Action Documentation: fcli action

ci

(PREVIEW) Run CI pipeline

Synopsis

fcli action run ci [fcli action run options] [action options, see below]

Description

This action can be used to run a full, standardized CI pipeline that performs the following activities:

Create & configure SSC application version / FoD release if needed
Install ScanCentral Client for packaging
Package source code using ScanCentral Client
Submit SAST scan request
Wait for SAST scan completion
Perform post-scan activities, like checking security policy outcome, exporting results, …

Configuration for this fcli action is done through environment variables; the sections below list the environment variables supported by this action.

Fortify on Demand

Environment Variable Description

Environment Variable	Description
FOD_URL	Fortify on Demand URL, for example `https://ams.fortify.com`. This must be rendered by the CI/CD system as plain text, not as a masked secret/variable.
FOD_CLIENT_ID FOD_CLIENT_SECRET	Required when authenticating with an API key: Fortify on Demand Client ID (API key) and Secret (API secret).
FOD_TENANT FOD_USER FOD_PASSWORD	Required when authenticating with user credentials: Fortify on Demand tenant, user and password. It is recommended to use a Personal Access Token instead of an actual user password.
FOD_LOGIN_EXTRA_OPTS	Extra login options, for example for disabling SSL checks or changing connection time-outs; see `fcli fod session login` documentation.
FOD_RELEASE	Fortify on Demand release to use with this action. This should be specified as `<app-name>:<release-name>` (for non-microservices applications) or `<app-name>:<microservice-name>:<release-name>` (for microservices applications). Default value is based on repository and branch name, for example `myOrg/myRepo:myBranch`. Note that you’ll need to explicitly configure `FOD_RELEASE` for microservices applications, as the default value lacks a microservice name.
DO_SETUP SETUP_ACTION SETUP_EXTRA_OPTS	If `DO_SETUP` is set not set to `false`, the application and/or release will be created if they do not yet exist, and static scan settings will be configured if not configured already, using the fcli-provided setup-release action, or, if specified, the custom fcli action specified through `SETUP_ACTION`. Extra options for the fcli action can be passed through the `SETUP_EXTRA_OPTS` environment variable. Depending on your Git workflow, it is recommended to copy state from the release representing your default branch by passing the `--copy-from` option through `SETUP_EXTRA_OPTS`. To allow this action to create new applications, depending on FoD version, you may (also) need to provide the `--app-owner <user id or name>` option through `SETUP_EXTRA_OPTS`.
PACKAGE_ACTION PACKAGE_ACTION_EXTRA_OPTS	By default, when running a SAST scan, the fcli package action is used to (optionally) package the source code to be scanned; see next entry for information on how to configure the default package action. If the standard fcli package action doesn’t meet your needs, for example if you want to perform a local translation using Fortify Static Code Analyzer, you can use `PACKAGE_ACTION` to use a custom action for packaging, optionally providing extra options to this custom action through the `PACKAGE_ACTION_EXTRA_OPTS` environment variable. Note that any custom action must set the `global.package.output` action variable, pointing to the package or MBS file to be scanned.
USE_PACKAGE PACKAGE_EXTRA_OPTS SC_CLIENT_VERSION SOURCE_DIR TOOL_DEFINITIONS	These environment variables define packaging behavior. If `USE_PACKAGE` is specified, packaging will be skipped and the given package or MBS file (which must already exist) will be used. To pass additional options to the `scancentral package` command like `-bt` or `-bf`, use `PACKAGE_EXTRA_OPTS`. By default: - Latest available ScanCentral Client version will be used for packaging; use `SC_CLIENT_VERSION` to specify a different version. - Current working directory will be packaged; use `SOURCE_DIR` to package a different directory. - Debug logging for Scancentral Client is disabled; pass --debug on the fcli invocation to enable debug logging. - Tool definitions to identify available ScanCentral Client versions will be downloaded from the default location; use `TOOL_DEFINITIONS` to use customized tool definitions.
DO_SAST_SCAN SAST_SCAN_EXTRA_OPTS	The fcli `ci` action currently only supports running a SAST scan, which is enabled by default. The `SAST_SCAN_EXTRA_OPTS` environment variable can be used to provide additional options to the `fcli fod sast-scan start` command, for example to specify scan notes. Note that these environment variables only control the submission of the scan request; see the information below for details on waiting for the scan to complete.
DO_WAIT DO_SAST_WAIT SAST_WAIT_EXTRA_OPTS	By default, the fcli `ci` action will wait for all started scans to complete; set `DO_WAIT` to `false` to just kick off any configured scans without waiting for completion. Note that doing so will skip any post-scan tasks. The `SAST_WAIT_EXTRA_OPTS` environment variable can be used to pass extra options to the `fcli fod sast-scan wait-for` command. Note that `DO_SAST_WAIT` is deprecated; please use `DO_WAIT` instead.
DO_RELEASE_SUMMARY RELEASE_SUMMARY_ACTION RELEASE_SUMMARY_EXTRA_OPTS	If `DO_RELEASE_SUMMARY` is not set to `false`, a release summary will be generated using the fcli-provided release-summary action or, if specified, the custom fcli action specified through `RELEASE_SUMMARY_ACTION`. Extra options for the fcli action can be specified through the `RELEASE_SUMMARY_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used.
DO_CHECK_POLICY CHECK_POLICY_ACTION CHECK_POLICY_EXTRA_OPTS	If `DO_CHECK_POLICY` is set to true (implied if any of the other two `CHECK_POLICY_*` variables are set), a policy check will be run after scan completion using the fcli-provided check-policy action or, if specified, the custom fcli action specified through `CHECK_POLICY_ACTION`. Extra options for a custom fcli action can be passed through the `CHECK_POLICY_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used.
DO_PR_COMMENT PR_COMMENT_ACTION PR_COMMENT_EXTRA_OPTS	(PREVIEW) If `DO_PR_COMMENT` is set to true (implied if any of the other two `PR_COMMENT_*` variables are set), a Pull Request or Merge Request comment will be generated using an fcli-provided action matching the current CI system like github-pr-comment or, if specified, the custom fcli action specified through `PR_COMMENT_ACTION`. Extra options for the fcli action can be specified through the `PR_COMMENT_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used.
DO_SAST_EXPORT SAST_EXPORT_ACTION SAST_EXPORT_EXTRA_OPTS	If `DO_SAST_EXPORT` is not set to `false` and a SAST scan was completed, the SAST vulnerability data will be exported into a CI-specific format using an fcli-provided action matching the current CI system like github-sast-report or gitlab-sast-report, or, if specified, the custom fcli action specified through `SAST_EXPORT_ACTION`. Extra options for the fcli action can be specified through the `SAST_EXPORT_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used.

FOD_URL

Fortify on Demand URL, for example https://ams.fortify.com. This must be rendered by the CI/CD system as plain text, not as a masked secret/variable.

FOD_CLIENT_ID
FOD_CLIENT_SECRET

Required when authenticating with an API key: Fortify on Demand Client ID (API key) and Secret (API secret).

FOD_TENANT
FOD_USER
FOD_PASSWORD

Required when authenticating with user credentials: Fortify on Demand tenant, user and password. It is recommended to use a Personal Access Token instead of an actual user password.

FOD_LOGIN_EXTRA_OPTS

Extra login options, for example for disabling SSL checks or changing connection time-outs; see fcli fod session login documentation.

FOD_RELEASE

Fortify on Demand release to use with this action. This should be specified as <app-name>:<release-name> (for non-microservices applications) or <app-name>:<microservice-name>:<release-name> (for microservices applications). Default value is based on repository and branch name, for example myOrg/myRepo:myBranch. Note that you’ll need to explicitly configure FOD_RELEASE for microservices applications, as the default value lacks a microservice name.

DO_SETUP
SETUP_ACTION
SETUP_EXTRA_OPTS

If DO_SETUP is set not set to false, the application and/or release will be created if they do not yet exist, and static scan settings will be configured if not configured already, using the fcli-provided setup-release action, or, if specified, the custom fcli action specified through SETUP_ACTION. Extra options for the fcli action can be passed through the SETUP_EXTRA_OPTS environment variable.

Depending on your Git workflow, it is recommended to copy state from the release representing your default branch by passing the --copy-from option through SETUP_EXTRA_OPTS. To allow this action to create new applications, depending on FoD version, you may (also) need to provide the --app-owner <user id or name> option through SETUP_EXTRA_OPTS.

PACKAGE_ACTION
PACKAGE_ACTION_EXTRA_OPTS

By default, when running a SAST scan, the fcli package action is used to (optionally) package the source code to be scanned; see next entry for information on how to configure the default package action. If the standard fcli package action doesn’t meet your needs, for example if you want to perform a local translation using Fortify Static Code Analyzer, you can use PACKAGE_ACTION to use a custom action for packaging, optionally providing extra options to this custom action through the PACKAGE_ACTION_EXTRA_OPTS environment variable. Note that any custom action must set the global.package.output action variable, pointing to the package or MBS file to be scanned.

USE_PACKAGE
PACKAGE_EXTRA_OPTS
SC_CLIENT_VERSION
SOURCE_DIR
TOOL_DEFINITIONS

These environment variables define packaging behavior. If USE_PACKAGE is specified, packaging will be skipped and the given package or MBS file (which must already exist) will be used. To pass additional options to the scancentral package command like -bt or -bf, use PACKAGE_EXTRA_OPTS.
By default:
- Latest available ScanCentral Client version will be used for packaging; use SC_CLIENT_VERSION to specify a different version.
- Current working directory will be packaged; use SOURCE_DIR to package a different directory.
- Debug logging for Scancentral Client is disabled; pass --debug on the fcli invocation to enable debug logging.
- Tool definitions to identify available ScanCentral Client versions will be downloaded from the default location; use TOOL_DEFINITIONS to use customized tool definitions.

DO_SAST_SCAN
SAST_SCAN_EXTRA_OPTS

The fcli ci action currently only supports running a SAST scan, which is enabled by default. The SAST_SCAN_EXTRA_OPTS environment variable can be used to provide additional options to the fcli fod sast-scan start command, for example to specify scan notes. Note that these environment variables only control the submission of the scan request; see the information below for details on waiting for the scan to complete.

DO_WAIT
DO_SAST_WAIT
SAST_WAIT_EXTRA_OPTS

By default, the fcli ci action will wait for all started scans to complete; set DO_WAIT to false to just kick off any configured scans without waiting for completion. Note that doing so will skip any post-scan tasks. The SAST_WAIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli fod sast-scan wait-for command. Note that DO_SAST_WAIT is deprecated; please use DO_WAIT instead.

DO_RELEASE_SUMMARY
RELEASE_SUMMARY_ACTION
RELEASE_SUMMARY_EXTRA_OPTS

If DO_RELEASE_SUMMARY is not set to false, a release summary will be generated using the fcli-provided release-summary action or, if specified, the custom fcli action specified through RELEASE_SUMMARY_ACTION. Extra options for the fcli action can be specified through the RELEASE_SUMMARY_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

DO_CHECK_POLICY
CHECK_POLICY_ACTION
CHECK_POLICY_EXTRA_OPTS

If DO_CHECK_POLICY is set to true (implied if any of the other two CHECK_POLICY_* variables are set), a policy check will be run after scan completion using the fcli-provided check-policy action or, if specified, the custom fcli action specified through CHECK_POLICY_ACTION. Extra options for a custom fcli action can be passed through the CHECK_POLICY_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

DO_PR_COMMENT
PR_COMMENT_ACTION
PR_COMMENT_EXTRA_OPTS

(PREVIEW) If DO_PR_COMMENT is set to true (implied if any of the other two PR_COMMENT_* variables are set), a Pull Request or Merge Request comment will be generated using an fcli-provided action matching the current CI system like github-pr-comment or, if specified, the custom fcli action specified through PR_COMMENT_ACTION. Extra options for the fcli action can be specified through the PR_COMMENT_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

DO_SAST_EXPORT
SAST_EXPORT_ACTION
SAST_EXPORT_EXTRA_OPTS

If DO_SAST_EXPORT is not set to false and a SAST scan was completed, the SAST vulnerability data will be exported into a CI-specific format using an fcli-provided action matching the current CI system like github-sast-report or gitlab-sast-report, or, if specified, the custom fcli action specified through SAST_EXPORT_ACTION. Extra options for the fcli action can be specified through the SAST_EXPORT_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

Fortify Software Security Center

Environment Variable Description

Environment Variable	Description
SSC_URL	Software Security Center (SSC) URL, for example `https://ssc.customer.fortifyhosted.net/`. This must be rendered by the CI/CD system as plain text, not as a masked secret/variable.
SSC_TOKEN	Required when authenticating with an SSC token (recommended). Most actions should work fine with a CIToken.
SSC_USER SSC_PASSWORD	Required when authenticating with SSC user credentials.
SC_SAST_TOKEN	ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller. This environment variable is required when running a ScanCentral SAST scan.
SSC_LOGIN_EXTRA_OPTS	Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see `fcli ssc session login` documentation.
SSC_APPVERSION	Fortify SSC application version to use with this action. This should be specified as `<app-name>:<version-name>`. Default value is based on repository and branch name, for example `myOrg/myRepo:myBranch`.
DO_SETUP SETUP_ACTION SETUP_EXTRA_OPTS	If `DO_SETUP` is set not set to `false`, the application and/or version will be created if they do not yet exist using the fcli-provided setup-appversion action, or, if specified, the custom fcli action specified through `SETUP_ACTION`. Extra options for the fcli action can be passed through the `SETUP_EXTRA_OPTS` environment variable. Depending on your Git workflow, it is recommended to copy state from the application version representing your default branch by passing the `--copy-from` option through `SETUP_EXTRA_OPTS`.
PACKAGE_ACTION PACKAGE_ACTION_EXTRA_OPTS	By default, when running a SAST scan, the fcli package action is used to (optionally) package the source code to be scanned; see next entry for information on how to configure the default package action. If the standard fcli package action doesn’t meet your needs, for example if you want to perform a local translation using Fortify Static Code Analyzer, you can use `PACKAGE_ACTION` to use a custom action for packaging, optionally providing extra options to this custom action through the `PACKAGE_ACTION_EXTRA_OPTS` environment variable. Note that any custom action must set the `global.package.output` action variable, pointing to the package or MBS file to be scanned.
USE_PACKAGE PACKAGE_EXTRA_OPTS SC_CLIENT_VERSION SOURCE_DIR TOOL_DEFINITIONS	These environment variables define packaging behavior. If `USE_PACKAGE` is specified, packaging will be skipped and the given package or MBS file (which must already exist) will be used. To pass additional options to the `scancentral package` command like `-bt` or `-bf`, use `PACKAGE_EXTRA_OPTS`. By default: - Latest available ScanCentral Client version will be used for packaging; use `SC_CLIENT_VERSION` to specify a different version. - Current working directory will be packaged; use `SOURCE_DIR` to package a different directory. - Debug logging for Scancentral Client is disabled; pass --debug on the fcli invocation to enable debug logging. - Tool definitions to identify available ScanCentral Client versions will be downloaded from the default location; use `TOOL_DEFINITIONS` to use customized tool definitions.
DO_SAST_SCAN SAST_SCAN_EXTRA_OPTS	The fcli `ci` action by default runs a SAST scan, optionally in combination with other scan types. The `DO_SAST_SCAN` environment variable can be set to `false` to disable the SAST scan. The `SAST_SCAN_EXTRA_OPTS` environment variable can be used to provide additional options to the `fcli sc-sast scan start` command, for example to request a scan completion email notification. Note that these environment variables only control the submission of the scan request; see the information below for details on waiting for the scan to complete.
DO_DEBRICKED_SCAN DEBRICKED_SCAN_EXTRA_OPTS DEBRICKED_ACCESS_TOKEN DEBRICKED_CLI_VERSION	The fcli `ci` action supports running a Debricked Software Composition Analysis (SCA) scan, which is enabled automatically if `DEBRICKED_ACCESS_TOKEN` is provided. The `DO_DEBRICKED_SCAN` environment variable can be set to `false` to (temporarily) disable the Debricked scan. By default, latest known Debricked CLI version will be used to run the scan, unless a different version is specified through `nDEBRICKED_CLI_VERSION`. The `DEBRICKED_SCAN_EXTRA_OPTS` environment variable can be used to provide additional options to the `debricked scan` command.
DO_WAIT DO_SAST_WAIT SAST_WAIT_EXTRA_OPTS DEBRICKED_WAIT_EXTRA_OPTS	By default, the fcli `ci` action will wait for all started scans to complete; set `DO_WAIT` to `false` to just kick off any configured scans without waiting for completion. Note that doing so will skip any post-scan tasks. The `SAST_WAIT_EXTRA_OPTS` environment variable can be used to pass extra options to the `fcli sc-sast scan wait-for` command, and similarly, the `DEBRICKED_WAIT_EXTRA_OPTS` environment variable can be used to pass extra options to the `fcli ssc artifact wait-for` command. Note that `DO_SAST_WAIT` is deprecated; please use `DO_WAIT` instead.
AVIATOR_URL AVIATOR_TOKEN AVIATOR_LOGIN_EXTRA_OPTS	Aviator URL and JWT token to use for Aviator operations (see below). The `AVIATOR_TOKEN` environment variable should hold the actual token contents; prefixes like `file:` or `string:` (like the `--token` option on the `fcli aviator session login` command) are not supported. The `AVIATOR_LOGIN_EXTRA_OPTS` environment variable can be used to pass additional options to the `fcli aviator session login` command.
DO_AVIATOR_AUDIT AVIATOR_APP AVIATOR_AUDIT_EXTRA_OPTS AVIATOR_WAIT_EXTRA_OPTS	If `DO_AVIATOR_AUDIT` is not set to `false`, and Aviator URL and token have been configured, scan results will be sent to Aviator for AI-driven auditing. The Aviator application name can optionally be configured through `AVIATOR_APP`, which defaults to the SSC application name. The `AVIATOR_AUDIT_EXTRA_OPTS` environment variable can be used to pass extra options to the `fcli aviator ssc audit` command, for example to adjust tag mappings. The `AVIATOR_WAIT_EXTRA_OPTS` environment variable can be used to pass extra options to the `fcli ssc artifact wait-for` command, which will be run to wait for SSC to process the audited results.
DO_APPVERSION_SUMMARY APPVERSION_SUMMARY_ACTION APPVERSION_SUMMARY_EXTRA_OPTS	If `DO_APPVERSION_SUMMARY` is not set to `false`, an application version summary will be generated using the fcli-provided appversion-summary action or, if specified, the custom fcli action specified through `APPVERSION_SUMMARY_ACTION`. Extra options for the fcli action can be specified through the `APPVERSION_SUMMARY_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used.
DO_CHECK_POLICY CHECK_POLICY_ACTION CHECK_POLICY_EXTRA_OPTS	If `DO_CHECK_POLICY` is set to true (implied if any of the other two `CHECK_POLICY_*` variables are set), a policy check will be run after scan completion using the fcli-provided check-policy action or, if specified, the custom fcli action specified through `CHECK_POLICY_ACTION`. Extra options for a custom fcli action can be passed through the `CHECK_POLICY_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used.
DO_PR_COMMENT PR_COMMENT_ACTION PR_COMMENT_EXTRA_OPTS	(PREVIEW) If `DO_PR_COMMENT` is set to true (implied if any of the other two `PR_COMMENT_*` variables are set), a Pull Request or Merge Request comment will be generated using an fcli-provided action matching the current CI system like github-pr-comment or, if specified, the custom fcli action specified through `PR_COMMENT_ACTION`. Extra options for the fcli action can be specified through the `PR_COMMENT_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used.
DO_SAST_EXPORT SAST_EXPORT_ACTION SAST_EXPORT_EXTRA_OPTS	If `DO_SAST_EXPORT` is not set to `false` and a SAST scan was completed, the SAST vulnerability data will be exported into a CI-specific format using an fcli-provided action matching the current CI system like github-sast-report or gitlab-sast-report, or, if specified, the custom fcli action specified through `SAST_EXPORT_ACTION`. Extra options for the fcli action can be specified through the `SAST_EXPORT_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used.
DO_DEBRICKED_EXPORT DEBRICKED_EXPORT_ACTION DEBRICKED_EXPORT_EXTRA_OPTS	If `DO_DEBRICKED_EXPORT` is not set to `false` and a Debricked scan was completed, the Debricked vulnerability data will be exported into a CI-specific format using an fcli-provided action matching the current CI system like gitlab-debricked-report, or, if specified, the custom fcli action specified through `DEBRICKED_EXPORT_ACTION`. Extra options for the fcli action can be specified through the `DEBRICKED_EXPORT_EXTRA_OPTS` environment variable, which may include fcli options to allow unsigned custom actions to be used.

SSC_URL

Software Security Center (SSC) URL, for example https://ssc.customer.fortifyhosted.net/. This must be rendered by the CI/CD system as plain text, not as a masked secret/variable.

SSC_TOKEN

Required when authenticating with an SSC token (recommended). Most actions should work fine with a CIToken.

SSC_USER
SSC_PASSWORD

Required when authenticating with SSC user credentials.

SC_SAST_TOKEN

ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller. This environment variable is required when running a ScanCentral SAST scan.

SSC_LOGIN_EXTRA_OPTS

Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see fcli ssc session login documentation.

SSC_APPVERSION

Fortify SSC application version to use with this action. This should be specified as <app-name>:<version-name>. Default value is based on repository and branch name, for example myOrg/myRepo:myBranch.

DO_SETUP
SETUP_ACTION
SETUP_EXTRA_OPTS

If DO_SETUP is set not set to false, the application and/or version will be created if they do not yet exist using the fcli-provided setup-appversion action, or, if specified, the custom fcli action specified through SETUP_ACTION. Extra options for the fcli action can be passed through the SETUP_EXTRA_OPTS environment variable.

Depending on your Git workflow, it is recommended to copy state from the application version representing your default branch by passing the --copy-from option through SETUP_EXTRA_OPTS.

PACKAGE_ACTION
PACKAGE_ACTION_EXTRA_OPTS

By default, when running a SAST scan, the fcli package action is used to (optionally) package the source code to be scanned; see next entry for information on how to configure the default package action. If the standard fcli package action doesn’t meet your needs, for example if you want to perform a local translation using Fortify Static Code Analyzer, you can use PACKAGE_ACTION to use a custom action for packaging, optionally providing extra options to this custom action through the PACKAGE_ACTION_EXTRA_OPTS environment variable. Note that any custom action must set the global.package.output action variable, pointing to the package or MBS file to be scanned.

USE_PACKAGE
PACKAGE_EXTRA_OPTS
SC_CLIENT_VERSION
SOURCE_DIR
TOOL_DEFINITIONS

These environment variables define packaging behavior. If USE_PACKAGE is specified, packaging will be skipped and the given package or MBS file (which must already exist) will be used. To pass additional options to the scancentral package command like -bt or -bf, use PACKAGE_EXTRA_OPTS.
By default:
- Latest available ScanCentral Client version will be used for packaging; use SC_CLIENT_VERSION to specify a different version.
- Current working directory will be packaged; use SOURCE_DIR to package a different directory.
- Debug logging for Scancentral Client is disabled; pass --debug on the fcli invocation to enable debug logging.
- Tool definitions to identify available ScanCentral Client versions will be downloaded from the default location; use TOOL_DEFINITIONS to use customized tool definitions.

DO_SAST_SCAN
SAST_SCAN_EXTRA_OPTS

The fcli ci action by default runs a SAST scan, optionally in combination with other scan types. The DO_SAST_SCAN environment variable can be set to false to disable the SAST scan. The SAST_SCAN_EXTRA_OPTS environment variable can be used to provide additional options to the fcli sc-sast scan start command, for example to request a scan completion email notification. Note that these environment variables only control the submission of the scan request; see the information below for details on waiting for the scan to complete.

DO_DEBRICKED_SCAN
DEBRICKED_SCAN_EXTRA_OPTS
DEBRICKED_ACCESS_TOKEN
DEBRICKED_CLI_VERSION

The fcli ci action supports running a Debricked Software Composition Analysis (SCA) scan, which is enabled automatically if DEBRICKED_ACCESS_TOKEN is provided. The DO_DEBRICKED_SCAN environment variable can be set to false to (temporarily) disable the Debricked scan. By default, latest known Debricked CLI version will be used to run the scan, unless a different version is specified through nDEBRICKED_CLI_VERSION. The DEBRICKED_SCAN_EXTRA_OPTS environment variable can be used to provide additional options to the debricked scan command.

DO_WAIT
DO_SAST_WAIT
SAST_WAIT_EXTRA_OPTS
DEBRICKED_WAIT_EXTRA_OPTS

By default, the fcli ci action will wait for all started scans to complete; set DO_WAIT to false to just kick off any configured scans without waiting for completion. Note that doing so will skip any post-scan tasks. The SAST_WAIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli sc-sast scan wait-for command, and similarly, the DEBRICKED_WAIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli ssc artifact wait-for command. Note that DO_SAST_WAIT is deprecated; please use DO_WAIT instead.

AVIATOR_URL
AVIATOR_TOKEN
AVIATOR_LOGIN_EXTRA_OPTS

Aviator URL and JWT token to use for Aviator operations (see below). The AVIATOR_TOKEN environment variable should hold the actual token contents; prefixes like file: or string: (like the --token option on the fcli aviator session login command) are not supported. The AVIATOR_LOGIN_EXTRA_OPTS environment variable can be used to pass additional options to the fcli aviator session login command.

DO_AVIATOR_AUDIT
AVIATOR_APP
AVIATOR_AUDIT_EXTRA_OPTS
AVIATOR_WAIT_EXTRA_OPTS

If DO_AVIATOR_AUDIT is not set to false, and Aviator URL and token have been configured, scan results will be sent to Aviator for AI-driven auditing. The Aviator application name can optionally be configured through AVIATOR_APP, which defaults to the SSC application name. The AVIATOR_AUDIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli aviator ssc audit command, for example to adjust tag mappings. The AVIATOR_WAIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli ssc artifact wait-for command, which will be run to wait for SSC to process the audited results.

DO_APPVERSION_SUMMARY
APPVERSION_SUMMARY_ACTION
APPVERSION_SUMMARY_EXTRA_OPTS

If DO_APPVERSION_SUMMARY is not set to false, an application version summary will be generated using the fcli-provided appversion-summary action or, if specified, the custom fcli action specified through APPVERSION_SUMMARY_ACTION. Extra options for the fcli action can be specified through the APPVERSION_SUMMARY_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

DO_CHECK_POLICY
CHECK_POLICY_ACTION
CHECK_POLICY_EXTRA_OPTS

If DO_CHECK_POLICY is set to true (implied if any of the other two CHECK_POLICY_* variables are set), a policy check will be run after scan completion using the fcli-provided check-policy action or, if specified, the custom fcli action specified through CHECK_POLICY_ACTION. Extra options for a custom fcli action can be passed through the CHECK_POLICY_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

DO_PR_COMMENT
PR_COMMENT_ACTION
PR_COMMENT_EXTRA_OPTS

(PREVIEW) If DO_PR_COMMENT is set to true (implied if any of the other two PR_COMMENT_* variables are set), a Pull Request or Merge Request comment will be generated using an fcli-provided action matching the current CI system like github-pr-comment or, if specified, the custom fcli action specified through PR_COMMENT_ACTION. Extra options for the fcli action can be specified through the PR_COMMENT_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

DO_SAST_EXPORT
SAST_EXPORT_ACTION
SAST_EXPORT_EXTRA_OPTS

If DO_SAST_EXPORT is not set to false and a SAST scan was completed, the SAST vulnerability data will be exported into a CI-specific format using an fcli-provided action matching the current CI system like github-sast-report or gitlab-sast-report, or, if specified, the custom fcli action specified through SAST_EXPORT_ACTION. Extra options for the fcli action can be specified through the SAST_EXPORT_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

DO_DEBRICKED_EXPORT
DEBRICKED_EXPORT_ACTION
DEBRICKED_EXPORT_EXTRA_OPTS

If DO_DEBRICKED_EXPORT is not set to false and a Debricked scan was completed, the Debricked vulnerability data will be exported into a CI-specific format using an fcli-provided action matching the current CI system like gitlab-debricked-report, or, if specified, the custom fcli action specified through DEBRICKED_EXPORT_ACTION. Extra options for the fcli action can be specified through the DEBRICKED_EXPORT_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

ci-vars

(PREVIEW) Collect CI-specific data

Synopsis

fcli action run ci-vars [fcli action run options] [action options, see below]

Description

This action collects data used by the SSC & FoD 'ci' actions, based on CI-specific data like CI-specific environment variables. Data is collected in a CI-agnostic global variable named 'ci'. Note that available properties on the global 'ci' variable may change across fcli releases, potentially breaking any custom actions that depend on these properties.

fortify-env

(PREVIEW) Output environment variables for Fortify tools

Synopsis

fcli action run fortify-env [fcli action run options] [action options, see below]

Description

Generates environment variable definitions for installed Fortify tools in various formats suitable for sourcing in shells or setting through CI/CD systems.

Outputs environment variables for the last installed version of each tool by default, or for a specific version if requested. If a tool is not installed, it will be skipped unless a specific version is explicitly requested (which will cause an error).

Supports multiple output formats: - shell: Bash/Zsh compatible export statements - powershell: PowerShell $env: syntax - cmd: Windows Command Prompt SET statements - github: GitHub Actions GITHUB_ENV format - azure: Azure Pipelines ##vso[task.setvariable] format - gitlab: GitLab CI export statements

Examples: # Generate env for all installed tools (shell format) fcli action run fortify-env

# Generate env for specific tools with versions
link:manpage/fcli-action-run.html[fcli action run] fortify-env --sc-client-version 24.4.0 --fcli-version latest

# Generate env for GitHub Actions
link:manpage/fcli-action-run.html[fcli action run] fortify-env --format github

# Generate env for specific tool only
link:manpage/fcli-action-run.html[fcli action run] fortify-env --sc-client-version auto --skip-others

# Use in shell (bash/zsh)
source <(link:manpage/fcli-action-run.html[fcli action run] fortify-env)

Options

--fcli-version: Version to output env for: <specific-version>, latest, auto (last installed), skip. Default: auto
--sc-client-version: Version to output env for: <specific-version>, latest, auto (last installed), skip. Default: auto
--fod-uploader-version: Version to output env for: <specific-version>, latest, auto (last installed), skip. Default: auto
--debricked-cli-version: Version to output env for: <specific-version>, latest, auto (last installed), skip. Default: auto
--bugtracker-utility-version: Version to output env for: <specific-version>, latest, auto (last installed), skip. Default: auto
--vuln-exporter-version: Version to output env for: <specific-version>, latest, auto (last installed), skip. Default: auto
--format: Output format: shell, powershell, cmd, github, azure, gitlab. Default: shell
--path: Include PATH updates: include, exclude, auto (detect if needed). Default: auto
--cmd-var: Include *_CMD variables: include, exclude, auto. Default: auto
--home-var: Include *_HOME variables: include, exclude, auto. Default: auto
--skip-others: Only output env for explicitly versioned tools (skip tools with version=auto)

fortify-setup

(PREVIEW) Set up Fortify tools for CI/CD workflows

Synopsis

fcli action run fortify-setup [fcli action run options] [action options, see below]

Description

Detects, registers, and installs Fortify tools (fcli, sc-client, fod-uploader, debricked-cli, bugtracker-utility, vuln-exporter) for use in CI/CD pipelines.

Once tools are installed/registered, use the 'fcli tool <tool-name> env' command to generate environment variables for shell scripts or CI/CD systems.

Supports: - Auto-detection of pre-installed tools - Dynamic installation with signature verification - Platform-specific tool caching (GitHub, Azure, GitLab) - Air-gapped environments (pre-installed tools only) - Docker multi-stage builds (fcli bootstrap)

Examples: # Minimal: install sc-client only fcli action run fortify-setup --sc-client 24.4.0

# Pre-installed tools (air-gapped)
link:manpage/fcli-action-run.html[fcli action run] fortify-setup --air-gapped \
  --sc-client auto --fod-uploader auto

# Platform tool cache
link:manpage/fcli-action-run.html[fcli action run] fortify-setup --use-tool-cache \
  --sc-client latest --debricked-cli v2

# Docker multi-stage build, installing from preinstalled fcli
link:manpage/fcli-action-run.html[fcli action run] fortify-setup --self /base/usr/bin/fcli \
  --fcli auto \
  --base-dir /opt/fortify --sc-client 24.4.0

Options

--fcli: Version to use: <specific-version>, latest, auto, preinstalled, skip. Default: skip
--sc-client: Version to use: <specific-version>, latest, auto, preinstalled, skip. Default: skip
--fod-uploader: Version to use: <specific-version>, latest, auto, preinstalled, skip. Default: skip
--debricked-cli: Version to use: <specific-version>, latest, auto, preinstalled, skip. Default: skip
--bugtracker-utility: Version to use: <specific-version>, latest, auto, preinstalled, skip. Default: skip
--vuln-exporter: Version to use: <specific-version>, latest, auto, preinstalled, skip. Default: skip
--with-jre: JRE handling for sc-client: yes (install with JRE), no (use system Java), auto (detect compatible JRE). Default: auto
--fcli-path: Explicit path to fcli binary or installation directory
--sc-client-path: Explicit path to sc-client binary or installation directory
--fod-uploader-path: Explicit path to fod-uploader binary or installation directory
--debricked-cli-path: Explicit path to debricked-cli binary or installation directory
--bugtracker-utility-path: Explicit path to bugtracker-utility binary or installation directory
--vuln-exporter-path: Explicit path to vuln-exporter binary or installation directory
--base-dir: Base directory for tool installations: <base-dir>/<tool>/<version>/
--use-tool-cache: Use platform-specific tool cache (detected via ci-vars)
--self: Path to bootstrapped fcli executable. Not intended for end users; typically set by platform integration tools.
--air-gapped: Air-gapped mode: all tools must be pre-installed, don’t update tool definitions
--tool-definitions: Custom tool definitions URL (ignored in air-gapped mode)

package

(PREVIEW) Package source code

Synopsis

fcli action run package [fcli action run options] [action options, see below]

Description

This action can be used to package source code using ScanCentral Client. It will take care of installing the specified ScanCentral Client version, followed by executing the 'scancentral package' command using the specified ScanCentral Client version. To enable debug logging on the scancentral command, use the fcli --debug option, optionally combined with --log-level=NONE to collect only ScanCentral logs, not fcli logs.

Options

--use-package: Use an existing package file instead of trying to package the given source code directory. If specified, this ignores all other options.
--sc-client-version, -v: Specify the ScanCentral Client version to be used for packaging. Defaults to the value of the SC_CLIENT_VERSION environment variable, or 'latest' if not specified.
--source-dir, -d: Specify the source directory to be packaged. Defaults to the value of the SOURCE_DIR environment variable, or current working directory if not specified.
--tool-definitions: Custom tool definitions to use for identifying available ScanCentral Client versions and download URLs. Defaults to the value of the TOOL_DEFINITIONS environment variable, or the built-in default if not specified.
--extra-opts: Extra options to be passed to the 'scancentral package' command. Defaults to the options specified in the EXTRA_PACKAGE_OPTS environment variable, or no extra options if not specified.
--output, -o: Name of the zip file in which packaged source code should be stored. Defaults to package.zip in the current working directory.

FCLI: The Universal Fortify CLI

Action Documentation: `fcli action`

ci

Synopsis

Description

Fortify on Demand

Fortify Software Security Center

ci-vars

Synopsis

Description

fortify-env

Synopsis

Description

Options

fortify-setup

Synopsis

Description

Options

package

Synopsis

Description

Options