@@ -34,51 +34,96 @@ jobs:
3434 actions : read
3535 contents : read
3636 security-events : write
37+ # pull-requests: write # Required if DO_PR_COMMENT is set to true
3738
3839 steps :
3940 # Check out source code
4041 - name : Check Out Source Code
4142 uses : actions/checkout@v4
4243
43- # Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner.
44- - name : Setup Java
45- uses : actions/setup-java@v4
46- with :
47- java-version : 17
48- distribution : ' temurin'
49-
50- # Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then
51- # optionally export SAST results to the GitHub code scanning dashboard. In case further customization is
44+ # Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on
45+ # configuration, the Fortify GitHub Action can optionally set up the application version/release, generate
46+ # job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard.
47+ # The Fortify GitHub Action provides many customization capabilities, but in case further customization is
5248 # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
53- # and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for
54- # details.
55- - name : Run FoD SAST Scan
56- uses : fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418
49+ # and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action
50+ # documentation at https://github.com/fortify/github-action#readme for more information on the various
51+ # configuration options and available sub-actions.
52+ - name : Run Fortify Scan
53+ # Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example
54+ # uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases
55+ # are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability
56+ # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version
57+ # of this action, allowing your workflows to automatically benefit from any new features and bug fixes.
58+ uses : fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297
5759 with :
58- sast-scan : true
60+ sast-scan : true # Run a SAST scan; if not specified or set to false, no SAST scan will be run
61+ debricked-sca-scan : true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan
62+ # is disabled). For SSC, run a Debricked scan and import results into SSC.
5963 env :
60- # ## Required configuration when integrating with Fortify on Demand
61- FOD_URL : https://ams.fortify.com
62- FOD_TENANT : ${{secrets.FOD_TENANT}}
63- FOD_USER : ${{secrets.FOD_USER}}
64+ # ############################################################
65+ # #### Fortify on Demand configuration
66+ # #### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below)
67+ # ## Required configuration
68+ FOD_URL : https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret
69+ FOD_TENANT : ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required;
70+ FOD_USER : ${{secrets.FOD_USER}} # these should be configured through GitHub secrets.
6471 FOD_PASSWORD : ${{secrets.FOD_PAT}}
65- # ## Optional configuration when integrating with Fortify on Demand
66- # EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if
67- # Debricked SCA scan is enabled on Fortify on Demand
68- # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
69- # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>; may
70- # replace app+release name with numeric release ID
71- # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
72- # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
73- # ## Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
74- # SSC_URL: ${{secrets.SSC_URL}} # SSC URL
75- # SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken
76- # SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token
77- # SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan;
78- # usually defined as organization or repo variable
79- # ## Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
80- # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
81- # SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: <org>/<repo>:<branch>
82- # EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options
83- # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
84- # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
72+ # FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}}
73+ # FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}}
74+ # ## Optional configuration
75+ # FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
76+ # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>
77+ # DO_SETUP: true # Setup FoD application, release & static scan configuration
78+ # SETUP_ACTION: <URL or file> # Customize setup action
79+ # Pass extra options to setup action:
80+ # SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}"
81+ # PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options
82+ # FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options
83+ # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
84+ # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
85+ # POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
86+ # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
87+ # DO_JOB_SUMMARY: true # Generate workflow job summary
88+ # JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
89+ # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
90+ # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
91+ # PR_COMMENT_ACTION: <URL or file> # Customize PR comments
92+ # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
93+ # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
94+ # EXPORT_ACTION: <URL or file> # Customize export action
95+ # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
96+ # TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions
97+
98+ # ############################################################
99+ # #### Fortify Hosted / Software Security Center & ScanCentral
100+ # #### Remove this section if you're integrating with Fortify on Demand (see above)
101+ # ## Required configuration
102+ SSC_URL : ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret
103+ SSC_TOKEN : ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets
104+ SC_SAST_TOKEN : ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled
105+ DEBRICKED_TOKEN : ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled
106+ SC_SAST_SENSOR_VERSION : 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled
107+ # ## Optional configuration
108+ # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options
109+ # SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
110+ # SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: <org>/<repo>:<branch>
111+ # DO_SETUP: true # Set up SSC application & version
112+ # SETUP_ACTION: <URL or file> # Customize setup action
113+ # SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action
114+ # PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options
115+ # EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options
116+ # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
117+ # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
118+ # POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
119+ # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
120+ # DO_JOB_SUMMARY: true # Generate workflow job summary
121+ # JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
122+ # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
123+ # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
124+ # PR_COMMENT_ACTION: <URL or file> # Customize PR comments
125+ # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
126+ # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
127+ # EXPORT_ACTION: <URL or file> # Customize export action
128+ # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
129+ # TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions
0 commit comments