Update FoD pipeline to use "fcli action run ci"

kadraman · kadraman · commit ee7655d9ffa4 · 2026-02-26T16:11:59.000Z
[skip ci]
diff --git a/devops-integrations/azure/azure-pipelines-fortify-sast-fod.yml b/devops-integrations/azure/azure-pipelines-fortify-sast-fod.yml
@@ -4,6 +4,14 @@
 #
 # The following task parameter must be defined 
 #   - ReleaseId
+#
+# The following pipeline variables must be defined:
+#   - FOD_URL
+#   - FOD_CLIENT_ID
+#   - FOD_CLIENT_SECRET
+#   - FOD_RELEASE
+#   - FOD_PARENT_RELEASE
+#   - FOD_DEFAULT_OWNER
 
 trigger:
 - main
@@ -12,6 +20,9 @@ pool:
   vmImage: ubuntu-latest
 
 steps:
+- checkout: self
+  persistCredentials: "true"
+  clean: "true"
 - task: Maven@3
   inputs:
     mavenPomFile: 'pom.xml'
@@ -24,16 +35,51 @@ steps:
     mavenAuthenticateFeed: false
     effectivePomSkip: false
     sonarQubeRunAnalysis: false
-- task: FortifyOnDemandStatic@8
+#- task: FortifyOnDemandStatic@8
+#  inputs:
+#    FortifyProjects: '$(Build.Repository.LocalPath)'
+#    FodConnection: 'FoD_AMS'    # create Azure DevOps Service connection with name FoD_AMS
+#    ReleaseOptions: '0'
+#    ReleaseId: 00000            # update FoD RELEASE ID
+#    EntitlementSelection: '1'
+#    EntitlementPreference: '2'
+#    OverrideScanSettings: '2'
+#    InProgressScanActionType: '0'
+#    RemediationScanPreference: '2'
+#    BuildType: 'mvn'
+#    PolicyFailAction: '0'
+- task: Bash@3
+  displayName: 'Install Fortify CLI via @fortify/setup'
+  inputs:
+    targetType: 'inline'
+    script: |
+      npx @fortify/setup bootstrap-config
+      npx @fortify/setup env init --tools=fcli:auto,sc-client:auto
+      npx @fortify/setup env ado
+- task: Bash@3
+  displayName: 'Run FoD CI Scan'
   inputs:
-    FortifyProjects: '$(Build.Repository.LocalPath)'
-    FodConnection: 'FoD_AMS'    # create Azure DevOps Service connection with name FoD_AMS
-    ReleaseOptions: '0'
-    ReleaseId: 00000            # update FoD RELEASE ID
-    EntitlementSelection: '1'
-    EntitlementPreference: '2'
-    OverrideScanSettings: '2'
-    InProgressScanActionType: '0'
-    RemediationScanPreference: '2'
-    BuildType: 'mvn'
-    PolicyFailAction: '0'
+    targetType: 'inline'
+    script: |
+      set -euo pipefail
+      echo "Running FoD CI Scan for release: ${FOD_RELEASE:-}"
+      fcli action run ci
+  env:
+    FOD_URL: $(FOD_URL)
+    FOD_CLIENT_ID: $(FOD_CLIENT_ID)
+    FOD_CLIENT_SECRET: $(FOD_CLIENT_SECRET)
+    FOD_RELEASE: "$(FOD_RELEASE)"
+    COPY_FROM_RELEASE: "$(FOD_PARENT_RELEASE)"
+    SAST_ASSESSMENT_TYPE: "Static Assessment"
+    SETUP_EXTRA_OPTS: '--sdlc-status Development --app-owner "$(FOD_DEFAULT_OWNER)"'
+    #PACKAGE_EXTRA_OPTS: ""
+    DO_SETUP: true
+    DO_SAST_SCAN: true
+    DO_AVIATOR_AUDIT: true
+    DO_SCA_SCAN: true
+    DO_WAIT: true
+    SAST_WAIT_EXTRA_OPTS: --timeout 2h
+    DO_POLICY_CHECK: true
+    DO_JOB_SUMMARY: true
+    DO_PR_COMMENT: true
+    DO_EXPORT: true
