diff --git a/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml b/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml index 5ede654e..32ad49bb 100644 --- a/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml +++ b/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml @@ -1,11 +1,16 @@ # Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your Azure DevOps pipeline -# The following pipeline variables must be defined before using SAST stage -# - $_FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN -# - $_FCLI_DEFAULT_SSC_USER -# - $_FCLI_DEFAULT_SSC_PASSWORD -# - $_FCLI_DEFAULT_SSC_CI_TOKEN -# - $_FCLI_DEFAULT_SSC_URL -# - $_SSC_APP_VERSION_ID +# The following pipeline variables must be defined before using SAST stage: +# - $SSC_URL +# - $SSC_TOKEN +# - $SC_SAST_TOKEN +# The following pipeline variables are optional and can be defined to enable additional features: +# - $SSC_APPVERSION +# - $AVIATOR_URL +# - $AVIATOR_TOKEN +# - $AVIATOR_APP +# - $DEBRICKED_ACCESS_TOKEN +# For more information on using Fortify ScanCentral SAST in Azure DevOps, see the documentation: +# https://fortify.github.io/fcli/v3/ci/ado/script/ast-workflow-ssc.html trigger: - none 
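Review bot: The new header lists `$SSC_TOKEN`, `$SC_SAST_TOKEN`, `$AVIATOR_TOKEN` and `$DEBRICKED_ACCESS_TOKEN` without saying they must be created as secret pipeline variables (or come from a variable group / Key Vault); a plain variable is readable to anyone who can edit the pipeline and is not masked in logs. Azure DevOps does not expose secret variables to scripts as environment variables unless they are mapped explicitly, which is why the scan step later in this file maps them under `env:` — worth stating here so a user does not "fix" a missing token by making it non-secret. Since the old `$_FCLI_DEFAULT_*` names are dropped, a one-line migration hint would also help existing pipelines, e.g. `# NOTE: the former _FCLI_DEFAULT_* variables are no longer read; rename them to the variables below.` Suggested comment line after the token list: `# Token variables must be defined as secret variables; the scan step maps them into its environment explicitly via env:`.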
@@ -33,33 +38,45 @@ stages: - Build pool: vmImage: 'ubuntu-latest' - container: - image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17 - options: "--add-host=<>:x.x.x.x" - env: - FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN: $(_FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN) - FCLI_DEFAULT_SSC_USER: $(_FCLI_DEFAULT_SSC_USER) - FCLI_DEFAULT_SSC_PASSWORD: $(_FCLI_DEFAULT_SSC_PASSWORD) - FCLI_DEFAULT_SSC_CI_TOKEN: $(_FCLI_DEFAULT_SSC_CI_TOKEN) - FCLI_DEFAULT_SSC_URL: $(_FCLI_DEFAULT_SSC_URL) - SSC_APP_VERSION_ID: $(_SSC_APP_VERSION_ID) - SC_SAST_SENSOR_VERSION: 24.2 steps: - - script: | - echo Setting connection with Fortify Platform - echo $FORTIFY_SSC_IP fortify.cyberxdemo.com >> /etc/hosts - #Use --insecure switch if the SSL certificate is self generated. - fcli ssc session login - fcli sc-sast session login - - scancentral package -bt mvn -o package.zip - fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id - - fcli sc-sast scan wait-for ::Id:: --interval=30s - fcli ssc issue count --appversion=$SSC_APP_VERSION_ID - - echo Terminating connection with Fortify Platform - fcli sc-sast session logout - fcli ssc session logout - displayName: Scan Central Scan - continueOnError: false + - checkout: self + persistCredentials: "true" + clean: "true" + - task: Bash@3 + displayName: 'Install Fortify CLI via @fortify/setup' + inputs: + targetType: 'inline' + script: | + npx @fortify/setup@v2 env init --tools=fcli:bootstrapped + npx @fortify/setup@v2 env ado + - task: Bash@3 + displayName: 'Run ScanCentral SAST CI Scan' + inputs: + targetType: 'inline' + script: | + set -euo pipefail + fcli action run ci + env: + SSC_URL: $(SSC_URL) + SSC_TOKEN: $(SSC_TOKEN) + SC_SAST_TOKEN: $(SC_SAST_TOKEN) + # Uncomment to enable Aviatior AI audit and remediation + #AVIATOR_URL: $(AVIATOR_URL) + #AVIATOR_TOKEN: $(AVIATOR_TOKEN) + #AVIATOR_APP: $(AVIATOR_APP) + # Uncomment to enable Debricked SCA scan + 
#DEBRICKED_ACCESS_TOKEN: $(DEBRICKED_ACCESS_TOKEN) + # SSC_APPVERSION is optional, defaults to /: + #SSC_APPVERSION: "$(SSC_APPVERSION)" + DO_SETUP: true + DO_SAST_SCAN: true + #SAST_WAIT_EXTRA_OPTS: --timeout 2h + #DO_DEBRICKED_SCAN: true + #DO_AVIATOR_AUDIT: true + DO_WAIT: true + DO_APPVERSION_SUMMARY: true + DO_POLICY_CHECK: true + DO_JOB_SUMMARY: true + DO_PR_COMMENT: true + DO_EXPORT: true +
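Review bot: The install step runs `npx @fortify/setup@v2 ...`, which resolves a floating npm tag on every run with no version or integrity pin, so the code that downloads and bootstraps fcli — and then runs with the SSC/ScanCentral tokens mapped into the next step — is whatever the registry serves that day; pin an exact release (`npx @fortify/setup@<exact version>`) and ideally verify it against a lockfile or checksum, matching the discipline the removed container image had with its `5.4.1-jdk-17` tag. That same step also lacks the `set -euo pipefail` the scan step has, so a failed `env init` need not fail the step and `fcli action run ci` may then execute against a partially set-up environment; add `set -euo pipefail` as its first line. Separately, the `DO_*: true` values are YAML booleans that Azure Pipelines stringifies when mapping them into `env:` (in my experience as `True`, whereas `persistCredentials` above is already quoted); quoting them as `"true"` avoids depending on how the `ci` action parses that. The comment `# SSC_APPVERSION is optional, defaults to /:` appears to have lost its placeholders and should spell out the actual default (presumably an `<application>:<version>` derived from the repository and branch — confirm against the fcli docs).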