-
Notifications
You must be signed in to change notification settings - Fork 353
Add Fortify Application Security Testing workflow #556
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
Itsskell
wants to merge
3
commits into
changesets:main
Choose a base branch
from
Itsskell:main
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
3 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Some comments aren't visible on the classic Files Changed page.
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| "@changesets/action": patch | ||
| --- | ||
|
|
||
| Add Fortify Application Security Testing workflow |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,129 @@ | ||
| # This workflow uses actions that are not certified by GitHub. | ||
| # They are provided by a third-party and are governed by | ||
| # separate terms of service, privacy policy, and support | ||
| # documentation. | ||
|
|
||
| ################################################################################################################################################ | ||
| # Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your # | ||
| # software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. # | ||
| # # | ||
| # Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template # | ||
| # demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security # | ||
| # Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product # | ||
| # documentation. If you need additional assistance, please contact Fortify support. # | ||
| ################################################################################################################################################ | ||
|
|
||
| name: Fortify AST Scan | ||
|
|
||
| # Customize trigger events based on your DevSecOps process and/or policy | ||
| on: | ||
| push: | ||
| branches: [ "main" ] | ||
| pull_request: | ||
| # The branches below must be a subset of the branches above | ||
| branches: [ "main" ] | ||
| schedule: | ||
| - cron: '39 23 * * 1' | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| Fortify-AST-Scan: | ||
| # Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc). | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write | ||
| # pull-requests: write # Required if DO_PR_COMMENT is set to true | ||
|
|
||
| steps: | ||
| # Check out source code | ||
| - name: Check Out Source Code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| # Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on | ||
| # configuration, the Fortify GitHub Action can optionally set up the application version/release, generate | ||
| # job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard. | ||
| # The Fortify GitHub Action provides many customization capabilities, but in case further customization is | ||
| # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools | ||
| # and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action | ||
| # documentation at https://github.com/fortify/github-action#readme for more information on the various | ||
| # configuration options and available sub-actions. | ||
| - name: Run Fortify Scan | ||
| # Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example | ||
| # uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases | ||
| # are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability | ||
| # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version | ||
| # of this action, allowing your workflows to automatically benefit from any new features and bug fixes. | ||
| uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297 | ||
| with: | ||
| sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run | ||
| debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan | ||
| # is disabled). For SSC, run a Debricked scan and import results into SSC. | ||
| env: | ||
| ############################################################# | ||
| ##### Fortify on Demand configuration | ||
| ##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below) | ||
| ### Required configuration | ||
| FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret | ||
| FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required; | ||
| FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets. | ||
| FOD_PASSWORD: ${{secrets.FOD_PAT}} | ||
| # FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}} | ||
| # FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}} | ||
| ### Optional configuration | ||
| # FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options | ||
| # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch> | ||
| # DO_SETUP: true # Setup FoD application, release & static scan configuration | ||
| # SETUP_ACTION: <URL or file> # Customize setup action | ||
| # Pass extra options to setup action: | ||
| # SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}" | ||
| # PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options | ||
| # FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options | ||
| # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled) | ||
| # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL | ||
| # POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks | ||
| # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action | ||
| # DO_JOB_SUMMARY: true # Generate workflow job summary | ||
| # JOB_SUMMARY_ACTION: <URL or file> # Customize job summary | ||
| # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action | ||
| # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers | ||
| # PR_COMMENT_ACTION: <URL or file> # Customize PR comments | ||
| # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action | ||
| # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard | ||
| # EXPORT_ACTION: <URL or file> # Customize export action | ||
| # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action | ||
| # TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions | ||
|
|
||
| ############################################################# | ||
| ##### Fortify Hosted / Software Security Center & ScanCentral | ||
| ##### Remove this section if you're integrating with Fortify on Demand (see above) | ||
| ### Required configuration | ||
| SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret | ||
| SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets | ||
| SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled | ||
| DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled | ||
| SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled | ||
| ### Optional configuration | ||
| # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options | ||
| # SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options | ||
| # SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: <org>/<repo>:<branch> | ||
| # DO_SETUP: true # Set up SSC application & version | ||
| # SETUP_ACTION: <URL or file> # Customize setup action | ||
| # SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action | ||
| # PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options | ||
| # SC_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli sc-sast scan start' options | ||
| # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled) | ||
| # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL | ||
| # POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks | ||
| # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action | ||
| # DO_JOB_SUMMARY: true # Generate workflow job summary | ||
| # JOB_SUMMARY_ACTION: <URL or file> # Customize job summary | ||
| # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action | ||
| # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers | ||
| # PR_COMMENT_ACTION: <URL or file> # Customize PR comments | ||
| # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action | ||
| # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard | ||
| # EXPORT_ACTION: <URL or file> # Customize export action | ||
| # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action | ||
| # TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The SSC_URL is configured using vars.SSC_URL (GitHub variable) while the FOD_URL is hardcoded. This inconsistency in configuration approach could cause confusion. For consistency and flexibility, either both should use hardcoded values or both should use GitHub variables, depending on the organization's security and deployment practices.