azure-pipelines-fortify-sast-fod.yml
# Integrate Fortify on Demand Static AppSec Testing (SAST) into your Azure DevOps pipeline.
# The following service connection must be established before using this job
# (it is only needed if you enable the commented-out FortifyOnDemandStatic@8 task;
# the fcli-based steps below authenticate with the FOD_* variables instead):
# - FoD_AMS
#
# The following task parameter must be defined (likewise only for the
# FortifyOnDemandStatic@8 task; the fcli steps take the release from FOD_RELEASE):
# - ReleaseId
#
# The following pipeline variables must be defined for the fcli-based scan step.
# FOD_CLIENT_SECRET must be stored as a secret variable (or in a variable group /
# Key Vault-linked group), never as plaintext, so it is masked in logs; it is
# handed to the scan step only through that step's `env:` block.
# - FOD_URL
# - FOD_CLIENT_ID
# - FOD_CLIENT_SECRET
# - FOD_RELEASE
# - FOD_PARENT_RELEASE
# - FOD_DEFAULT_OWNER
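trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  # persistCredentials leaves the job's OAuth token in the checked-out repo's
  # git config for every later step. Nothing below visibly pushes or fetches
  # with git, so this only widens where the token can leak (packaged sources,
  # logs). NOTE(review): confirm whether the fcli PR-comment feature relies on
  # it; if not, set it to false.
  - checkout: self
    persistCredentials: true
    clean: true

  # Build (and run unit tests) before scanning; a failed build stops the job
  # before any FoD credential is used.
  - task: Maven@3
    inputs:
      mavenPomFile: 'pom.xml'
      publishJUnitResults: true
      testResultsFiles: '**/surefire-reports/TEST-*.xml'
      javaHomeOption: 'JDKVersion'
      jdkVersionOption: '1.11'
      mavenVersionOption: 'Default'
      mavenOptions: '-Xmx3072m'
      mavenAuthenticateFeed: false
      effectivePomSkip: false
      sonarQubeRunAnalysis: false

  # Alternative: the marketplace FortifyOnDemandStatic@8 task instead of the
  # fcli steps below. It needs the FoD_AMS service connection and a real
  # ReleaseId. Leave it commented out when using the fcli steps.
  #- task: FortifyOnDemandStatic@8
  #  inputs:
  #    FortifyProjects: '$(Build.Repository.LocalPath)'
  #    FodConnection: 'FoD_AMS' # create Azure DevOps Service connection with name FoD_AMS
  #    ReleaseOptions: '0'
  #    ReleaseId: 00000 # update FoD RELEASE ID
  #    EntitlementSelection: '1'
  #    EntitlementPreference: '2'
  #    OverrideScanSettings: '2'
  #    InProgressScanActionType: '0'
  #    RemediationScanPreference: '2'
  #    BuildType: 'mvn'
  #    PolicyFailAction: '0'

  # Supply chain: `npx @fortify/setup` without a version resolves whatever is
  # latest on the npm registry at run time, and `fcli:auto,sc-client:auto`
  # resolves the tool versions at run time as well. Pin both (an explicit
  # `@fortify/setup@<version>` and explicit tool versions) so a new or
  # compromised release cannot change what executes here without a reviewed
  # change to this file.
  # `set -euo pipefail` makes a failed bootstrap fail this step instead of
  # letting the scan step run against a half-installed toolchain.
  - task: Bash@3
    displayName: 'Install Fortify CLI via @fortify/setup'
    inputs:
      targetType: 'inline'
      script: |
        set -euo pipefail
        npx @fortify/setup bootstrap-config
        npx @fortify/setup env init --tools=fcli:auto,sc-client:auto
        npx @fortify/setup env ado

  # Runs the fcli "ci" action; every knob is passed through this step's env.
  # The echo prints only the release name -- never echo FOD_CLIENT_SECRET or
  # turn on `set -x` in this script.
  - task: Bash@3
    displayName: 'Run FoD CI Scan'
    inputs:
      targetType: 'inline'
      script: |
        set -euo pipefail
        echo "Running FoD CI Scan for release: ${FOD_RELEASE:-}"
        fcli action run ci
    env:
      # Secret pipeline variables are not exposed to scripts automatically;
      # this explicit mapping is the only way the script sees the secret.
      # FOD_CLIENT_SECRET must be a secret variable (or variable group /
      # Key Vault value) so it is masked in logs and not stored in plaintext.
      FOD_URL: "$(FOD_URL)"
      FOD_CLIENT_ID: "$(FOD_CLIENT_ID)"
      FOD_CLIENT_SECRET: "$(FOD_CLIENT_SECRET)"
      FOD_RELEASE: "$(FOD_RELEASE)"
      COPY_FROM_RELEASE: "$(FOD_PARENT_RELEASE)"
      SAST_ASSESSMENT_TYPE: "Static Assessment"
      # FOD_DEFAULT_OWNER is spliced into an option string that fcli parses;
      # keep it a plain identifier (no quotes or shell metacharacters).
      SETUP_EXTRA_OPTS: '--sdlc-status Development --app-owner "$(FOD_DEFAULT_OWNER)"'
      #PACKAGE_EXTRA_OPTS: ""
      # Feature toggles. Quoted so they reach the script as the literal text
      # "true" regardless of the YAML loader's boolean handling.
      DO_SETUP: "true"
      DO_SAST_SCAN: "true"
      # NOTE(review): Aviator audit and PR comments presumably need the
      # matching FoD entitlement and a PR-triggered build respectively;
      # with only `trigger: main` above, confirm DO_PR_COMMENT has any effect.
      DO_AVIATOR_AUDIT: "true"
      DO_SCA_SCAN: "true"
      DO_WAIT: "true"
      SAST_WAIT_EXTRA_OPTS: "--timeout 2h"
      DO_POLICY_CHECK: "true"
      DO_JOB_SUMMARY: "true"
      DO_PR_COMMENT: "true"
      DO_EXPORT: "true"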