### Custom Fortify Workflow Setup

Source: https://fortify.github.io/fcli/v3/ci/github/v3.0.x/setup-action.html

Basic setup for custom CI/CD workflows using the `fortify/github-action/setup@v3` action. This example demonstrates pinning the bootstrapped fcli version through the `FCLI_BOOTSTRAP_VERSION` environment variable for stability.

```yaml
name: Custom Fortify Workflow
on: [push]
jobs:
  custom-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: fortify/github-action/setup@v3
        with:
          fcli: bootstrapped   # Set up bootstrapped fcli version. May also specify specific version, but
                               # then fcli may be downloaded twice (bootstrap version and requested version).
        env:
          FCLI_BOOTSTRAP_VERSION: v3.15.0   # Defaults to latest v3.x.y, pin to specific version for stability
      - name: Run custom fcli commands
        run: |
          fcli fod session login ...
          # Your custom workflow here
          fcli fod session logout ...
```

--------------------------------

### Basic Fortify Setup for Custom Workflows

Source: https://fortify.github.io/fcli/v3/ci/github/v3.1.x/setup-action.html

Use this example to set up bootstrapped fcli for custom CI/CD workflows. Pinning the `FCLI_BOOTSTRAP_VERSION` environment variable is recommended for stability.

```yaml
name: Custom Fortify Workflow
on: [push]
jobs:
  custom-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: fortify/github-action/setup@v3
        with:
          fcli: bootstrapped   # Set up bootstrapped fcli version. May also specify specific version, but
                               # then fcli may be downloaded twice (bootstrap version and requested version).
        env:
          FCLI_BOOTSTRAP_VERSION: v3.15.0   # Defaults to latest v3.x.y, pin to specific version for stability
      - name: Run custom fcli commands
        run: |
          fcli fod session login ...
          # Your custom workflow here
          fcli fod session logout ...
```

--------------------------------

### Use pre-installed fcli via bootstrap config

Source: https://fortify.github.io/fcli/v3

Configure the setup process to use an already installed fcli binary, skipping the download step.

```bash
# Use pre-installed fcli (skip download)
npx @fortify/setup bootstrap-config --fcli-path=/path/to/fcli
```

--------------------------------

### Quick Start: Fortify Scan with Custom Artifact Upload

Source: https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-without-artifacts-ssc.html

Minimal configuration for running OpenText Fortify AST scans with a custom artifact upload step. This example demonstrates checking out code, setting up a build tool, running the Fortify scan, and then conditionally uploading debug artifacts using a separate action.

```yaml
name: OpenText Application Security (Fortify Software Security Center) Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  fortify:
    runs-on: ubuntu-latest
    # permissions:                # When overriding default permissions, following are required:
    #   contents: read            # Required for checkout action
    #   security-events: write    # Required for publishing security reports to GitHub Security tab
    #   pull-requests: write      # Required if DO_PR_COMMENT is set to true
    steps:
      - uses: actions/checkout@v6   # Check out source code
      - uses: actions/setup-@vX     # Set up build tool(s) required to build your project
      # Bootstrap fcli, run the fcli-based Fortify CI workflow, and collect any debug artifacts
      # for a custom upload step (see artifact storage section below)
      - uses: fortify/github-action/without-artifacts@v3
        name: Run Fortify Scan
        id: fortify_scan
        env:
          SSC_URL: ${{ vars.SSC_URL }}
          SSC_TOKEN: ${{ secrets.SSC_TOKEN }}
          SC_SAST_TOKEN: ${{ secrets.SC_SAST_TOKEN }}
          # SSC_APPVERSION: MyApp:main   # Optional: defaults to repo:branch
      - name: Upload debug artifacts (custom)
        if: ${{ always() && steps.fortify_scan.outputs.upload-debug-artifacts == 'true' }}
        uses:
        with:
          path: ${{ steps.fortify_scan.outputs.debug-artifacts-dir }}
```

--------------------------------

### GitLab CI/CD Quick Start with FCLI

Source: https://fortify.github.io/fcli/v3/ci/gitlab/v2.0.x/fcli-component.html

Basic setup for custom workflows using a specific fcli version. Ensure the specified stage is defined in your pipeline.

```yaml
include:
  - component: $CI_SERVER_FQDN/Fortify/components/fcli/linux@2
    inputs:
      job-name: fcli
      fcli-version: v3   # Use latest fcli 3.x.y release
      stage: test
stages: [test]
fcli:
  image: my-build-tools:v1   # Optional: specify build environment
  script:
    - ${FCLI} -V   # Verify fcli installation
    - ${FCLI} fod session login ...
    - # Your custom fcli commands here
    - ${FCLI} fod session logout ...
```

--------------------------------

### Fortify CLI Specific Query Examples

Source: https://fortify.github.io/fcli/v3

Examples demonstrating the `-q` option with Fortify CLI commands for specific use cases, such as filtering artifacts by scan type, build label, or upload date.

```bash
fcli ssc artifact list --appversion MyApp:main -q 'scanTypes matches "\bSCA\b"'
```

```bash
fcli ssc artifact list --appversion MyApp:main -q '_embed.scans.![buildLabel].contains("myLabel")'
```

```bash
fcli ssc artifact list --appversion MyApp:main -q '#now("-90d") < #date(uploadDate)'
```

--------------------------------

### Reusable Fortify Scan Workflow Example

Source: https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-github-artifacts-ssc.html

Example of a reusable workflow structure for Fortify scans, demonstrating centralized version management for the Fortify action and the fcli bootstrap version.
```yaml
# .github/workflows/fortify-scan.yml (in your organization's shared workflow repository)
name: Fortify Scan Reusable
on:
  workflow_call:
    inputs:
      ssc-appversion:
        description: 'Optional SSC application version, defaults to :'
        required: false
        type: string
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: fortify/github-action/with-github-artifacts@v3.1.0   # Centrally managed version
        env:
          SSC_URL: ${{ vars.SSC_URL }}
          SSC_TOKEN: ${{ secrets.SSC_TOKEN }}
          SC_SAST_TOKEN: ${{ secrets.SC_SAST_TOKEN }}
          SSC_APPVERSION: ${{ inputs.ssc-appversion }}
          FCLI_BOOTSTRAP_VERSION: v3.15.0   # Centrally managed version
```

--------------------------------

### Initialize Fortify CLI Configuration

Source: https://fortify.github.io/fcli/v3

Use this command to bootstrap the configuration for the Fortify CLI. This is a general setup command.

```bash
npx @fortify/setup bootstrap-config
```

--------------------------------

### Wait for Scan Completion using Scan ID

Source: https://fortify.github.io/fcli/v3/manpage/fcli-fod-mast-scan-wait-for.html

This example demonstrates how to start a SAST scan and then use the stored scan ID to wait for its completion. It uses the `--store` option to save the scan ID in an fcli variable and then references it as `::scan::`.

```bash
fcli fod sast-scan start ... --store scan
fcli fod sast-scan wait-for ::scan::
```

--------------------------------

### Login, List, and Logout Session Example

Source: https://fortify.github.io/fcli/v3

Demonstrates the basic workflow of logging into an SSC session, listing application versions, and logging out. It is recommended to log out after use to perform cleanup and avoid exhausting token limits.
```bash
fcli ssc session login --url https://my.ssc.org/ssc --user --password
fcli ssc appversion list
fcli ssc session logout --user --password
```

--------------------------------

### Install Multiple Versions and Manage Global Bin

Source: https://fortify.github.io/fcli/v3/manpage/fcli-tool-debricked-cli-install.html

Installs both the latest tool version and the latest version 1, while disabling the installation of global bin scripts for the version 1 installation. This allows for installing multiple versions side by side and controlling which one is available through the command-line shortcuts.

```bash
fcli tool install -v latest
fcli tool install -v 1 --no-global-bin
```

--------------------------------

### Install Latest fcli Version

Source: https://fortify.github.io/fcli/v3

Install the latest available fcli version to the default base directory. View usage information and available versions before installing.

```bash
fcli tool fcli install -h
```

```bash
fcli tool fcli list
```

```bash
fcli tool fcli install -v latest
```

--------------------------------

### Quick Start Fortify AST Scan Workflow

Source: https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-with-github-artifacts-ssc.html

Minimal configuration for running OpenText Fortify AST scans using the GitHub Action. Ensure build tools are set up before this step.
```yaml
name: OpenText Application Security (Fortify Software Security Center) Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  fortify:
    runs-on: ubuntu-latest
    # permissions:                # When overriding default permissions, following are required:
    #   contents: read            # Required for checkout action
    #   security-events: write    # Required for publishing security reports to GitHub Security tab
    #   pull-requests: write      # Required if DO_PR_COMMENT is set to true
    steps:
      - uses: actions/checkout@v6   # Check out source code
      - uses: actions/setup-@vX     # Set up build tool(s) required to build your project
      # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts
      # to GitHub artifact storage (see artifact storage section below for alternative options)
      - uses: fortify/github-action/with-github-artifacts@v3
        name: Run Fortify Scan
        env:
          SSC_URL: ${{ vars.SSC_URL }}
          SSC_TOKEN: ${{ secrets.SSC_TOKEN }}
          SC_SAST_TOKEN: ${{ secrets.SC_SAST_TOKEN }}
          # SSC_APPVERSION: MyApp:main   # Optional: defaults to repo:branch
```

--------------------------------

### Use custom download URL via bootstrap config

Source: https://fortify.github.io/fcli/v3

Configure the setup process to download fcli from a custom URL, such as an internal mirror.

```bash
# Use custom download URL (internal mirror)
npx @fortify/setup bootstrap-config --fcli-url=https://my-mirror.com/fcli-linux.tgz
```

--------------------------------

### Install Latest and Uninstall Others

Source: https://fortify.github.io/fcli/v3/manpage/fcli-tool-debricked-cli-install.html

Installs the latest version of a tool and automatically uninstalls all other previously installed versions. This is useful for ensuring only the most recent version is present, effectively performing an upgrade.
```bash
fcli tool install -v latest --uninstall all
```

--------------------------------

### Quick Start: Fortify Scan with Custom Artifact Upload

Source: https://fortify.github.io/fcli/v3/ci/github/v3.1.x/ast-action-without-artifacts-fod.html

Minimal configuration for running OpenText Fortify AST scans and a subsequent custom step to upload debug artifacts.

```yaml
name: OpenText Core Application Security (Fortify on Demand) Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  fortify:
    runs-on: ubuntu-latest
    # permissions:                # When overriding default permissions, following are required:
    #   contents: read            # Required for checkout action
    #   security-events: write    # Required for publishing security reports to GitHub Security tab
    #   pull-requests: write      # Required if DO_PR_COMMENT is set to true
    steps:
      - uses: actions/checkout@v6   # Check out source code
      - uses: actions/setup-@vX     # Set up build tool(s) required to build your project
      # Bootstrap fcli, run the fcli-based Fortify CI workflow, and collect any debug artifacts
      # for a custom upload step (see artifact storage section below)
      - uses: fortify/github-action/without-artifacts@v3
        name: Run Fortify Scan
        id: fortify_scan
        env:
          FOD_URL: ${{ vars.FOD_URL }}
          FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }}
          FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }}
          # FOD_RELEASE: MyApp:main          # Optional: defaults to repo:branch
          # FCLI_BOOTSTRAP_VERSION: v3.15    # Optional if you prefer stability over latest
      - name: Upload debug artifacts (custom)
        if: ${{ always() && steps.fortify_scan.outputs.upload-debug-artifacts == 'true' }}
        uses:
        with:
          path: ${{ steps.fortify_scan.outputs.debug-artifacts-dir }}
```

--------------------------------

### fcli sc-sast scan start

Source: https://fortify.github.io/fcli/v3/manpage/fcli-sc-sast-scan-start.html

Starts a ScanCentral SAST scan with specified options.

```APIDOC
## fcli sc-sast scan start

### Description
Initiates a Static Code Analysis (SAST) scan using ScanCentral.

### Method
CLI Command

### Endpoint
N/A (CLI Command)

### Parameters

#### Path Parameters
None

#### Query Parameters
None

#### Command Options
- **--diagnose** (boolean) - Request generation of server-side diagnostic logs.
- **--no-replace** (boolean) - If ScanCentral SAST is configured to replace existing scan jobs if jobs are already running for the given application version, this option may be used to override this behavior and keep the existing scan jobs.
- **--delim**=__ (string) - Change the default delimiter character when using options that accept "application:version" as an argument or parameter.
- **-f**, **--file**=__ (string) - File containing the payload to be scanned. This must be either an MBS file generated through 'sourceanalyzer -export-build-session', or a package file generated through 'scancentral package'.
- **--notify**=__ (string) - Email address to which to send a scan completion notification.
- **--pool**, **--sensor-pool**=__ (string) - Sensor pool Uuid or Name.
- **--publish-as**=__ (string) - FPR file name to use when publishing the scan results to SSC.
- **--publish-to**=__ (string) - Publish scan results to the given SSC application version once the scan has completed.
- **--publish-token**=__ (string) - SSC token to be used to publish the scan results to SSC. If not specified, the current SSC session token will be used.
- **--sargs**, **--scan-args**=__ (string) - Fortify Static Code Analyzer scan arguments. Multiple scan arguments must be provided as a single option argument, arguments containing spaces or that conflict with fcli options like '-filter' must be embedded in single quotes, and local files must be referenced through the '@' prefix.
- **--scan-timeout**=__ (string) - Specify scan time-out (in minutes) for this scan job.
- **-v**, **--sensor-version**=__ (string) - Version of the sensor on which the payload should be scanned.
- **--ssc-session**=__ (string) - Name of the SSC session to use for executing this command. Default value: default.
- **-o**, **--output**=__ (string) - Select output type (csv, table, expr, json, xml, yaml) and optional type arguments.
- **--store**=_[:]_ (string) - Store JSON results in an fcli variable for later reference.
- **--style**=_
```
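The "Login, List, and Logout Session Example" above recommends logging out after use so that SSC tokens are cleaned up and token limits are not exhausted. The following wrapper, added here as an example and not taken from the fcli documentation or the fcli project, runs the same login / `appversion list` / logout sequence but guarantees the logout through a subshell EXIT trap, so a command failing in the middle still closes the session. The `ssc_session_run` and `list_appversions` functions, the optional `FCLI` override, and the `SSC_URL`, `SSC_USER` and `SSC_PASSWORD` variables are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the fcli project or its documentation.
# Runs fcli commands inside an SSC session and guarantees that
# 'fcli ssc session logout' runs even when a command in between fails,
# so the session token is cleaned up and SSC token limits are not exhausted.
#
# Assumptions (constructed for this example): SSC_URL, SSC_USER and
# SSC_PASSWORD are set in the caller's environment (for instance injected
# by the CI system from its secret store), and FCLI may point at a specific
# fcli binary (default: the fcli found on PATH).
set -u

FCLI="${FCLI:-fcli}"

# ssc_session_run COMMAND [ARGS...]
#   1. log in to SSC
#   2. run COMMAND (normally one or more "$FCLI" invocations)
#   3. log out, whether or not COMMAND succeeded
# The exit status is that of COMMAND, or of the login if the login itself
# fails; in that case there is no session to close, so no logout is attempted.
ssc_session_run() {
  (
    set -e
    "$FCLI" ssc session login --url "$SSC_URL" --user "$SSC_USER" --password "$SSC_PASSWORD"
    # A session exists from here on, so register the logout as the EXIT trap of
    # this subshell: it fires on normal completion and on any 'set -e' failure.
    trap '"$FCLI" ssc session logout --user "$SSC_USER" --password "$SSC_PASSWORD"' EXIT
    "$@"
  )
}

# Example workload: the application version listing from the session example,
# wrapped in the login/logout handling above.
list_appversions() {
  ssc_session_run "$FCLI" ssc appversion list
}

# Usage (after exporting SSC_URL, SSC_USER and SSC_PASSWORD):
#   list_appversions
```

The credentials are read from the environment at call time rather than written into the script, and the trap is registered only after the login has succeeded, so a failed login never triggers a logout against a session that was never opened.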