@@ -40,36 +40,61 @@ jobs:
4040 - name : Check Out Source Code
4141 uses : actions/checkout@v4
4242
43- # Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner.
44- - name : Setup Java
45- uses : actions/setup-java@v4
46- with :
47- java-version : 17
48- distribution : ' temurin'
49-
50- # Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then
51- # optionally export SAST results to the GitHub code scanning dashboard. In case further customization is
43+ # Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on
44+ # configuration, the Fortify GitHub Action can optionally set up the application version/release, generate
45+ # job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard.
46+ # The Fortify GitHub Action provides many customization capabilities, but in case further customization is
5247 # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
53- # and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for
54- # details.
55- - name : Run FoD SAST Scan
56- uses : fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418
48+ # and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action
49+ # documentation at https://github.com/fortify/github-action#readme for more information on the various
50+ # configuration options and available sub-actions.
51+ - name : Run Fortify Scan
52+ # Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example
53+ # uses the commit id corresponding to version 1.5.1. It is recommended to check whether any later releases
54+ # are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability
55+ # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version
56+ # of this action, allowing your workflows to automatically benefit from any new features and bug fixes.
57+ uses : fortify/github-action@45b19c5b92f561fc0ecbf9aaf1531644e2d1c0e5
5758 with :
58- sast-scan : true
59+ sast-scan : true # Run a SAST scan; if not specified or set to false, no SAST scan will be run
60+ debricked-sca-scan : true # For FoD, run an open-source scan as part of the SAST scan. For SSC, run a
61+ # Debricked scan and import results into SSC.
5962 env :
60- # ## Required configuration when integrating with Fortify on Demand
61- FOD_URL : https://ams.fortify.com
62- FOD_TENANT : ${{secrets.FOD_TENANT}}
63- FOD_USER : ${{secrets.FOD_USER}}
63+ # ############################################################
64+ # #### Fortify on Demand configuration
65+ # #### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below)
66+ # ## Required configuration
67+ FOD_URL : https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret
68+ FOD_TENANT : ${{secrets.FOD_TENANT}} # Either tenant/user/password or client credentials are required;
69+ FOD_USER : ${{secrets.FOD_USER}} # these should be configured through GitHub secrets.
6470 FOD_PASSWORD : ${{secrets.FOD_PAT}}
65- # ## Optional configuration when integrating with Fortify on Demand
66- # EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if
67- # Debricked SCA scan is enabled on Fortify on Demand
68- # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
69- # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>; may
70- # replace app+release name with numeric release ID
71- # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
72- # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
71+ # FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}}
72+ # FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}}
73+ # ## Optional configuration
74+ # FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
75+ # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>
76+ # DO_SETUP: true # Setup FoD application, release & static scan configuration
77+ # SETUP_ACTION: <URL or file> # Customize setup action
78+ # SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action
79+ # PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options
80+ # FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options
81+ # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
82+ # POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
83+ # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
84+ # DO_JOB_SUMMARY: true # Generate workflow job summary
85+ # JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
86+ # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
87+ # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
88+ # PR_COMMENT_ACTION: <URL or file> # Customize Pr comments
89+ # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
90+ # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
91+ # EXPORT_ACTION: <URL or file> # Customize export action
92+ # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
93+ # TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions
94+
95+ # ############################################################
96+ # #### Fortify Hosted / Software Security Center & ScanCentral
97+ # #### Remove this section if you're integrating with Fortify on Demand (see above)
7398 # ## Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
7499 # SSC_URL: ${{secrets.SSC_URL}} # SSC URL
75100 # SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken
0 commit comments