Skip to content

Add Fortify AST Scan workflow #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
xerudro wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add Fortify AST Scan workflow #9

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
129 changes: 129 additions & 0 deletions .github/workflows/fortify.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

################################################################################################################################################
# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your #
# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. #
# #
# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template #
# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security #
# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product #
# documentation. If you need additional assistance, please contact Fortify support. #
################################################################################################################################################

name: Fortify AST Scan

# Customize trigger events based on your DevSecOps process and/or policy
on:
push:
branches: [ "main" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main" ]
schedule:
- cron: '27 22 * * 1'
workflow_dispatch:

jobs:
Fortify-AST-Scan:
# Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc).
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
# pull-requests: write # Required if DO_PR_COMMENT is set to true

steps:
# Check out source code
- name: Check Out Source Code
uses: actions/checkout@v4

# Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on
# configuration, the Fortify GitHub Action can optionally set up the application version/release, generate
# job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard.
# The Fortify GitHub Action provides many customization capabilities, but in case further customization is
# required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
# and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action
# documentation at https://github.com/fortify/github-action#readme for more information on the various
# configuration options and available sub-actions.
- name: Run Fortify Scan
# Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example
# uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases
# are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability
# required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version
# of this action, allowing your workflows to automatically benefit from any new features and bug fixes.
uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297
with:
sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run
debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan
# is disabled). For SSC, run a Debricked scan and import results into SSC.
env:
#############################################################
##### Fortify on Demand configuration
##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below)
### Required configuration
FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret
FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required;
FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets.
FOD_PASSWORD: ${{secrets.FOD_PAT}}
# FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}}
# FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}}
### Optional configuration
# FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
# FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>
# DO_SETUP: true # Setup FoD application, release & static scan configuration
# SETUP_ACTION: <URL or file> # Customize setup action
# Pass extra options to setup action:
Comment on lines +64 to +79

Copilot AI Oct 30, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both Fortify on Demand and SSC/ScanCentral configurations are active simultaneously (lines 68-96 and 102-129). This creates ambiguity about which service is being used and may cause conflicts. The workflow should enable only one integration at a time - either comment out the FoD section (lines 64-96) or the SSC section (lines 98-129) based on which service is actually being used.

Suggested change
#############################################################
##### Fortify on Demand configuration
##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below)
### Required configuration
FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret
FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required;
FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets.
FOD_PASSWORD: ${{secrets.FOD_PAT}}
# FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}}
# FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}}
### Optional configuration
# FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
# FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>
# DO_SETUP: true # Setup FoD application, release & static scan configuration
# SETUP_ACTION: <URL or file> # Customize setup action
# Pass extra options to setup action:
# #############################################################
# ##### Fortify on Demand configuration
# ##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below)
# ### Required configuration
# FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret
# FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required;
# FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets.
# FOD_PASSWORD: ${{secrets.FOD_PAT}}
# FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}}
# FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}}
# ### Optional configuration
# FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
# FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>
# DO_SETUP: true # Setup FoD application, release & static scan configuration
# SETUP_ACTION: <URL or file> # Customize setup action
# # Pass extra options to setup action:

Copilot uses AI. Check for mistakes.
# SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}"
# PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options
# FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
# DO_JOB_SUMMARY: true # Generate workflow job summary
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
# EXPORT_ACTION: <URL or file> # Customize export action
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions

#############################################################
##### Fortify Hosted / Software Security Center & ScanCentral
##### Remove this section if you're integrating with Fortify on Demand (see above)
### Required configuration
SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret
SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets
SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled
DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled
SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled
### Optional configuration
# SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options
# SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
# SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: <org>/<repo>:<branch>
# DO_SETUP: true # Set up SSC application & version
# SETUP_ACTION: <URL or file> # Customize setup action
# SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action
# PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options
# EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
# DO_JOB_SUMMARY: true # Generate workflow job summary
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
# EXPORT_ACTION: <URL or file> # Customize export action
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions
Comment on lines +98 to +129

Copilot AI Oct 30, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both Fortify on Demand and SSC/ScanCentral configurations are active simultaneously (lines 68-96 and 102-129). This creates ambiguity about which service is being used and may cause conflicts. The workflow should enable only one integration at a time - either comment out the FoD section (lines 64-96) or the SSC section (lines 98-129) based on which service is actually being used.

Suggested change
#############################################################
##### Fortify Hosted / Software Security Center & ScanCentral
##### Remove this section if you're integrating with Fortify on Demand (see above)
### Required configuration
SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret
SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets
SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled
DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled
SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled
### Optional configuration
# SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options
# SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
# SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: <org>/<repo>:<branch>
# DO_SETUP: true # Set up SSC application & version
# SETUP_ACTION: <URL or file> # Customize setup action
# SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action
# PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options
# EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
# DO_JOB_SUMMARY: true # Generate workflow job summary
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
# EXPORT_ACTION: <URL or file> # Customize export action
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions
# #############################################################
# ##### Fortify Hosted / Software Security Center & ScanCentral
# ##### Remove this section if you're integrating with Fortify on Demand (see above)
# ### Required configuration
# SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret
# SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets
# SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled
# DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled
# SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled
# ### Optional configuration
# # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options
# # SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
# # SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: <org>/<repo>:<branch>
# # DO_SETUP: true # Set up SSC application & version
# # SETUP_ACTION: <URL or file> # Customize setup action
# # SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action
# # PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options
# # EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options
# # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
# # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
# # POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
# # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
# # DO_JOB_SUMMARY: true # Generate workflow job summary
# # JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
# # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
# # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
# # PR_COMMENT_ACTION: <URL or file> # Customize PR comments
# # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
# # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
# # EXPORT_ACTION: <URL or file> # Customize export action
# # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
# # TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions

Copilot uses AI. Check for mistakes.
Comment on lines +64 to +129

@coderabbitai coderabbitai Bot Oct 30, 2025

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Resolve redundant FoD and SSC configuration sections.

Both Fortify on Demand (FoD) and Software Security Center (SSC/ScanCentral) configurations are active simultaneously. The comments on lines 66 and 100 indicate that one section should be removed based on your deployment model, but both are present with environment variables defined. This could cause the Fortify action to receive conflicting configuration.

Clarify which Fortify deployment you're using and remove or properly comment out the unused section.

🏁 Script executed:

#!/bin/bash
# Verify the fortify.yml file content and structure
if [ -f ".github/workflows/fortify.yml" ]; then
  echo "=== File exists, checking lines 60-135 ==="
  sed -n '60,135p' .github/workflows/fortify.yml | cat -n
  echo ""
  echo "=== Checking for conditional logic (if/when statements) ==="
  grep -n "if:\|when:" .github/workflows/fortify.yml
  echo ""
  echo "=== Checking for FOD and SSC environment variable sections ==="
  grep -n "FOD_URL\|SSC_URL\|DEBRICKED_TOKEN\|SC_SAST_TOKEN" .github/workflows/fortify.yml | head -20
else
  echo "File .github/workflows/fortify.yml not found"
fi

Length of output: 7807


---

🌐 Web query:

```web
Fortify GitHub action behavior when both FoD and SSC configurations are present

💡 Result:

Short answer: The top-level fortify/github-action selects the scan workflow based on which product-specific inputs/environment variables are present; it does not run both simultaneously. If both FoD and SSC credentials/URLs are set the action’s internal selection logic decides which sub-action to invoke (so configuration ambiguity can cause unexpected results). To avoid that, either (a) call the product-specific sub-action you want (fortify/.../fod-sast-scan or .../sc-sast-scan) or remove/clear the unused product env vars so only the intended provider is configured. [1][2]

References

  • Fortify GitHub Action README (describes FoD vs SSC workflows and lists fod-sast-scan and sc-sast-scan sub-actions). [1]
  • fcli / action docs (shows product-specific actions and how CI is configured via env vars). [2]

Links: [1] fortify/github-action repository README and sub-actions. [2] fcli action documentation.

Remove or comment out one of the Fortify configuration sections to resolve configuration ambiguity.

The workflow currently defines both Fortify on Demand (FoD) environment variables (FOD_URL, FOD_TENANT, FOD_USER, FOD_PASSWORD) and Fortify Hosted/SSC variables (SSC_URL, SSC_TOKEN, SC_SAST_TOKEN, DEBRICKED_TOKEN) simultaneously. The Fortify GitHub action uses internal selection logic to determine which provider to use when both configurations are present, which can cause unexpected behavior and unpredictable results.

Keep only the configuration for your intended Fortify deployment: either disable/comment out the FoD section (lines 66–96) or the SSC section (lines 100–129), or use a product-specific sub-action (fortify/.../fod-sast-scan or .../sc-sast-scan) instead.

🤖 Prompt for AI Agents 
.github/workflows/fortify.yml around lines 64-129: the workflow defines both
Fortify on Demand (FoD) and Fortify Hosted/SSC environment variables, causing
provider selection ambiguity; fix by removing or commenting out the unused
section (either the FoD block lines ~66–96 or the SSC block lines ~100–129) or
switch to a product-specific sub-action (e.g., fortify/.../fod-sast-scan or
fortify/.../sc-sast-scan) so only the intended Fortify configuration is present.