Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your software supply chain. As the sole Code Security solution with over two decades of expertise and acknowledged as a market leader by all major analysts, Fortify delivers the most adaptable, precise, and scalable AppSec platform available, supporting the breadth of tech you use and integrated into your preferred toolchain. We firmly believe that your great code demands great security, and with Fortify, go beyond 'check the box' security to achieve that.

The Fortify github-action repository hosts various Fortify-related GitHub Actions as listed in the sections below.

Fortify on Demand

• fortify/github-action
  For now, this action provides the same functionality as the fod-sast-scan action listed below. Future versions may add support for running other types of scans or performing other FoD actions.
• fortify/github-action/fod-sast-scan
  Package source code, submit static application security testing (SAST) scan request to Fortify on Demand, optionally wait for completion and export results back to the GitHub Security dashboard.
• fortify/github-action/package
  Package source code for running a SAST scan, using the latest version of ScanCentral Client. Optionally resolve dependencies for Software Composition Analysis (SCA) of open source components with integrated Debricked analysis via Fortify on Demand.
• fortify/github-action/fod-export
  Export SAST vulnerability data from Fortify on Demand to the GitHub Security dashboard.
• fortify/github-action/setup
  Install various Fortify tools like fcli, ScanCentral Client, FortifyVulnerabilityExporter and FortifyBugTrackerUtility for use in your pipeline

Fortify Sofware Security Center (SSC) / ScanCentral SAST

• fortify/github-action
  For now, this action provides the same functionality as the sc-sast-scan action listed below. Future versions may add support for running other types of scans or performing other SSC / ScanCentral actions.
• fortify/github-action/sc-sast-scan
  Package source code, submit SAST scan request to ScanCentral SAST, optionally wait for completion and export results back to the GitHub Security dashboard.
• fortify/github-action/package
  Package source code for running a SAST scan, using the latest version of ScanCentral Client.
• fortify/github-action/ssc-export
  Export SAST vulnerability data from Fortify SSC to the GitHub Security dashboard.
• fortify/github-action/setup
  Install various Fortify tools like fcli, ScanCentral Client, FortifyVulnerabilityExporter and FortifyBugTrackerUtility for use in your pipeline

The primary fortify/github-action action currently allows for running SAST scans on either Fortify on Demand or ScanCentral SAST. Which activities to perform is controlled through action inputs, the input for those activities is provided through environment variables. With Fortify on Demand, software composition analysis of open source components may also be performed in conjunction with the SAST scan for customers who have purchased the functionality.

This action assumes the standard software packages as provided by GitHub-hosted runners to be available. If you are using self-hosted runners, you may need to install some of these software packages in order to successfully use this action. In particular, not having the following software installed is known to cause issues when running fortify/github-action or one of its sub-actions:

• Node.js
• Visual C++ Redistributable (Windows-based runners only)
• Bash shell
  If using Windows runners, this must be a Windows-based bash variant, for example as provided by MSYS2. You must make sure that this Windows-based bash variant is used for run steps that specify shell: bash. Actions will fail if the GitHub runner executes bash commands on the WSL-provided bash.exe

sast-scan - OPTIONAL
When set to true, the action will run a SAST scan on either Fortify on Demand (if the FOD_URL environment variable has been specified), or on ScanCentral SAST (if the SSC_URL environment variable has been specified). This includes packaging the source code, running the scan, and optionally reporting SAST scan results back into GitHub.

If not specified or when set to false, no SAST scan will be performed. For now, this means that the action will complete without doing any work. Future versions of this action may provide additional inputs, for example allowing you to run a dynamic application security testing (DAST) scan instead of a SAST scan.

FOD_URL - REQUIRED
Fortify on Demand URL, for example https://ams.fortify.com

FOD_CLIENT_ID & FOD_CLIENT_SECRET - REQUIRED*
Required when authenticating with an API key: FoD Client ID (API key) and Secret (API secret).

FOD_TENANT, FOD_USER & FOD_PASSWORD - REQUIRED*
Required when authenticating with user credentials: FoD tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password.

EXTRA_FOD_LOGIN_OPTS - OPTIONAL
Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see fcli fod session login documentation

FOD_RELEASE - OPTIONAL
Fortify on Demand release to use with this action. This can be specified either as a numeric release id, <app-name>:<release-name> (for non-microservices applications) or <app-name>:<microservice-name>:<release-name> (for microservices applications). Default value is <github.action_repository>:<github.action_ref>, for example myOrg/myRepo:myBranch.

EXTRA_PACKAGE_OPTS - OPTIONAL
By default, this action runs scancentral package -o package.zip to package application source code. The EXTRA_PACKAGE_OPTS environment variable can be used to specify additional packaging options.

If FoD Software Composition Analysis has been purchased and configured on the applicable release, you'll need to pass the -oss option through this environment variable to generate and package the additional dependency files required.

Based on the automated build tool detection feature provided by ScanCentral Client, this default scancentral command is often sufficient to properly package application source code. Depending on your build setup, you may however need to configure the EXTRA_PACKAGE_OPTS environment variable to specify additional packaging options.

As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the -bf <custom build file> option using the EXTRA_PACKAGE_OPTS environment variable. See Command-line options for the package command for more information on available options.

EXTRA_FOD_SAST_SCAN_OPTS - OPTIONAL
Extra FoD SAST scan options; see fcli fod sast-scan start documentation

DO_WAIT - OPTIONAL
By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the DO_WAIT environment variable to true. Note that DO_WAIT is implied if DO_EXPORT is set to true; see below.

DO_EXPORT - OPTIONAL
If set to true, this action will export scan results to the GitHub Security Code Scanning dashboard. Note that this may require a GitHub Advanced Security subscription, unless you're running this action on a public github.com repository.

TOOL_DEFINITIONS - OPTIONAL
Fortify tool definitions are used by this GitHub Action to determine available versions, download location and other details of various Fortify-related tools, as required for action execution. By default, the Fortify-provided tool definitions hosted at https://github.com/fortify/tool-definitions/releases/tag/v1 will be used.

This environment variable allows for overriding the default tool definitions, pointing to either a URL or local (workspace) file. For example, if GitHub workflows are not allowed to download tools from their public internet locations, customers may host the tool installation bundles on an internal server, together with a customized tool definitions bundle that lists the alternative download URLs.

SSC_URL - REQUIRED
Fortify Software Security Center URL, for example https://ssc.customer.fortifyhosted.net/

SSC_TOKEN - REQUIRED*
Required when authenticating with an SSC token (recommended). Most actions should work fine with a CIToken.

SSC_USER & SSC_PASSWORD - REQUIRED*
Required when authenticating with SSC user credentials.

SC_SAST_TOKEN - REQUIRED
Required: ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller.

EXTRA_SC_SAST_LOGIN_OPTS - OPTIONAL
Extra ScanCentral SAST login options, for example for disabling SSL checks or changing connection time-outs; see fcli sc-sast session login documentation.

SSC_APPVERSION - OPTIONAL
Fortify SSC application version to use with this action. This can be specified either as a numeric application version id, or by providing application and version name in the format <app-name>:<version-name>. Default value is <github.action_repository>:<github.action_ref>, for example myOrg/myRepo:myBranch.

EXTRA_PACKAGE_OPTS - OPTIONAL
By default, this action runs scancentral package -o package.zip to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default scancentral command is often sufficient. Depending on your build setup, you may however need to configure the EXTRA_PACKAGE_OPTS environment variable to specify additional packaging options.

As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the -bf <custom build file> option using the EXTRA_PACKAGE_OPTS environment variable. See Command-line options for the package command for more information on available options.

SC_SAST_SENSOR_VERSION - REQUIRED
Version of the ScanCentral SAST sensor on which the scan should be performed. See fcli sc-sast scan start documentation for details.

EXTRA_SC_SAST_SCAN_OPTS - OPTIONAL
Extra ScanCentral SAST scan options; see fcli sc-sast scan start documentation

DO_WAIT - OPTIONAL
By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the DO_WAIT environment variable to true. Note that DO_WAIT is implied if DO_EXPORT is set to true; see below.

DO_EXPORT - OPTIONAL
If set to true, this action will export scan results to the GitHub Security Code Scanning dashboard. Note that this may require a GitHub Advanced Security subscription, unless you're running this action on a public github.com repository.

TOOL_DEFINITIONS - OPTIONAL
Fortify tool definitions are used by this GitHub Action to determine available versions, download location and other details of various Fortify-related tools, as required for action execution. By default, the Fortify-provided tool definitions hosted at https://github.com/fortify/tool-definitions/releases/tag/v1 will be used.

This environment variable allows for overriding the default tool definitions, pointing to either a URL or local (workspace) file. For example, if GitHub workflows are not allowed to download tools from their public internet locations, customers may host the tool installation bundles on an internal server, together with a customized tool definitions bundle that lists the alternative download URLs.

The sample workflows below demonstrate how to configure the action for running a SAST scan on either Fortify on Demand or ScanCentral SAST.

    steps:    
      - name: Check out source code
        uses: actions/checkout@v4  
      - name: Run FoD SAST Scan
        uses: fortify/github-action@v1
        with:
          sast-scan: true
        env:
          FOD_URL: https://ams.fortify.com
          FOD_TENANT: ${{secrets.FOD_TENANT}}
          FOD_USER: ${{secrets.FOD_USER}}
          FOD_PASSWORD: ${{secrets.FOD_PAT}}
          # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s
          # FOD_RELEASE: MyApp:MyRelease
          # EXTRA_PACKAGE_OPTS: -oss
          # DO_WAIT: true
          # DO_EXPORT: true
          # TOOL_DEFINITIONS: https://ftfy.mycompany.com/tool-definitions/v1/tool-definitions.yaml.zip

    steps:    
      - name: Check out source code
        uses: actions/checkout@v4  
      - name: Run ScanCentral SAST Scan
        uses: fortify/github-action@v1
        with:
          sast-scan: true
        env:
          SSC_URL: ${{secrets.SSC_URL}}
          SSC_TOKEN: ${{secrets.SSC_TOKEN}}
          SC_SAST_TOKEN: ${{secrets.CLIENT_AUTH_TOKEN}}
          # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s
          # SSC_APPVERSION: MyApp:MyVersion
          # EXTRA_PACKAGE_OPTS: -bf custom-pom.xml
          SC_SAST_SENSOR_VERSION: 23.2
          # DO_WAIT: true
          # DO_EXPORT: true
          # TOOL_DEFINITIONS: https://ftfy.mycompany.com/tool-definitions/v1/tool-definitions.yaml.zip

Depending on input, this action delegates to the appropriate sub-action(s). Please refer to the documentation of these actions for a more detailed description of action behavior & requirements:

• FoD SAST & optional SCA (open source) scan: fortify/github-action/fod-sast-scan
• ScanCentral SAST scan: fortify/github-action/sc-sast-scan

This action allows for setting up the Fortify tools listed below. Which tools and which versions to install, and whether to add the tool bin-directories to the system path, is controlled through action inputs as listed in the next section.

• fcli
• Debricked CLI
• ScanCentral Client
• FoDUploader
• FortifyVulnerabilityExporter
• FortifyBugTrackerUtility

This action assumes the standard software packages as provided by GitHub-hosted runners to be available. If you are using self-hosted runners, you may need to install some of these software packages in order to successfully use this action. In particular, not having the following software installed is known to cause issues when running fortify/github-action or one of its sub-actions:

• Node.js
• Visual C++ Redistributable (Windows-based runners only)
• Bash shell
  If using Windows runners, this must be a Windows-based bash variant, for example as provided by MSYS2. You must make sure that this Windows-based bash variant is used for run steps that specify shell: bash. Actions will fail if the GitHub runner executes bash commands on the WSL-provided bash.exe

export-path - OPTIONAL
Whether to add the installed tools to the system PATH variable. Allowed values: true (default) or false

tool-definitions - OPTIONAL Allows for overriding the location of the Fortify tool definitions bundle. This can be specified either as an action input or through the TOOL_DEFINITIONS environment variable; see the 'Action environment variable inputs' section below for details.

fcli - OPTIONAL
The fcli version to install. Allowed values: skip (default value, do not install fcli), latest, or specific version number. Supports semantic versioning, for example v2 will install the latest known 2.x.y version. Version may be specified either with or without the v prefix, for example v2.0.0 and 2.0.0 are semantically the same.

sc-client - OPTIONAL
The ScanCentral Client version to install. Allowed values: skip (default value, do not install), latest, or specific version number. Supports semantic versioning, for example 23.1 will install the latest known 23.1.y patch version. Version may be specified either with or without the v prefix, for example v23.1 and 23.1 are semantically the same.

fod-uploader - OPTIONAL
The FoDUploader version to install. Allowed values: skip (default value, do not install), latest, or specific version number. Supports semantic versioning, for example v5 will install the latest known 5.x.y version. Version may be specified either with or without the v prefix, for example v5.4.0 and 5.4.0 are semantically the same.

vuln-exporter - OPTIONAL
The FortifyVulnerabilityExporter version to install. Allowed values: skip (default value, do not install), latest, or specific version number. Supports semantic versioning, for example v2 will install the latest known 2.x.y version. Version may be specified either with or without the v prefix, for example v2.0.4 and 2.0.4 are semantically the same.

bugtracker-utility - OPTIONAL
The FortifyBugTrackerUtility version to install. Allowed values: skip (default value, do not install), latest, or specific version number. Supports semantic versioning, for example v4 will install the latest known 4.x version. Version may be specified either with or without the v prefix, for example v4.12 and 4.12 are semantically the same.

debricked-cli - OPTIONAL
The Debricked CLI version to install. Allowed values: skip (default value, do not install), latest, or specific version number. Supports semantic versioning, for example v1 will install the latest known 1.x version. Version may be specified either with or without the v prefix, for example v1 and 1 are semantically the same.

TOOL_DEFINITIONS - OPTIONAL
Fortify tool definitions are used by this GitHub Action to determine available versions, download location and other details of various Fortify-related tools, as required for action execution. By default, the Fortify-provided tool definitions hosted at https://github.com/fortify/tool-definitions/releases/tag/v1 will be used.

This environment variable allows for overriding the default tool definitions, pointing to either a URL or local (workspace) file. For example, if GitHub workflows are not allowed to download tools from their public internet locations, customers may host the tool installation bundles on an internal server, together with a customized tool definitions bundle that lists the alternative download URLs.

For each tool being installed, the action outputs several environment variables for use by later workflow steps.

PATH
If the export-path action input was set to true (default), the bin-directory of the installed tool will be added to the workflow PATH environment variable.

<TOOL_NAME>_INSTALL_DIR
Directory where the corresponding tool was installed. <TOOL_NAME> corresponds to the various action inputs, but converted to uppercase and dashes replaced by underscore, for example FOD_UPLOADER_INSTALL_DIR.

<TOOL_NAME>_BIN_DIR
Bin-directory that holds the executables for the corresponding tool. <TOOL_NAME> corresponds to the various action inputs, but converted to uppercase and dashes replaced by underscore, for example FOD_UPLOADER_BIN_DIR.

<TOOL_NAME>_CMD
Fully qualified path to the (primary) executable/script for the corresponding tool. <TOOL_NAME> corresponds to the various action inputs, but converted to uppercase and dashes replaced by underscore, for example FOD_UPLOADER_CMD.

The sample workflow below demonstrates how to configure the action for installing the various Fortify tools and how to run these tools. Some notes:

• The export-path and bugtracker-utility inputs are set to their default values, and thus could have been omitted.
• The action supports semantic versioning, so the vuln-exporter input will install the latest known v2.x.y version of FortifyVulnerabilityExporter.

    steps:    
      - name: Setup Fortify tools
        uses: fortify/github-action/setup@v1
        with:
          tool-definitions: https://github.com/fortify/tool-definitions/releases/download/v1/tool-definitions.yaml.zip
          export-path: true
          fcli: latest
          sc-client: 23.1.0
          fod-uploader: latest
          vuln-exporter: v2
          bugtracker-utility: skip
          debricked-cli: skip
      - name: Run fcli from PATH
        run: fcli -V
      - name: Run fcli using FCLI_CMD environment variable
        run: ${FCLI_CMD} -V

This action packages application source code using ScanCentral Client. The output package is saved as package.zip.

This action assumes the standard software packages as provided by GitHub-hosted runners to be available. If you are using self-hosted runners, you may need to install some of these software packages in order to successfully use this action. In particular, not having the following software installed is known to cause issues when running fortify/github-action or one of its sub-actions:

• Node.js
• Visual C++ Redistributable (Windows-based runners only)
• Bash shell
  If using Windows runners, this must be a Windows-based bash variant, for example as provided by MSYS2. You must make sure that this Windows-based bash variant is used for run steps that specify shell: bash. Actions will fail if the GitHub runner executes bash commands on the WSL-provided bash.exe

EXTRA_PACKAGE_OPTS - OPTIONAL
By default, this action runs scancentral package -o package.zip to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default scancentral command is often sufficient. Depending on your build setup, you may however need to configure the EXTRA_PACKAGE_OPTS environment variable to specify additional packaging options.

As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the -bf <custom build file> option using the EXTRA_PACKAGE_OPTS environment variable. See Command-line options for the package command for more information on available options.

TOOL_DEFINITIONS - OPTIONAL
Fortify tool definitions are used by this GitHub Action to determine available versions, download location and other details of various Fortify-related tools, as required for action execution. By default, the Fortify-provided tool definitions hosted at https://github.com/fortify/tool-definitions/releases/tag/v1 will be used.

This environment variable allows for overriding the default tool definitions, pointing to either a URL or local (workspace) file. For example, if GitHub workflows are not allowed to download tools from their public internet locations, customers may host the tool installation bundles on an internal server, together with a customized tool definitions bundle that lists the alternative download URLs.

The sample workflow below demonstrates how to configure the action for running a SAST scan on FoD.

    steps:  
      - name: Check out source code
        uses: actions/checkout@v4  
      - name: Package source code
        uses: fortify/github-action/package@v1
        env:
          # EXTRA_PACKAGE_OPTS: -bf custom-pom.xml
          # TOOL_DEFINITIONS: https://ftfy.mycompany.com/tool-definitions/v1/tool-definitions.yaml.zip

This action performs a SAST scan on Fortify on Demand (FoD). If software composition analysis of open source has been purchased and configured on the applicable release, this action can be used to perform a combined SAST and SCA (open source) scan.

The SAST and optional open source scan performed by this action consists of the following steps:

• Login to FoD
• Package application source code using ScanCentral Client
• Submit the source code package to be scanned to FoD
• Optionally wait for the scan to complete
• Optionally export scan results to the GitHub Code Scanning dashboard

Before running this action, please ensure that the appropriate release has been created on FoD and has been configured for SAST scans. Future versions of this action may add support for automating app/release creation and scan setup. If open source scanning has been enabled in the FoD SAST scan configuration, be sure to pass the -oss option through the EXTRA_PACKAGE_OPTS environment variable.

This action assumes the standard software packages as provided by GitHub-hosted runners to be available. If you are using self-hosted runners, you may need to install some of these software packages in order to successfully use this action. In particular, not having the following software installed is known to cause issues when running fortify/github-action or one of its sub-actions:

• Node.js
• Visual C++ Redistributable (Windows-based runners only)
• Bash shell
  If using Windows runners, this must be a Windows-based bash variant, for example as provided by MSYS2. You must make sure that this Windows-based bash variant is used for run steps that specify shell: bash. Actions will fail if the GitHub runner executes bash commands on the WSL-provided bash.exe

FOD_URL - REQUIRED
Fortify on Demand URL, for example https://ams.fortify.com

FOD_CLIENT_ID & FOD_CLIENT_SECRET - REQUIRED*
Required when authenticating with an API key: FoD Client ID (API key) and Secret (API secret).

FOD_TENANT, FOD_USER & FOD_PASSWORD - REQUIRED*
Required when authenticating with user credentials: FoD tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password.

EXTRA_FOD_LOGIN_OPTS - OPTIONAL
Extra FoD login options, for example for disabling SSL checks or changing connection time-outs; see fcli fod session login documentation

FOD_RELEASE - OPTIONAL
Fortify on Demand release to use with this action. This can be specified either as a numeric release id, <app-name>:<release-name> (for non-microservices applications) or <app-name>:<microservice-name>:<release-name> (for microservices applications). Default value is <github.action_repository>:<github.action_ref>, for example myOrg/myRepo:myBranch.

EXTRA_PACKAGE_OPTS - OPTIONAL
By default, this action runs scancentral package -o package.zip to package application source code. The EXTRA_PACKAGE_OPTS environment variable can be used to specify additional packaging options.

If FoD Software Composition Analysis has been purchased and configured on the applicable release, you'll need to pass the -oss option through this environment variable to generate and package the additional dependency files required.

Based on the automated build tool detection feature provided by ScanCentral Client, this default scancentral command is often sufficient to properly package application source code. Depending on your build setup, you may however need to configure the EXTRA_PACKAGE_OPTS environment variable to specify additional packaging options.

As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the -bf <custom build file> option using the EXTRA_PACKAGE_OPTS environment variable. See Command-line options for the package command for more information on available options.

EXTRA_FOD_SAST_SCAN_OPTS - OPTIONAL
Extra FoD SAST scan options; see fcli fod sast-scan start documentation

DO_WAIT - OPTIONAL
By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the DO_WAIT environment variable to true. Note that DO_WAIT is implied if DO_EXPORT is set to true; see below.

DO_EXPORT - OPTIONAL
If set to true, this action will export scan results to the GitHub Security Code Scanning dashboard. Note that this may require a GitHub Advanced Security subscription, unless you're running this action on a public github.com repository.

TOOL_DEFINITIONS - OPTIONAL
Fortify tool definitions are used by this GitHub Action to determine available versions, download location and other details of various Fortify-related tools, as required for action execution. By default, the Fortify-provided tool definitions hosted at https://github.com/fortify/tool-definitions/releases/tag/v1 will be used.

This environment variable allows for overriding the default tool definitions, pointing to either a URL or local (workspace) file. For example, if GitHub workflows are not allowed to download tools from their public internet locations, customers may host the tool installation bundles on an internal server, together with a customized tool definitions bundle that lists the alternative download URLs.

The sample workflow below demonstrates how to configure the action for running a SAST scan on FoD.

    steps:    
      - name: Check out source code
        uses: actions/checkout@v4  
      - name: Run FoD SAST Scan
        uses: fortify/github-action/fod-sast-scan@v1
        env:
          FOD_URL: https://ams.fortify.com
          FOD_TENANT: ${{secrets.FOD_TENANT}}
          FOD_USER: ${{secrets.FOD_USER}}
          FOD_PASSWORD: ${{secrets.FOD_PAT}}
          # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s
          # FOD_RELEASE: MyApp:MyRelease
          # EXTRA_PACKAGE_OPTS: -oss
          # DO_WAIT: true
          # DO_EXPORT: true
          # TOOL_DEFINITIONS: https://ftfy.mycompany.com/tool-definitions/v1/tool-definitions.yaml.zip

This action exports the latest vulnerability data from an FoD release to the GitHub Code Scanning dashboard. Note that this may require a GitHub Advanced Security subscription, unless you're running this action on a public github.com repository.

This action assumes the standard software packages as provided by GitHub-hosted runners to be available. If you are using self-hosted runners, you may need to install some of these software packages in order to successfully use this action. In particular, not having the following software installed is known to cause issues when running fortify/github-action or one of its sub-actions:

• Node.js
• Visual C++ Redistributable (Windows-based runners only)
• Bash shell
  If using Windows runners, this must be a Windows-based bash variant, for example as provided by MSYS2. You must make sure that this Windows-based bash variant is used for run steps that specify shell: bash. Actions will fail if the GitHub runner executes bash commands on the WSL-provided bash.exe

FOD_URL - REQUIRED
Fortify on Demand URL, for example https://ams.fortify.com

FOD_CLIENT_ID & FOD_CLIENT_SECRET - REQUIRED*
Required when authenticating with an API key: FoD Client ID (API key) and Secret (API secret).

FOD_TENANT, FOD_USER & FOD_PASSWORD - REQUIRED*
Required when authenticating with user credentials: FoD tenant, user and password. It's recommended to use a Personal Access Token instead of an actual user password.

FOD_RELEASE - OPTIONAL
Fortify on Demand release to use with this action. This can be specified either as a numeric release id, <app-name>:<release-name> (for non-microservices applications) or <app-name>:<microservice-name>:<release-name> (for microservices applications). Default value is <github.action_repository>:<github.action_ref>, for example myOrg/myRepo:myBranch.

TOOL_DEFINITIONS - OPTIONAL
Fortify tool definitions are used by this GitHub Action to determine available versions, download location and other details of various Fortify-related tools, as required for action execution. By default, the Fortify-provided tool definitions hosted at https://github.com/fortify/tool-definitions/releases/tag/v1 will be used.

This environment variable allows for overriding the default tool definitions, pointing to either a URL or local (workspace) file. For example, if GitHub workflows are not allowed to download tools from their public internet locations, customers may host the tool installation bundles on an internal server, together with a customized tool definitions bundle that lists the alternative download URLs.

The sample workflow below demonstrates how to configure the action for exporting FoD SAST vulnerability data to the GitHub Security Code Scanning dashboard.

    steps:    
      - name: Export FoD vulnerability data to GitHub
        uses: fortify/github-action/fod-export@v1
        env:
          FOD_URL: https://ams.fortify.com
          FOD_TENANT: ${{secrets.FOD_TENANT}}
          FOD_USER: ${{secrets.FOD_USER}}
          FOD_PASSWORD: ${{secrets.FOD_PAT}}
          # FOD_RELEASE: MyApp:MyRelease
          # TOOL_DEFINITIONS: https://ftfy.mycompany.com/tool-definitions/v1/tool-definitions.yaml.zip

This action performs a SAST scan on ScanCentral SAST, consisting of the following steps:

• Login to ScanCentral SAST Controller
• Package application source code using ScanCentral Client
• Submit the source code package to be scanned to ScanCentral SAST Controller
• Optionally wait for the scan to complete
• Optionally export scan results to the GitHub Code Scanning dashboard

Before running this action, please ensure that the appropriate application version has been created on SSC. Future versions of this action may add support for automating application version creation.

This action assumes the standard software packages as provided by GitHub-hosted runners to be available. If you are using self-hosted runners, you may need to install some of these software packages in order to successfully use this action. In particular, not having the following software installed is known to cause issues when running fortify/github-action or one of its sub-actions:

• Node.js
• Visual C++ Redistributable (Windows-based runners only)
• Bash shell
  If using Windows runners, this must be a Windows-based bash variant, for example as provided by MSYS2. You must make sure that this Windows-based bash variant is used for run steps that specify shell: bash. Actions will fail if the GitHub runner executes bash commands on the WSL-provided bash.exe

SSC_URL - REQUIRED
Fortify Software Security Center URL, for example https://ssc.customer.fortifyhosted.net/

SSC_TOKEN - REQUIRED*
Required when authenticating with an SSC token (recommended). Most actions should work fine with a CIToken.

SSC_USER & SSC_PASSWORD - REQUIRED*
Required when authenticating with SSC user credentials.

SC_SAST_TOKEN - REQUIRED
Required: ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller.

EXTRA_SC_SAST_LOGIN_OPTS - OPTIONAL
Extra ScanCentral SAST login options, for example for disabling SSL checks or changing connection time-outs; see fcli sc-sast session login documentation.

SSC_APPVERSION - OPTIONAL
Fortify SSC application version to use with this action. This can be specified either as a numeric application version id, or by providing application and version name in the format <app-name>:<version-name>. Default value is <github.action_repository>:<github.action_ref>, for example myOrg/myRepo:myBranch.

EXTRA_PACKAGE_OPTS - OPTIONAL
By default, this action runs scancentral package -o package.zip to package application source code. Based on the automated build tool detection feature provided by ScanCentral Client, this default scancentral command is often sufficient. Depending on your build setup, you may however need to configure the EXTRA_PACKAGE_OPTS environment variable to specify additional packaging options.

As an example, if the build file that you want to use for packaging doesn't adhere to common naming conventions, you can configure the -bf <custom build file> option using the EXTRA_PACKAGE_OPTS environment variable. See Command-line options for the package command for more information on available options.

SC_SAST_SENSOR_VERSION - REQUIRED
Version of the ScanCentral SAST sensor on which the scan should be performed. See fcli sc-sast scan start documentation for details.

EXTRA_SC_SAST_SCAN_OPTS - OPTIONAL
Extra ScanCentral SAST scan options; see fcli sc-sast scan start documentation

DO_WAIT - OPTIONAL
By default, this action will not wait until the scan has been completed. To have the workflow wait until the scan has been completed, set the DO_WAIT environment variable to true. Note that DO_WAIT is implied if DO_EXPORT is set to true; see below.

DO_EXPORT - OPTIONAL
If set to true, this action will export scan results to the GitHub Security Code Scanning dashboard. Note that this may require a GitHub Advanced Security subscription, unless you're running this action on a public github.com repository.

TOOL_DEFINITIONS - OPTIONAL
Fortify tool definitions are used by this GitHub Action to determine available versions, download location and other details of various Fortify-related tools, as required for action execution. By default, the Fortify-provided tool definitions hosted at https://github.com/fortify/tool-definitions/releases/tag/v1 will be used.

This environment variable allows for overriding the default tool definitions, pointing to either a URL or local (workspace) file. For example, if GitHub workflows are not allowed to download tools from their public internet locations, customers may host the tool installation bundles on an internal server, together with a customized tool definitions bundle that lists the alternative download URLs.

The sample workflow below demonstrates how to configure the action for running a SAST scan on ScanCentral SAST.

    steps:    
      - name: Check out source code
        uses: actions/checkout@v4  
      - name: Run ScanCentral SAST Scan
        uses: fortify/github-action/sc-sast-scan@v1
        env:
          SSC_URL: ${{secrets.SSC_URL}}
          SSC_TOKEN: ${{secrets.SSC_TOKEN}}
          SC_SAST_TOKEN: ${{secrets.CLIENT_AUTH_TOKEN}}
          # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s
          # SSC_APPVERSION: MyApp:MyVersion
          # EXTRA_PACKAGE_OPTS: -bf custom-pom.xml
          SC_SAST_SENSOR_VERSION: 23.2
          # DO_WAIT: true
          # DO_EXPORT: true
          # TOOL_DEFINITIONS: https://ftfy.mycompany.com/tool-definitions/v1/tool-definitions.yaml.zip

This action exports the latest vulnerability data from an SSC application version to the GitHub Code Scanning dashboard. Note that this may require a GitHub Advanced Security subscription, unless you're running this action on a public github.com repository.

This action assumes the standard software packages as provided by GitHub-hosted runners to be available. If you are using self-hosted runners, you may need to install some of these software packages in order to successfully use this action. In particular, not having the following software installed is known to cause issues when running fortify/github-action or one of its sub-actions:

• Node.js
• Visual C++ Redistributable (Windows-based runners only)
• Bash shell
  If using Windows runners, this must be a Windows-based bash variant, for example as provided by MSYS2. You must make sure that this Windows-based bash variant is used for run steps that specify shell: bash. Actions will fail if the GitHub runner executes bash commands on the WSL-provided bash.exe

SSC_URL - REQUIRED
Fortify Software Security Center URL, for example https://ssc.customer.fortifyhosted.net/

SSC_TOKEN - REQUIRED*
Required when authenticating with an SSC token (recommended). Most actions should work fine with a CIToken.

SSC_USER & SSC_PASSWORD - REQUIRED*
Required when authenticating with SSC user credentials.

SSC_APPVERSION - OPTIONAL
Fortify SSC application version to use with this action. This can be specified either as a numeric application version id, or by providing application and version name in the format <app-name>:<version-name>. Default value is <github.action_repository>:<github.action_ref>, for example myOrg/myRepo:myBranch.

TOOL_DEFINITIONS - OPTIONAL
Fortify tool definitions are used by this GitHub Action to determine available versions, download location and other details of various Fortify-related tools, as required for action execution. By default, the Fortify-provided tool definitions hosted at https://github.com/fortify/tool-definitions/releases/tag/v1 will be used.

This environment variable allows for overriding the default tool definitions, pointing to either a URL or local (workspace) file. For example, if GitHub workflows are not allowed to download tools from their public internet locations, customers may host the tool installation bundles on an internal server, together with a customized tool definitions bundle that lists the alternative download URLs.

The sample workflow below demonstrates how to configure the action for exporting SSC SAST vulnerability data to the GitHub Security Code Scanning dashboard.

    steps:    
      - name: Export SSC vulnerability data to GitHub
        uses: fortify/github-action/ssc-export@v1
        env:
          SSC_URL: ${{secrets.SSC_URL}}
          SSC_TOKEN: ${{secrets.SSC_TOKEN}}
          # SSC_APPVERSION: MyApp:MyVersion
          # TOOL_DEFINITIONS: https://ftfy.mycompany.com/tool-definitions/v1/tool-definitions.yaml.zip

The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

The software is provided "as is" and is not supported through the regular OpenText Support channels. Support requests may be submitted through the GitHub Issues page for this repository. A (free) GitHub account is required to submit new issues or to comment on existing issues.

Support requests created through the GitHub Issues page may include bug reports, enhancement requests and general usage questions. Please avoid creating duplicate issues by checking whether there is any existing issue, either open or closed, that already addresses your question, bug or enhancement request. If an issue already exists, please add a comment to provide additional details if applicable.

Support requests on the GitHub Issues page are handled on a best-effort basis; there is no guaranteed response time, no guarantee that reported bugs will be fixed, and no guarantee that enhancement requests will be implemented. If you require dedicated support for this and other Fortify software, please consider purchasing OpenText Fortify Professional Services. OpenText Fortify Professional Services can assist with general usage questions, integration of the software into your processes, and implementing customizations, bug fixes, and feature requests (subject to feasibility analysis). Please contact your OpenText Sales representative or fill in the Professional Services Contact Form to obtain more information on pricing and the services that OpenText Fortify Professional Services can provide.

This document was auto-generated; do not edit by hand