
Update SSC pipeline to use "fcli action run ci" #55

Open
kadraman wants to merge 1 commit into main from azure-pipelines-ssc-update

Conversation

@kadraman
Collaborator

No description provided.

Copilot AI review requested due to automatic review settings February 26, 2026 16:29
@kadraman kadraman requested a review from rsenden February 26, 2026 16:30
@kadraman kadraman changed the title Update FoD pipeline to use "fcli action run ci" Update SSC pipeline to use "fcli action run ci" Feb 26, 2026

Copilot AI left a comment


Pull request overview

This PR modernizes the Azure DevOps pipeline for Fortify ScanCentral SAST by migrating from manual fcli command execution to a higher-level action-based approach using fcli action run ci. The update replaces the Docker container-based setup with dynamic tool installation via @fortify/setup and simplifies the scanning workflow.

Changes:

  • Replaced manual fcli session management and scan commands with fcli action run ci command
  • Updated environment variables from FCLI_DEFAULT_* pattern to simplified SSC_*, SC_SAST_TOKEN, and feature-specific variables
  • Introduced @fortify/setup for dynamic installation of fcli and sc-client tools instead of using pre-built Docker container
  • Added comprehensive DO_* flags for controlling scan behavior (setup, wait, summary, policy check, job summary, PR comment, export)
  • Commented out the old implementation for reference


@@ -1,11 +1,14 @@
# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your Azure DevOps pipeline

Copilot AI Feb 26, 2026


The PR title mentions "Update FoD pipeline" but this file is for ScanCentral SAST (fortify-sast-scancentral.yml), not Fortify on Demand (FoD). The title should be updated to accurately reflect that this is updating the ScanCentral SAST pipeline, not the FoD pipeline.

Comment on lines +85 to +110
# FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN: $(_FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN)
# FCLI_DEFAULT_SSC_USER: $(_FCLI_DEFAULT_SSC_USER)
# FCLI_DEFAULT_SSC_PASSWORD: $(_FCLI_DEFAULT_SSC_PASSWORD)
# FCLI_DEFAULT_SSC_CI_TOKEN: $(_FCLI_DEFAULT_SSC_CI_TOKEN)
# FCLI_DEFAULT_SSC_URL: $(_FCLI_DEFAULT_SSC_URL)
# SSC_APP_VERSION_ID: $(_SSC_APP_VERSION_ID)
# SC_SAST_SENSOR_VERSION: 24.2
# steps:
# - script: |
# echo Setting connection with Fortify Platform
# echo $FORTIFY_SSC_IP fortify.cyberxdemo.com >> /etc/hosts
# #Use --insecure switch if the SSL certificate is self generated.
# fcli ssc session login
# fcli sc-sast session login
#
# scancentral package -bt mvn -o package.zip
# fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id
#
# fcli sc-sast scan wait-for ::Id:: --interval=30s
# fcli ssc issue count --appversion=$SSC_APP_VERSION_ID
#
# echo Terminating connection with Fortify Platform
# fcli sc-sast session logout
# fcli ssc session logout
# displayName: Scan Central Scan
# continueOnError: false
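Review bot: the commented-out legacy block (from `# FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN:` through `# continueOnError: false`) is better deleted than kept "for reference", because it preserves three things a reader may copy back in: the hint `#Use --insecure switch if the SSL certificate is self generated.` (which disables TLS verification towards SSC; the supported route is to add the self-signed CA to the agent's trust store), the `echo $FORTIFY_SSC_IP fortify.cyberxdemo.com >> /etc/hosts` line (which needs root on the agent and hard-codes a demo hostname), and two SSC authentication methods at once (`FCLI_DEFAULT_SSC_USER`/`FCLI_DEFAULT_SSC_PASSWORD` alongside `FCLI_DEFAULT_SSC_CI_TOKEN`, of which the CI token alone is sufficient and preferable for a pipeline). Git history already records the old implementation; if the block must stay, at least drop the `--insecure` hint and the password variables.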

Copilot AI Feb 26, 2026


The commented-out code block has incorrect indentation. The lines starting from line 81 should maintain the same indentation level as the active SAST job steps above (lines 39-80). This is important for readability and in case someone needs to uncomment this code in the future. The container configuration should be at the same indentation level as "steps" (line 39), and the nested elements should follow proper YAML indentation.

Suggested change
# FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN: $(_FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN)
# FCLI_DEFAULT_SSC_USER: $(_FCLI_DEFAULT_SSC_USER)
# FCLI_DEFAULT_SSC_PASSWORD: $(_FCLI_DEFAULT_SSC_PASSWORD)
# FCLI_DEFAULT_SSC_CI_TOKEN: $(_FCLI_DEFAULT_SSC_CI_TOKEN)
# FCLI_DEFAULT_SSC_URL: $(_FCLI_DEFAULT_SSC_URL)
# SSC_APP_VERSION_ID: $(_SSC_APP_VERSION_ID)
# SC_SAST_SENSOR_VERSION: 24.2
# steps:
# - script: |
# echo Setting connection with Fortify Platform
# echo $FORTIFY_SSC_IP fortify.cyberxdemo.com >> /etc/hosts
# #Use --insecure switch if the SSL certificate is self generated.
# fcli ssc session login
# fcli sc-sast session login
#
# scancentral package -bt mvn -o package.zip
# fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id
#
# fcli sc-sast scan wait-for ::Id:: --interval=30s
# fcli ssc issue count --appversion=$SSC_APP_VERSION_ID
#
# echo Terminating connection with Fortify Platform
# fcli sc-sast session logout
# fcli ssc session logout
# displayName: Scan Central Scan
# continueOnError: false
# FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN: $(_FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN)
# FCLI_DEFAULT_SSC_USER: $(_FCLI_DEFAULT_SSC_USER)
# FCLI_DEFAULT_SSC_PASSWORD: $(_FCLI_DEFAULT_SSC_PASSWORD)
# FCLI_DEFAULT_SSC_CI_TOKEN: $(_FCLI_DEFAULT_SSC_CI_TOKEN)
# FCLI_DEFAULT_SSC_URL: $(_FCLI_DEFAULT_SSC_URL)
# SSC_APP_VERSION_ID: $(_SSC_APP_VERSION_ID)
# SC_SAST_SENSOR_VERSION: 24.2
# steps:
# - script: |
# echo Setting connection with Fortify Platform
# echo $FORTIFY_SSC_IP fortify.cyberxdemo.com >> /etc/hosts
# #Use --insecure switch if the SSL certificate is self generated.
# fcli ssc session login
# fcli sc-sast session login
#
# scancentral package -bt mvn -o package.zip
# fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id
#
# fcli sc-sast scan wait-for ::Id:: --interval=30s
# fcli ssc issue count --appversion=$SSC_APP_VERSION_ID
#
# echo Terminating connection with Fortify Platform
# fcli sc-sast session logout
# fcli ssc session logout
# displayName: Scan Central Scan
# continueOnError: false

Comment on lines +3 to +11
# - $SSC_URL
# - $SSC_TOKEN
# - $SC_SAST_TOKEN
# - $AVIATOR_URL
# - $AVIATOR_TOKEN
# - $AVIATOR_APP
# - $SC_CLIENT_VERSION
# - $SSC_APPVERSION
# - $SSC_PARENT_APPVERSION
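Review bot: the variable list does not distinguish secrets from plain settings, and three of the nine entries (`$SSC_TOKEN`, `$SC_SAST_TOKEN`, `$AVIATOR_TOKEN`) are credentials. The README should state that these must be defined as secret pipeline variables and, since Azure DevOps does not expose secret variables to scripts as environment variables automatically, that they have to be mapped explicitly with `env:` on the step that runs `fcli action run ci`; the remaining entries (`$SSC_URL`, `$AVIATOR_URL`, `$AVIATOR_APP`, `$SC_CLIENT_VERSION`, `$SSC_APPVERSION`, `$SSC_PARENT_APPVERSION`) can be documented as ordinary variables. It would also help to say that `$SSC_TOKEN` is expected to be an SSC token (as the previous `FCLI_DEFAULT_SSC_CI_TOKEN` variable was) rather than a user password.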

Copilot AI Feb 26, 2026


The documentation lists AVIATOR_URL, AVIATOR_TOKEN, and AVIATOR_APP as required pipeline variables, but in the actual implementation, DO_AVIATOR_AUDIT is commented out (line 74), suggesting these variables may be optional. The documentation should clarify which variables are required for basic functionality and which are optional for advanced features like Aviator audits. Consider adding comments indicating optional variables or grouping them separately.

