Merge branch 'main' into fortify-action-update

rsenden · web-flow · commit fd30e613aeab · 2026-03-20T11:40:34.000+01:00
diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml
@@ -52,5 +52,3 @@ jobs:
           DO_SCA_SCAN: true
           DO_AVIATOR_AUDIT: true
           COPY_FROM_RELEASE: "${{ github.repository }}:${{ github.event.repository.default_branch }}"
-          #DO_PR_COMMENT: true
-          #DO_POLICY_CHECK: true
diff --git a/devops-integrations/azure/azure-pipelines-fortify-sast-fod.yml b/devops-integrations/azure/azure-pipelines-fortify-sast-fod.yml
@@ -1,39 +1,80 @@
-# Integrate Fortify on Demand Static AppSec Testing (SAST) into your Azure DevOps  pipeline
-# The following service connection must be establish before using this job
-#   - FoD_AMS
-#
-# The following task parameter must be defined 
-#   - ReleaseId
+# Integrate Fortify on Demand Static AppSec Testing (SAST) into your Azure DevOps pipeline
+# The following pipeline variables must be defined before using SAST stage:
+#   - $FOD_URL
+#   - $FOD_CLIENT_ID
+#   - $FOD_CLIENT_SECRET
+# The following pipeline variables are optional and can be defined to enable additional features:
+#   - $FOD_RELEASE
+#   - $FOD_PARENT_RELEASE
+#   - $FOD_DEFAULT_OWNER
+# For more information on using Fortify on Demand SAST in Azure DevOps, see the documentation: 
+# https://fortify.github.io/fcli/v3/ci/ado/script/ast-workflow-fod.html
 
-trigger:
-- main
-
-pool:
-  vmImage: ubuntu-latest
 
-steps:
-- task: Maven@3
-  inputs:
-    mavenPomFile: 'pom.xml'
-    publishJUnitResults: true
-    testResultsFiles: '**/surefire-reports/TEST-*.xml'
-    javaHomeOption: 'JDKVersion'
-    jdkVersionOption: '1.11'
-    mavenVersionOption: 'Default'
-    mavenOptions: '-Xmx3072m'
-    mavenAuthenticateFeed: false
-    effectivePomSkip: false
-    sonarQubeRunAnalysis: false
-- task: FortifyOnDemandStatic@8
-  inputs:
-    FortifyProjects: '$(Build.Repository.LocalPath)'
-    FodConnection: 'FoD_AMS'    # create Azure DevOps Service connection with name FoD_AMS
-    ReleaseOptions: '0'
-    ReleaseId: 00000            # update FoD RELEASE ID
-    EntitlementSelection: '1'
-    EntitlementPreference: '2'
-    OverrideScanSettings: '2'
-    InProgressScanActionType: '0'
-    RemediationScanPreference: '2'
-    BuildType: 'mvn'
-    PolicyFailAction: '0'
+trigger:
+- none
+stages:
+- stage: Build
+  jobs:
+    - job: Build
+      displayName: Building IWA Project
+      pool:
+        vmImage: ubuntu-latest
+      steps:
+      - task: Maven@3
+        inputs:
+          mavenPomFile: 'pom.xml'
+          mavenOptions: '-Xmx3072m'
+          javaHomeOption: 'JDKVersion'
+          jdkVersionOption: '1.17'
+          jdkArchitectureOption: 'x64'
+          publishJUnitResults: true
+          testResultsFiles: '**/surefire-reports/TEST-*.xml'
+          goals: 'package'
+    - job: SAST
+      displayName: Fortify SAST
+      dependsOn:
+       - Build
+      pool:
+       vmImage: 'ubuntu-latest'
+      steps:
+        - checkout: self
+          persistCredentials: "true"
+          clean: "true"
+        - task: Bash@3
+          displayName: 'Install Fortify CLI via @fortify/setup'
+          inputs:
+            targetType: 'inline'
+            script: |
+              npx @fortify/setup@v2 env init --tools=fcli:bootstrapped
+              npx @fortify/setup@v2 env ado
+        - task: Bash@3
+          displayName: 'Run Fortify on Demand SAST CI Scan'
+          inputs:
+            targetType: 'inline'
+            script: |
+              set -euo pipefail
+              fcli action run ci
+          env:
+            FOD_URL: $(FOD_URL)
+            FOD_CLIENT_ID: $(FOD_CLIENT_ID)
+            FOD_CLIENT_SECRET: $(FOD_CLIENT_SECRET)
+            # FOD_RELEASE is optional, defaults to <org>/<repo>:<branch>
+            #FOD_RELEASE: "$(FOD_RELEASE)"
+            # Uncomment the following line to copy from an existing release
+            #COPY_FROM_RELEASE: "$(FOD_PARENT_RELEASE)"
+            # Uncomment to set the default Static Assessment type when a new release is created
+            #SAST_ASSESSMENT_TYPE: "Static Assessment"
+            # Example of setting extra options for when creating a new release
+            #SETUP_EXTRA_OPTS: '--sdlc-status Development --app-owner "$(FOD_DEFAULT_OWNER)"'
+            DO_SETUP: true
+            DO_SAST_SCAN: true
+            # Uncomment to enable Aviator AI audit and remedation
+            #DO_AVIATOR_AUDIT: true
+            #SAST_WAIT_EXTRA_OPTS: --timeout 2h
+            DO_SCA_SCAN: true
+            DO_WAIT: true
+            DO_POLICY_CHECK: true
+            DO_JOB_SUMMARY: true
+            DO_PR_COMMENT: true
+            DO_EXPORT: true
diff --git a/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml b/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml
@@ -1,11 +1,16 @@
 # Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your Azure DevOps pipeline
-# The following pipeline variables must be defined before using SAST stage
-#   - $_FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN
-#   - $_FCLI_DEFAULT_SSC_USER
-#   - $_FCLI_DEFAULT_SSC_PASSWORD
-#   - $_FCLI_DEFAULT_SSC_CI_TOKEN
-#   - $_FCLI_DEFAULT_SSC_URL
-#   - $_SSC_APP_VERSION_ID
+# The following pipeline variables must be defined before using SAST stage:
+#   - $SSC_URL
+#   - $SSC_TOKEN
+#   - $SC_SAST_TOKEN
+# The following pipeline variables are optional and can be defined to enable additional features:
+#   - $SSC_APPVERSION
+#   - $AVIATOR_URL
+#   - $AVIATOR_TOKEN
+#   - $AVIATOR_APP
+#   - $DEBRICKED_ACCESS_TOKEN
+# For more information on using Fortify ScanCentral SAST in Azure DevOps, see the documentation: 
+# https://fortify.github.io/fcli/v3/ci/ado/script/ast-workflow-ssc.html
 
 trigger:
 - none
@@ -33,33 +38,45 @@ stages:
        - Build
       pool:
        vmImage: 'ubuntu-latest'
-      container:
-        image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17
-        options: "--add-host=<<SSC_FQDN_NAME>>:x.x.x.x"
-        env:
-          FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN: $(_FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN)
-          FCLI_DEFAULT_SSC_USER: $(_FCLI_DEFAULT_SSC_USER)
-          FCLI_DEFAULT_SSC_PASSWORD: $(_FCLI_DEFAULT_SSC_PASSWORD)
-          FCLI_DEFAULT_SSC_CI_TOKEN: $(_FCLI_DEFAULT_SSC_CI_TOKEN)
-          FCLI_DEFAULT_SSC_URL: $(_FCLI_DEFAULT_SSC_URL)
-          SSC_APP_VERSION_ID: $(_SSC_APP_VERSION_ID)
-          SC_SAST_SENSOR_VERSION: 24.2
       steps:
-      - script: |
-          echo Setting connection with Fortify Platform
-          echo $FORTIFY_SSC_IP fortify.cyberxdemo.com >> /etc/hosts
-          #Use --insecure switch if the SSL certificate is self generated.
-          fcli ssc session login
-          fcli sc-sast session login
-          
-          scancentral package -bt mvn -o package.zip
-          fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id
-
-          fcli sc-sast scan wait-for ::Id:: --interval=30s
-          fcli ssc issue count --appversion=$SSC_APP_VERSION_ID
-
-          echo Terminating connection with Fortify Platform
-          fcli sc-sast session logout
-          fcli ssc session logout  
-        displayName: Scan Central Scan
-        continueOnError: false
+        - checkout: self
+          persistCredentials: "true"
+          clean: "true"
+        - task: Bash@3
+          displayName: 'Install Fortify CLI via @fortify/setup'
+          inputs:
+            targetType: 'inline'
+            script: |
+              npx @fortify/setup@v2 env init --tools=fcli:bootstrapped
+              npx @fortify/setup@v2 env ado
+        - task: Bash@3
+          displayName: 'Run ScanCentral SAST CI Scan'
+          inputs:
+            targetType: 'inline'
+            script: |
+              set -euo pipefail
+              fcli action run ci
+          env:
+            SSC_URL: $(SSC_URL)
+            SSC_TOKEN: $(SSC_TOKEN)
+            SC_SAST_TOKEN: $(SC_SAST_TOKEN)
+            # Uncomment to enable Aviatior AI audit and remediation
+            #AVIATOR_URL: $(AVIATOR_URL)
+            #AVIATOR_TOKEN: $(AVIATOR_TOKEN)
+            #AVIATOR_APP: $(AVIATOR_APP)
+            # Uncomment to enable Debricked SCA scan
+            #DEBRICKED_ACCESS_TOKEN: $(DEBRICKED_ACCESS_TOKEN)
+            # SSC_APPVERSION is optional, defaults to <org>/<repo>:<branch>
+            #SSC_APPVERSION: "$(SSC_APPVERSION)"
+            DO_SETUP: true
+            DO_SAST_SCAN: true
+            #SAST_WAIT_EXTRA_OPTS: --timeout 2h
+            #DO_DEBRICKED_SCAN: true
+            #DO_AVIATOR_AUDIT: true
+            DO_WAIT: true
+            DO_APPVERSION_SUMMARY: true
+            DO_POLICY_CHECK: true
+            DO_JOB_SUMMARY: true
+            DO_PR_COMMENT: true
+            DO_EXPORT: true
+    
