Add Fortify Application Security Testing workflow #556
Conversation
This workflow integrates Fortify Application Security Testing into GitHub workflows, enabling SAST and SCA scans.
🦋 Changeset detectedLatest commit: 3978f6a The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
There was a problem hiding this comment.
Pull request overview
This pull request adds a GitHub Actions workflow for Fortify Application Security Testing, enabling automated SAST (Static Application Security Testing) and SCA (Software Composition Analysis) scans. The workflow is triggered on pushes to main, pull requests, weekly scheduled runs, and manual dispatches.
Changes:
- Adds comprehensive Fortify AST scanning workflow with support for both Fortify on Demand and Software Security Center configurations
- Configures security-events permissions for GitHub code scanning integration
- Includes extensive configuration options for customizing scan behavior, policy checks, and reporting
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ##### Fortify Hosted / Software Security Center & ScanCentral | ||
| ##### Remove this section if you're integrating with Fortify on Demand (see above) | ||
| ### Required configuration | ||
| SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret |
There was a problem hiding this comment.
The SSC_URL is configured using vars.SSC_URL (GitHub variable) while the FOD_URL is hardcoded. This inconsistency in configuration approach could cause confusion. For consistency and flexibility, either both should use hardcoded values or both should use GitHub variables, depending on the organization's security and deployment practices.
| SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret | |
| SSC_URL: https://ssc.example.com # Must be hardcoded or configured through GitHub variable, not secret |
| # SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: <org>/<repo>:<branch> | ||
| # DO_SETUP: true # Set up SSC application & version | ||
| # SETUP_ACTION: <URL or file> # Customize setup action | ||
| # SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action | ||
| # PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options | ||
| # EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options | ||
| # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled) | ||
| # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL | ||
| # POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks | ||
| # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action | ||
| # DO_JOB_SUMMARY: true # Generate workflow job summary | ||
| # JOB_SUMMARY_ACTION: <URL or file> # Customize job summary | ||
| # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action | ||
| # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers | ||
| # PR_COMMENT_ACTION: <URL or file> # Customize PR comments | ||
| # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action | ||
| # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard | ||
| # EXPORT_ACTION: <URL or file> # Customize export action | ||
| # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action | ||
| # TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions |
There was a problem hiding this comment.
The workflow configures both Fortify on Demand (FOD) and Software Security Center (SSC) authentication environments simultaneously. This creates ambiguity about which platform will be used and could lead to authentication conflicts or unintended behavior. According to the comments, only one of these sections should be configured - either lines 64-96 (FOD) or lines 98-129 (SSC) should be removed or properly conditionalized.
| # SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: <org>/<repo>:<branch> | |
| # DO_SETUP: true # Set up SSC application & version | |
| # SETUP_ACTION: <URL or file> # Customize setup action | |
| # SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action | |
| # PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options | |
| # EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options | |
| # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled) | |
| # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL | |
| # POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks | |
| # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action | |
| # DO_JOB_SUMMARY: true # Generate workflow job summary | |
| # JOB_SUMMARY_ACTION: <URL or file> # Customize job summary | |
| # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action | |
| # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers | |
| # PR_COMMENT_ACTION: <URL or file> # Customize PR comments | |
| # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action | |
| # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard | |
| # EXPORT_ACTION: <URL or file> # Customize export action | |
| # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action | |
| # TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions | |
| # Note: This workflow is configured and documented for a single Fortify platform. | |
| # If you need Software Security Center (SSC) setup guidance, please refer to the | |
| # official Fortify documentation or a dedicated SSC-specific workflow template. |
|
@copilot open a new pull request to apply changes based on the comments in this thread |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
Merge |
2 participants
This workflow integrates Fortify Application Security Testing into GitHub workflows, enabling SAST and SCA scans.