Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your software supply chain. As the sole Code Security solution with over two decades of expertise and acknowledged as a market leader by all major analysts, Fortify delivers the most adaptable, precise, and scalable AppSec platform available, supporting the breadth of tech you use and integrated into your preferred toolchain. We firmly believe that your great code demands great security, and with Fortify, go beyond 'check the box' security to achieve that.
This is still work in progress and should not be used for production purposes. It requires new fcli features that have not yet been released. To test, you will need the fcli development release located here: https://github.com/fortify/fcli/releases/tag/dev_feat.ci-updates
You have two options:
- Manually pre-install fcli from the link above, then run
npx @fortify/setup config --fcli-path=<path to pre-installed fcli> - Configure
@fortify/setupwith the proper download URL, for example, for Linux,npx @fortify/setup config --fcli-url=https://github.com/fortify/fcli/releases/download/dev_feat.ci-updates/fcli-linux.tgz
Once you've configured the above, you can use npx @fortify/setup install to bootstrap fcli and install Fortify tools, followed by npx @fortify/setup env to generate appropriate environment variables. Note that the latter will still undergo significant changes on the fcli side.
The @fortify/setup npm package provides a lightweight, zero-dependency utility for bootstrapping fcli and running the fortify-setup action in any environment.
Key Features:
- Bootstrap fcli automatically from GitHub releases with signature verification
- Zero runtime dependencies for minimal attack surface
- Intelligent caching with CI/CD environment auto-detection
- Multi-platform support (Linux, macOS, Windows)
- Three-tier configuration (file, environment variables, CLI arguments)
- CI/CD tool cache integration (GitHub Actions, Azure DevOps, GitLab)
- Simple command structure:
configure,refresh-cache,clear-cache,install - TypeScript library API for building custom integrations
- Complete examples for GitHub Actions, Azure DevOps, and GitLab CI
Use Cases:
- CI/CD Pipelines: Automatically set up Fortify tools in GitHub Actions, Azure DevOps, GitLab CI
- Custom Integrations: Build platform-specific wrappers using the TypeScript API
- Local Development: Configure once, use cached fcli for fast repeated runs
- Docker: Bootstrap fcli in containerized environments
- Air-gapped Environments: Use pre-installed fcli or custom download locations
- Release Notes: https://github.com/fortify/fortify-setup-js/releases
- GitHub Repository: https://github.com/fortify/fortify-setup-js
- Online Documentation: https://fortify.github.io/fortify-setup-js
- Fcli Documentation: https://github.com/fortify/fcli
- Contributing Guidelines: CONTRIBUTING.md
- Code of Conduct: CODE_OF_CONDUCT.md
- License: LICENSE.txt
For general assistance, please join the Fortify Community to get tips and tricks from other users and the OpenText team.
OpenText customers can contact our world-class support team for questions, enhancement requests and bug reports. You can also raise questions and issues through your OpenText Fortify representative like Customer Success Manager or Technical Account Manager if applicable.
You may also consider raising questions or issues through the GitHub Issues page (if available for this repository), providing public visibility and allowing anyone (including all contributors) to review and comment on your question or issue. Note that this requires a GitHub account, and given public visibility, you should refrain from posting any confidential data through this channel.
This document was auto-generated from README.template.md; do not edit by hand