The fcli utility can be used to interact with various Fortify products, like Fortify on Demand (FoD), Software Security Center (SSC), ScanCentral SAST and ScanCentral DAST. This document describes installation and general usage of fcli. For a full listing of fcli commands and corresponding command line options, please see the man-pages as listed in the Manual Pages section.

Some of the fcli highlights:

The following Fortify products are currently supported by fcli:

  • Software Security Center (SSC)

    • Includes virtually all functionality provided by the legacy FortifyClient utility

    • Includes virtually all functionality provided by the ssc-client sample shipped with SSC

    • Adds a wide range of other functionalities not previously included in any Fortify client-side utilities

  • ScanCentral SAST

    • Support for starting and managing ScanCentral SAST scans

  • ScanCentral DAST

    • Support for starting and managing ScanCentral DAST scans

    • Support for listing scan policies and settings

    • Support for listing and managing sensors

  • Fortify on Demand (FoD)

    • Currently in preview mode

    • No manual pages available

    • fod command is hidden from fcli -h output

    • View available FoD commands by running fcli fod -h

Installation

Download bundles for fcli are available on the Releases page, containing both development releases (named Development Release - <branch> branch) and final releases. In general, the use of a final release is recommended, unless you want to use any functionality that hasn’t made it into a final release yet.

Each release comes with a list of assets:

  • docs-html.zip & docs-manpage.zip: Manual pages in either HTML or manpage format

  • fcli-linux.tgz, fcli-mac.tgz & fcli-windows.zip: Native binaries for each of the mentioned platforms

    • Note that some browsers by default will disallow downloading of fcli-windows.zip; please bypass the warning

    • Linux and Mac downloads include an auto-completion script that makes interactive fcli usage easier

  • fcli.jar: Java version of fcli, which should be runnable on any platform that has Java 11+ installed

    • Note that in general, the native binaries are easier to invoke, offer better performance, and have the benefit of auto-completion capabilities on Linux & Mac

    • If you experience any unexpected behavior with native binaries, like commands or command line options not being listed or recognized, or technical error messages about methods, constructors or serializers not being found, please try with the Java version a s it may be an issue specific to the native binaries. See the Troubleshooting section for details.

  • fcli-thirdparty.zip: Third-party licenses and sources for license purposes; usually no need to download

  • LICENSE.TXT & README.md: Some generic information and license for fcli

Please note that when publishing a new release, it may take up to 30-60 minutes before release assets are posted. If the latest release doesn’t show any of the assets listed above, please check again in 30-60 minutes. If you encounter a release without these assets after waiting for 60 minutes, please consider submitting an issue on the fcli issue tracker.

To install one of the binary distributions of fcli:

  • Download the appropriate binary archive for your platform

  • Extract the archive contents to a directory of your choosing

  • For ease of use, add this directory to your operating system or shell PATH environment variable, or move the fcli/fcli.exe binary to a directory that is already on the PATH

  • Linux/Mac only: Run the following command to install fcli auto command completion, allowing for use of the <tab> to get suggestions for fcli command and option names. You may want to add this to your shell startup script, such that fcli auto-completion is readily available in every shell.
    source <extraction-dir>/fcli_completion

To install the .jar version of fcli, simply download fcli.jar and put in in a directory of your choosing, after which it can be executed using java -jar path/to/fcli.jar. You may want to set up a simple wrapper script/batch file or shell alias to make it slightly easier to invoke fcli.jar.

Command Structure

Fcli provides a product-oriented command structure, with each product represented by a separate tree of subcommands. For example, the fcli fod command tree can be used to interact with Fortify on Demand (FoD), and the fcli ssc command tree can be used to interact with Fortify Software Security Center (SSC). There are also some non product-related command trees, like the fcli config command tree to manage fcli configuration.

To see what top-level fcli commands are available, you can use the fcli --help command. You can drill down into the command tree to see what sub-commands are available within a particular parent command, for example by running fcli ssc --help to see all fcli ssc sub-commands, or fcli ssc session --help to see all SSC session management commands.

If you don’t have fcli up and running yet, you can also refer to the downloadable or online manual pages; refer to the Manual Pages section for more information.

Common Options

The following sections describe common options that are available on (most) fcli commands.

-h | –help

This option can be used on every fcli (sub-)command to view usage information for that command. Usage information usually shows the command synopsis, a description of the functionality provided by the command, and a description of each command line option or parameter accepted by the command.

–env-prefix

As described in the Environment Variables section, default option and parameter values can be retrieved from environment variables starting with FCLI_DEFAULT. This option allows for configuring a different environment variable prefix. This may be useful if, for example, you want to login to multiple instances of the same system using environment variables. For example, when running fcli ssc session login --env-prefix PROD, fcli will look for environment variables like PROD_SSC_URL instead of FCLI_DEFAULT_SSC_URL.

Note that a default value for the --env-prefix option itself can be specified through an FCLI_DEFAULT_ENV_PREFIX environment variable, for example if you want to globally override the FCLI_DEFAULT prefix.

–log-level

This option can be used on every fcli (sub-)command to specify the fcli log level; see the help output for a list of allowed levels. Note that this option also requires the --log-file option to be specified, otherwise no log will be written.

–log-file

This option can be used on every fcli (sub-)command to specify the file to which to output log data. If not specified, currently no log data will be written, although future versions may specify a default log file location in the fcli home folder.

-o | –output

Available on virtually all (leaf) commands that output data, this option can be used to specify the output format. Fcli supports a wide variety of output formats, like table, csv, json, xml, and tree formats, allowing for both human-readable output or output suitable for automations. The csv-plain and table-plain output formats produce CSV or table output without headers. The *-flat output formats produce a flattened view of the output data, potentially making it easier to process that data without having to navigate through an object tree. For a full list of output formats supported by your fcli version, please refer to the help output or Manual Pages.

Most output formats allow for specifying the JSON properties to be included in the output, for example -o csv=id,name. If no JSON properties are specified, most output formats will output all available JSON properties, except for table output, which usually outputs a predefined set of JSON properties.

There are two output formats that are somewhat special:

  • -o 'expr=Text with {property1} or {property2}\n' Formats the output data based on the given expression, which is a combination of (optional) plain text and JSON property placeholders. This can be used for a variety of purposes, for example generating output in a human-readable format, or for generating a list of commands to be run at a later stage. Note that by default, no newline character will be inserted after evaluating the given expression. If necessary, the expression should explicitly include \n to output a newline character. To demonstrate the power of this output format, following are two examples of how -o expr can be used to generate a script that purges all application versions matching certain criteria:

    • fcli ssc appversion list -q createdBy=admin -o 'expr=fcli ssc appversion-artifact purge --older-than 30d --appversion {id}\n'

    • for id in $(fcli ssc appversion list -q createdBy=admin -o ‘expr={id}’); do echo “fcli ssc appversion-artifact purge –older-than 30d –appversion ${id}”; done

  • -o json-properties List all JSON properties returned by the current command, which can be used on options that take JSON propert ies as input, like output expressions (-o expr={prop}), properties to include in the output (-o table=prop1,prop2), queries (-q prop1=value1), and fcli variables (--store var:prop1,prop2 & {?var:prop1}). Two important notes about this output format:

    • The command will be executed as specified, so be careful when using this output option on any command that changes state (delete/update/create/…) * On some commands, the list of available JSON properties may vary depending on command line options. For example, when a query returns no records, then -o json-properties will not output any properties. Likewise, a command may provide options for including additional data for each record; the corresponding JSON properties will only be shown if -o json-properties is used in combination with these options that load additional data.

–output-to-file

Available on virtually all (leaf) commands that output data, this option can be used to write the command output data to a file, in the format specified by the --output option listed above. In some cases, this may be more convenient than redirecting the output to a file. For example, although currently not implemented, fcli could potentially skip creating the output file if there is no output data or if an error occurs. Also, for commands that output status updates, like wait-for commands, the --output-to-file option allows for status updates to be written to standard output while the final output of the command will be written to the file specified.

–store

Available on virtually all (leaf) commands that output data, this option can be used to store command output data in an fcli variable. For more details, see the Fcli Variables section.

-q | –query

Available on most list commands and some other commands, this option allows for querying the output data, outputting only records that match the given query or queries. For now, only equals-based matching is supported; future fcli versions may provide additional matching options. General format is -q <json-property>=<value>; the list of JSON properties available for matching can be found by executing the same command with the -o json-properties option; see -o | –output for details.

–session

Available on virtually all commands that interact with a target system, this option allows for specifying a session name. For more details, see the Session Management section.

Session Management

Most fcli product modules are session-based, meaning that you need to run a session login command before you can use most of the other commands provided by a product module, and run a session logout command when finished, for example:

fcli ssc session login --url https://my.ssc.org/ssc --user <user> --password <password>
fcli ssc appversion list
fcli ssc session logout --user <user> --password <password>

For interactive use, you can choose to keep the session open until it expires (expiration period depends on target system and login method). For pipeline use or other automation scenarios, it is highly recommended to issue a session logout command when no further interaction with the target system is required, to allow for any client-side and server-side cleanup to be performed. For example, upon logging in to SSC with user credentials, fcli will generate a UnifiedLoginToken, which will be invalidated when the ssc session logout is being run. If you have many (frequently executed) pipelines that interact with SSC, and you don’t run the ssc session logout command when the pipeline finishes, you risk exhausting SSC’s limit on active tokens. In addition, the logout commands will perform client-side cleanup, like removing session details like URL and authentication tokens from the client system.

For product modules that support it, like SSC or ScanCentral DAST, it is also highly recommended to use token-based authentication rather than username/password-based authentication when incorporating fcli into pipelines or other automation tasks. This will avoid creation of a temporary token as described above, but also allows for better access control based on token permissions. Similarly, for systems that support Personal Access tokens, like FoD, it is highly recommended to utilize a Personal Access Token rather than user password. Note however that depending on (personal access) token permissions, not all fcli functionality may be available. In particular, even the least restrictive SSC CIToken may not provide access to all endpoints covered by fcli. If you need access to functionality not covered by CIToken, you may need to define a custom token definition, but this can only be done on self-hosted SSC environments, not on Fortify Hosted. If all else fails, you may need to revert to username/password-based authentication to utilize the short-lived UnifiedLoginToken.

Named Sessions

Fcli supports named sessions, allowing you to have multiple open sessions for a single product. When issuing a session login command, you can optionally provide a session name as in fcli ssc session login mySession ..., and then use that session in other commands using the --session mySession command line option. If no session name is specified, a session named default will be created/used. Named sessions allow for a variety of use cases, for example:

  • Run fcli commands against multiple instances of the same product, like DEV and PROD instances or an on-premise instance and a Fortify Hosted instance, without having to continuously login and logout from one instance to switch to another instance

  • Run fcli commands against a single instance of a product, but with alternating credentials, for example with one session providing admin rights and another session providing limited user rights

  • Run one session with username/password credentials to allow access to all fcli functionality (based on user permissions), and another session with token-based authentication with access to only a subset of fcli functionality

  • Run multiple pipelines or automation scripts simultaneously, each with their own session name, to reduce chances of these pipelines and scripts affecting each other (see Fcli Home Folder though for a potentially better solution for this scenario)

Session Storage

To keep session state between fcli invocations, fcli stores session data like URL and authentication tokens in the Fcli Home Folder. To reduce the risk of unauthorized access to this sensitive data, fcli encrypts the session data files. However, this is not bullet-proof, as the default encryption key and algorithm can be easily viewed in fcli source code. As such, it is recommended to ensure file permissions on the FCLI Home folder are properly configured to disallow access by other users. Being stored in the user’s home directory by default, the correct file permissions should usually already be in place. For enhanced security, you may also consider setting the FCLI_ENCRYPT_KEY environment variable; see the Fcli Home Folder section for details.

Fcli Home Folder

Fcli stores various files in its home directory, like session files (see Session Management) and fcli variable contents (see Fcli Variables). Future versions of fcli may also automatically generated log files in this home directory, if no --log-file option is provided.

By default, the fcli home directory is located at <user home directory>/.fortify/fcli, but this can be overridden through the FORTIFY_HOME or FCLI_HOME environment variables. If the FCLI_HOME environment variable is set, then this will be used as the fcli home directory. If the FORTIFY_HOME environment variable is set (and FCLI_HOME is not set), then fcli will use <FORTIFY_HOME>/fcli as its home directory.

When utilizing fcli in pipelines or automation scripts, especially when multiple pipelines or scripts may be running simultaneously on a single, non-containerized system, it is highly recommended to set the FCLI_HOME or FORTIFY_HOME environment variables to a dedicated directory for each individual pipeline/script run. Failure to do so may cause these runs to share session data, variables and other persistent fcli data, which will likely cause issues. For example, both pipelines may try to login with the same session name but with different URL’s or credentials, or even when using the same session configuration, one pipeline may log out of the session while the other pipeline is still using that session. Or, both pipelines may be updating the same fcli variable but with different contents, causing unexpected results when accessing those fcli variables. On containerized systems, like pipelines running in GitLab or GitHub, the fcli home folder will usually be stored inside the individual pipeline containers, so in this case it shouldn’t be necessary to set the FCLI_HOME or FORTIFY_HOME variables.

Note that some files stored in the fcli home directory may contain sensitive data, like authentication tokens generated by login commands, or proxy credentials configured through the fcli config proxy commands. Fcli encrypts any sensitive files, but since the encryption key and algorithm are hardcoded, these files can be decrypted fairly easily. You should ensure proper file access permissions on the fcli home folder. In addition, you can consider setting the FCLI_ENCRYPT_KEY environment variable to configure an alternative encryption key. That way, the sensitive files can only be decrypted if someone has access to this customer encryption key.

Environment Variables

Apart from the special-purpose environment variables described in other sections, like the Fcli Home Folder section, fcli allows for specifying default option and parameter values through environment variables. This is particularly useful for specifying product URL’s and credentials through pipeline secrets, but also allows for preventing having to manually supply command line options if you frequently invoke a particular command with the same option value(s). For example, you could define a default value for the fcli ssc appversion create --issue-template option, to avoid having to remember the issue template name every time you invoke this command.

Fcli walks the command tree to find an environment variable that matches a particular option, starting with the most detailed command prefix first. For the issue-template example above, fcli would look for the following environment variable names, in this order:

  • FCLI_DEFAULT_SSC_APPVERSION_CREATE_ISSUE_TEMPLATE

  • FCLI_DEFAULT_SSC_APPVERSION_ISSUE_TEMPLATE

  • FCLI_DEFAULT_SSC_ISSUE_TEMPLATE

  • FCLI_DEFAULT_ISSUE_TEMPLATE

Environment variable lookups are based on the following rules:

  • Command aliases are not taken into account when looking for environment variables; suppose we have a delete command with alias rm, you will need to use FCLI_DEFAULT_..._DELETE_... and not FCLI_DEFAULT_..._RM_...

  • For options, fcli will use the longest option name when looking for environment variables; suppose we have an option with names -a, --ab and --abc, you will need to use FCLI_DEFAULT_..._ABC and not FCLI_DEFAULT_..._AB or FCLI_DEFAULT_..._A

  • Currently, not all positional parameters support default values from environment variables; this will be improved over time. Please refer to the positional parameter description in help output or manual pages to identify what environment variable suffix should be used for a particular positional parameter.

Although powerful, these environment variables for providing default option and parameter values should be used with some care to avoid unexpected results:

  1. Obviously command option requirements should be respected; supplying default values for exclusive options may result in errors or unexpected behavior

  2. Preferably, you should use the most specific environment variable name, like FCLI_DEFAULT_SSC_APPVERSION_CREATE_ISSUE_TEMPLATE from the example above, to avoid accidentally supplying default values to a similarly named option on other commands

Despite #2 above, in some cases it may be useful to use less specific environment names, in particular if the same default values should be applied to multiple commands. As an example, consider an environment variable named FCLI_DEFAULT_SSC_URL:

  • This variable value will be used as a default value for all --url options in the SSC module

  • This variable value will be used as a default value for all --ssc-url options in other product modules

This means that defining a single FCLI_DEFAULT_SSC_URL environment variable, together with for example FCLI_DEFAULT_SSC_USER and FCLI_DEFAULT_SSC_PASSWORD environment variables, allows for applying these default values to all of the fcli ssc session login, fcli sc-sast session login, fcli sc-dast session login, and corresponding logout commands.

Note that as described in the –env-prefix section, you can override the FCLI_DEFAULT prefix. For example, with --env-prefix MYPREFIX, fcli will look for MYPREFIX_* environment variables instead of FCLI_DEFAULT_* environment variables.

Fcli Variables

Fcli allows for storing fcli output data in fcli variables for use by subsequent fcli commands. This is a powerful feature that prevents users from having to use shell features to parse fcli output when needing to provide output from one command as input to another command. For example, this feature allows for starting a scan, and then passing the scan id to a corresponding wait-for command, or for creating an SSC application version, and passing the SSC application version id to the appversion-artifact upload command.

Fcli supports two types of variables:

  • Named variables

    • Stored using the --store myVarName[:prop1,prop2] option on data output commands

    • If no properties are provided with the --store option, all JSON properties will be stored

    • Referenced using the '{?myVarName:prop1}' syntax anywhere on the command line of subsequent fcli commands

    • As a best practice, variable references should be quoted to avoid the shell interpreting the curly braces

    • On most shells, you should be able to put the variable reference in single quotes, or use \{

    • If you have any suggestions for a better syntax, please comment here: https://github.com/fortify/fcli/issues/160

    • Variable names are global and can be referenced across products and sessions

  • Predefined variables:

    • Stored using the --store '?' option on a subset of data output commands

    • Stored under a command-specific predefined variable name

    • Referenced using the '?' syntax on specific options

    • As a best practice, question marks should be quoted to avoid the shell interpreting ? as a file name wildcard (for example, if you have a file named x in the current directory, then --store ? would store a variable named x instead of the predefined variable name)

    • On most shells, you should be able to put the ? in single or double quotes, or use \?

    • If you have any suggestions for a better syntax, please comment here: https://github.com/fortify/fcli/issues/160

    • Help output and manual pages may currently lack information about which commands and options support the '?' syntax, so for now you’ll need to look at examples or just try.

Predefined variables are easier to use; they are more concise and you do not need to remember JSON property names. However, as indicated, they are more limited in use; they only store a predefined JSON property, and are only available on a subset of commands and options.

Following are some examples, assuming the necessary login sessions are available:

fcli ssc appversion create myApp:1.0 --auto-required --skip-if-exists --store '?'
fcli ssc appversion-artifact upload myScan.fpr --appversion '?'

fcli ssc appversion create myApp:1.0 --auto-required --skip-if-exists --store myVersion:id,name
fcli ssc appversion-artifact upload myScan.fpr --appversion {?myVersion:id}

fcli sc-dast scan start MyScan -S 011daf6b-f2d0-4127-89ab-1d3cebab8784 --store '?'
fcli sc-dast scan wait-for '?'

fcli sc-dast scan start MyScan -S 011daf6b-f2d0-4127-89ab-1d3cebab8784 --store myScan
fcli sc-dast scan wait-for {?myScan:id}

Fcli provides dedicated commands for managing variables and variable contents through the following commands; please see help output or manual pages for available sub-commands:

  • fcli config variable definition * fcli config variable contents

Note that the fcli config variable contents get and list commands support the regular fcli output options, and the list command also provides query capabilities. This allows for advanced use cases, like retrieving server data once and then outputting it in multiple formats, potentially even applying separate filters. As an example:

fcli ssc appversion list --store myVersions
fcli config variable contents list myVersions -o csv --output-to-file myVersions.csv
fcli config variable contents list myVersions -o json -q createdBy=admin --output-to-file myAdminVersions.json
fcli config variable contents list myVersions -o 'expr={id}\n' --output-to-file myVersionIds.txt

Manual Pages

The manual pages for this fcli release can be found here: fcli (1). If you are viewing this documentation offline, please make sure that you have fully extracted the docs-html.zip file to access the manual pages.

Manual pages for each fcli release are automatically generated as new fcli releases are being built, and are available in HTML and Linux man-page formats. The manual pages in man-page format can be downloaded from the fcli releases page at https://github.com/fortify/fcli/releases. The HTML-formatted manual pages, including this documentation page, can also be downloaded from the fcli release page or viewed online at https://fortify.github.io/fcli.

Troubleshooting

Native Binaries

Native binaries require some special source code annotations for proper operation, which are not required for the plain Java .jar version of fcli. If fcli developers forgot to include any of these annotations, you may experience any of the following behavior:

  • Commands and/or option listed in manual pages are not listed by the help output of a native binary

  • Trying to use commands and/or options listed in the manual pages result in errors stating that the command or option is not recognized

  • Some commands and/or options result in technical error messages about classes, constructors or methods not being found or not being accessible

If you encounter any of these issues, please submit a bug report as described in Submitting a Bug Report. As described in that section, please include information on whether the .jar version of fcli exhibits the same erroneous behavior. While fcli developers are working on fixing the issue, you can temporarily use the .jar version of fcli until the issue is resolved.

Submitting a Bug Report

After confirming that an issue cannot be resolved based on the information above, and is not caused by user error, please consider submitting a bug report on the fcli issue tracker. Before doing so, please verify that there is not already a bug report open for the issue that you are experiencing; in that case, feel free to leave a comment on the existing bug report to confirm the issue and/or provide additional details.

When opening a bug report, please include the following information:

  • Fcli version, as shown by the fcli --version command

  • Which fcli variant you are using; one of the native binaries or the .jar variant invoked using java -jar fcli.jar

  • If you are experiencing an issue with the native binaries, please confirm whether the .jar version of fcli exhibits the same behavior

  • Operating system and any other relevant environment details, for example:

    • Interactive or pipeline/automation use

    • If pipeline use, what CI/CD system are you running fcli on (Jenkins, GitHub, GitLab, …)

    • What FCLI environment variables have been set

  • Steps to reproduce

  • Any other information that may be relevant