflow job summary |
| 90 | + # JOB_SUMMARY_ACTION: <URL or file> # Customize job summary |
| 91 | + # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action |
| 92 | + # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers |
| 93 | + # PR_COMMENT_ACTION: <URL or file> # Customize PR comments |
| 94 | + # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action |
| 95 | + # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard |
| 96 | + # EXPORT_ACTION: <URL or file> # Customize export action |
| 97 | + # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action |
| 98 | + # TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions |
| 99 | + |
| 100 | + ############################################################# |
| 101 | + ##### Fortify Hosted / Software Security Center & ScanCentral |
| 102 | + ##### Remove this section if you're integrating with Fortify on Demand (see above) |
| 103 | + ### Required configuration |
| 104 | + SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret |
| 105 | + SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets |
| 106 | + SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled |
| 107 | + DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled |
| 108 | + SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled |
| 109 | + ### Optional configuration |
| 110 | + # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options |
| 111 | + # SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options |
| 112 | + # SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: <org>/<repo>:<branch> |
| 113 | + # DO_SETUP: true # Set up SSC application & version |
| 114 | + # SETUP_ACTION: <URL or file> # Customize setup action |
| 115 | + # SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action |
| 116 | + # PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options |
| 117 | + # EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options |
| 118 | + # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled) |
| 119 | + # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL |
| 120 | + # POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks |
| 121 | + # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action |
| 122 | + # DO_JOB_SUMMARY: true # Generate workflow job summary |
| 123 | + # JOB_SUMMARY_ACTION: <URL or file> # Customize job summary |
| 124 | + # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action |
| 125 | + # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers |
| 126 | + # PR_COMMENT_ACTION: <URL or file> # Customize PR comments |
| 127 | + # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action |
| 128 | + # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard |
| 129 | + # EXPORT_ACTION: <URL or file> # Customize export action |
| 130 | + # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action |
| 131 | + # TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions |
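Review bot: The `pull_request` trigger (gutter 23) combined with the secret-backed `env:` block (gutter 71-73, 105-107) means the Fortify step will run without credentials on pull requests from forks, where GitHub supplies no repository secrets and downgrades `security-events: write` to read, so the scan step fails rather than being skipped. A job-level guard such as `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` would make that explicit instead of leaving it to the action's login error. Separately, the two comment blocks at gutter 68 and 102 each say to remove the other section, yet both the FoD and SSC/ScanCentral configurations are committed active, so `FOD_URL` and `SSC_URL` are set at the same time; which backend the action then chooses is not visible from this file and is presumably its own precedence rule, so the unused section (and its secret references) should be deleted as the template instructs. Minor consistency point: `fortify/github-action` is pinned to a commit SHA while `actions/checkout@v4` is pinned to a mutable tag; pinning both the same way keeps the supply-chain posture uniform.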