From 801678330121c54ed85b699ec907698bb446798d Mon Sep 17 00:00:00 2001 From: "Kevin A. Lee" <4321872+kadraman@users.noreply.github.com> Date: Thu, 26 Feb 2026 16:29:12 +0000 Subject: [PATCH 1/3] Update FoD pipeline to use "fcli action run ci" [skip ci] --- ...ure-pipelines-fortify-sast-scancentral.yml | 115 ++++++++++++------ 1 file changed, 80 insertions(+), 35 deletions(-) diff --git a/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml b/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml index 5ede654e..cc96d593 100644 --- a/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml +++ b/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml @@ -1,11 +1,14 @@ # Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your Azure DevOps pipeline # The following pipeline variables must be defined before using SAST stage -# - $_FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN -# - $_FCLI_DEFAULT_SSC_USER -# - $_FCLI_DEFAULT_SSC_PASSWORD -# - $_FCLI_DEFAULT_SSC_CI_TOKEN -# - $_FCLI_DEFAULT_SSC_URL -# - $_SSC_APP_VERSION_ID +# - $SSC_URL +# - $SSC_TOKEN +# - $SC_SAST_TOKEN +# - $AVIATOR_URL +# - $AVIATOR_TOKEN +# - $AVIATOR_APP +# - $SC_CLIENT_VERSION +# - $SSC_APPVERSION +# - $SSC_PARENT_APPVERSION trigger: - none 
@@ -33,33 +36,75 @@ stages: - Build pool: vmImage: 'ubuntu-latest' - container: - image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17 - options: "--add-host=<>:x.x.x.x" - env: - FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN: $(_FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN) - FCLI_DEFAULT_SSC_USER: $(_FCLI_DEFAULT_SSC_USER) - FCLI_DEFAULT_SSC_PASSWORD: $(_FCLI_DEFAULT_SSC_PASSWORD) - FCLI_DEFAULT_SSC_CI_TOKEN: $(_FCLI_DEFAULT_SSC_CI_TOKEN) - FCLI_DEFAULT_SSC_URL: $(_FCLI_DEFAULT_SSC_URL) - SSC_APP_VERSION_ID: $(_SSC_APP_VERSION_ID) - SC_SAST_SENSOR_VERSION: 24.2 steps: - - script: | - echo Setting connection with Fortify Platform - echo $FORTIFY_SSC_IP fortify.cyberxdemo.com >> /etc/hosts - #Use --insecure switch if the SSL certificate is self generated. - fcli ssc session login - fcli sc-sast session login - - scancentral package -bt mvn -o package.zip - fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id - - fcli sc-sast scan wait-for ::Id:: --interval=30s - fcli ssc issue count --appversion=$SSC_APP_VERSION_ID - - echo Terminating connection with Fortify Platform - fcli sc-sast session logout - fcli ssc session logout - displayName: Scan Central Scan - continueOnError: false + - checkout: self + persistCredentials: "true" + clean: "true" + - task: Bash@3 + displayName: 'Install Fortify CLI via @fortify/setup' + inputs: + targetType: 'inline' + script: | + npx @fortify/setup bootstrap-config + npx @fortify/setup env init --tools=fcli:auto,sc-client:auto + npx @fortify/setup env ado + - task: Bash@3 + displayName: 'Run ScanCentral SAST CI Scan' + inputs: + targetType: 'inline' + script: | + set -euo pipefail + echo "Running ScanCentral SAST CI Scan for AppVersion: ${SSC_APPVERSION:-}" + fcli action run ci + env: + SSC_URL: $(SSC_URL) + SSC_TOKEN: $(SSC_TOKEN) + SC_SAST_TOKEN: $(SC_SAST_TOKEN) + AVIATOR_URL: $(AVIATOR_URL) + AVIATOR_TOKEN: $(AVIATOR_TOKEN) + AVIATOR_APP: $(AVIATOR_APP) + 
#DEBRICKED_ACCESS_TOKEN: $(DEBRICKED_ACCESS_TOKEN) + SC_CLIENT_VERSION: $(SC_CLIENT_VERSION) + SSC_APPVERSION: "$(SSC_APPVERSION)" + SSC_PARENT_APPVERSION: "$(SSC_PARENT_APPVERSION)" + DO_SETUP: true + DO_SAST_SCAN: true + SAST_WAIT_EXTRA_OPTS: --timeout 2h + #DO_DEBRICKED_SCAN: true + #DO_AVIATOR_AUDIT: true + DO_WAIT: true + DO_APPVERSION_SUMMARY: true + DO_POLICY_CHECK: true + DO_JOB_SUMMARY: true + DO_PR_COMMENT: true + DO_EXPORT: true + # container: + # image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17 + # options: "--add-host=<>:x.x.x.x" + # env: + # FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN: $(_FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN) + # FCLI_DEFAULT_SSC_USER: $(_FCLI_DEFAULT_SSC_USER) + # FCLI_DEFAULT_SSC_PASSWORD: $(_FCLI_DEFAULT_SSC_PASSWORD) + # FCLI_DEFAULT_SSC_CI_TOKEN: $(_FCLI_DEFAULT_SSC_CI_TOKEN) + # FCLI_DEFAULT_SSC_URL: $(_FCLI_DEFAULT_SSC_URL) + # SSC_APP_VERSION_ID: $(_SSC_APP_VERSION_ID) + # SC_SAST_SENSOR_VERSION: 24.2 + # steps: + # - script: | + # echo Setting connection with Fortify Platform + # echo $FORTIFY_SSC_IP fortify.cyberxdemo.com >> /etc/hosts + # #Use --insecure switch if the SSL certificate is self generated. + # fcli ssc session login + # fcli sc-sast session login + # + # scancentral package -bt mvn -o package.zip + # fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id + # + # fcli sc-sast scan wait-for ::Id:: --interval=30s + # fcli ssc issue count --appversion=$SSC_APP_VERSION_ID + # + # echo Terminating connection with Fortify Platform + # fcli sc-sast session logout + # fcli ssc session logout + # displayName: Scan Central Scan + # continueOnError: false From 7dbea1f7fc44ebb62647fb75225dc8ab78a8f417 Mon Sep 17 00:00:00 2001 
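Review bot: `persistCredentials: "true"` on the new `checkout: self` step keeps the job's repository access token in the local git config for every later step, including the one that downloads and runs `@fortify/setup` from npm at job time, yet nothing in the hunk pushes to or otherwise authenticates against the repository with git. Unless `fcli action run ci` is known to need that persisted token (its own credentials arrive through the `env:` block of the second task), drop the setting and write the step as `- checkout: self` / `  clean: true`; if `DO_PR_COMMENT` does rely on it, say so in a comment beside it. The quoted `"true"` values are also inconsistent with the bare `true` used by the `DO_*` keys in the same hunk. The enclosing job definition under `stages:` starts before this hunk.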
From: kadraman Date: Fri, 27 Feb 2026 17:09:05 +0000 Subject: [PATCH 2/3] chore: updated after PR review --- ...ure-pipelines-fortify-sast-scancentral.yml | 62 +++++-------------- 1 file changed, 17 insertions(+), 45 deletions(-) diff --git a/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml b/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml index cc96d593..67256baa 100644 --- a/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml +++ b/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml @@ -1,14 +1,16 @@ # Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your Azure DevOps pipeline -# The following pipeline variables must be defined before using SAST stage +# The following pipeline variables must be defined before using SAST stage: # - $SSC_URL # - $SSC_TOKEN # - $SC_SAST_TOKEN +# The following pipeline variables are optional and can be defined to enable additional features: +# - $SSC_APPVERSION # - $AVIATOR_URL # - $AVIATOR_TOKEN # - $AVIATOR_APP -# - $SC_CLIENT_VERSION -# - $SSC_APPVERSION -# - $SSC_PARENT_APPVERSION +# - $DEBRICKED_ACCESS_TOKEN +# For more information on using Fortify ScanCentral SAST in Azure DevOps, see the documentation: +# https://fortify.github.io/fcli/v3/ci/ado/script/ast-workflow-ssc.htmltify-scancentral-sast-ci-azure-devops trigger: - none 
@@ -45,31 +47,30 @@ stages: inputs: targetType: 'inline' script: | - npx @fortify/setup bootstrap-config - npx @fortify/setup env init --tools=fcli:auto,sc-client:auto - npx @fortify/setup env ado + npx @fortify/setup@v2 env init --tools=fcli:bootstrapped + npx @fortify/setup@v2 env ado - task: Bash@3 displayName: 'Run ScanCentral SAST CI Scan' inputs: targetType: 'inline' script: | set -euo pipefail - echo "Running ScanCentral SAST CI Scan for AppVersion: ${SSC_APPVERSION:-}" fcli action run ci env: SSC_URL: $(SSC_URL) SSC_TOKEN: $(SSC_TOKEN) SC_SAST_TOKEN: $(SC_SAST_TOKEN) - AVIATOR_URL: $(AVIATOR_URL) - AVIATOR_TOKEN: $(AVIATOR_TOKEN) - AVIATOR_APP: $(AVIATOR_APP) + # Uncomment to enable Aviatior AI audit and remediation + #AVIATOR_URL: $(AVIATOR_URL) + #AVIATOR_TOKEN: $(AVIATOR_TOKEN) + #AVIATOR_APP: $(AVIATOR_APP) + # Uncomment to enable Debricked SCA scan #DEBRICKED_ACCESS_TOKEN: $(DEBRICKED_ACCESS_TOKEN) - SC_CLIENT_VERSION: $(SC_CLIENT_VERSION) - SSC_APPVERSION: "$(SSC_APPVERSION)" - SSC_PARENT_APPVERSION: "$(SSC_PARENT_APPVERSION)" + # SSC_APPVERSION is optional, defaults to /: + #SSC_APPVERSION: "$(SSC_APPVERSION)" DO_SETUP: true DO_SAST_SCAN: true - SAST_WAIT_EXTRA_OPTS: --timeout 2h + #SAST_WAIT_EXTRA_OPTS: --timeout 2h #DO_DEBRICKED_SCAN: true #DO_AVIATOR_AUDIT: true DO_WAIT: true 
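Review bot: `npx @fortify/setup@v2 env init --tools=fcli:bootstrapped` still resolves a floating major tag against the npm registry on every run, so the bootstrapper that installs the scanner (and whatever fcli it selects) can change underneath this pipeline without any edit to the file; pin an exact version, e.g. `npx @fortify/setup@<EXACT-VERSION-PLACEHOLDER> env init --tools=fcli:bootstrapped`, apply the same pin to the `env ado` line, and bump it deliberately. The new comment `# SSC_APPVERSION is optional, defaults to /:` appears to have lost its placeholder names (possibly angle-bracket text stripped on the way in); spell the default out in words so a reader is not left with a bare `/:`. `Aviatior` in `# Uncomment to enable Aviatior AI audit and remediation` should read `Aviator`. The step list these lines belong to starts before the hunk.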
@@ -78,33 +79,4 @@ stages: DO_JOB_SUMMARY: true DO_PR_COMMENT: true DO_EXPORT: true - # container: - # image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17 - # options: "--add-host=<>:x.x.x.x" - # env: - # FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN: $(_FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN) - # FCLI_DEFAULT_SSC_USER: $(_FCLI_DEFAULT_SSC_USER) - # FCLI_DEFAULT_SSC_PASSWORD: $(_FCLI_DEFAULT_SSC_PASSWORD) - # FCLI_DEFAULT_SSC_CI_TOKEN: $(_FCLI_DEFAULT_SSC_CI_TOKEN) - # FCLI_DEFAULT_SSC_URL: $(_FCLI_DEFAULT_SSC_URL) - # SSC_APP_VERSION_ID: $(_SSC_APP_VERSION_ID) - # SC_SAST_SENSOR_VERSION: 24.2 - # steps: - # - script: | - # echo Setting connection with Fortify Platform - # echo $FORTIFY_SSC_IP fortify.cyberxdemo.com >> /etc/hosts - # #Use --insecure switch if the SSL certificate is self generated. - # fcli ssc session login - # fcli sc-sast session login - # - # scancentral package -bt mvn -o package.zip - # fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id - # - # fcli sc-sast scan wait-for ::Id:: --interval=30s - # fcli ssc issue count --appversion=$SSC_APP_VERSION_ID - # - # echo Terminating connection with Fortify Platform - # fcli sc-sast session logout - # fcli ssc session logout - # displayName: Scan Central Scan - # continueOnError: false + \ No newline at end of file From 5e45bb8d8614c4c1bdc7afa0f8a6315a07c9baa6 Mon Sep 17 00:00:00 2001 From: "Kevin A. Lee" <4321872+kadraman@users.noreply.github.com> Date: Fri, 27 Feb 2026 17:25:32 +0000 Subject: [PATCH 3/3] Fix URL in Fortify ScanCentral YAML file --- .../azure/azure-pipelines-fortify-sast-scancentral.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml b/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml index 67256baa..32ad49bb 100644 --- a/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml 
+++ b/devops-integrations/azure/azure-pipelines-fortify-sast-scancentral.yml @@ -10,7 +10,7 @@ # - $AVIATOR_APP # - $DEBRICKED_ACCESS_TOKEN # For more information on using Fortify ScanCentral SAST in Azure DevOps, see the documentation: -# https://fortify.github.io/fcli/v3/ci/ado/script/ast-workflow-ssc.htmltify-scancentral-sast-ci-azure-devops +# https://fortify.github.io/fcli/v3/ci/ado/script/ast-workflow-ssc.html trigger: - none @@ -79,4 +79,4 @@ stages: DO_JOB_SUMMARY: true DO_PR_COMMENT: true DO_EXPORT: true - \ No newline at end of file +