This manual page describes built-in fcli SSC actions that can be run through
the fcli ssc action run <action-name>
command.
sample
Sample Action
Synopsis
fcli ssc action run sample [fcli ssc action run options] [action options, see below]
Description
This action documents action syntax to allow users to build their own custom actions. Note that action syntax is subject to change. Custom action YAML files that work fine on the current fcli version may not work on either older or newer fcli versions, and thus may need to be updated when upgrading fcli. Please see this link for details: https://github.com/fortify/fcli/issues/515
appversion-summary
(PREVIEW) Generate application version summary.
Synopsis
fcli ssc action run appversion-summary [fcli ssc action run options] [action options, see below]
Description
This action generates a short summary listing issue counts and other statistics for a given application version. Based on user feedback on this initial version of this action, parameters and output of this action may change in the next couple of fcli releases.
Options
- --file, -f
-
Optional output file name (or 'stdout' / 'stderr'). Default value: stdout
- --appversion, --av
-
Required application version id or <appName>:<versionName>
- --filtersets, --fs
-
Comma-separated list of filter set names, guid’s or 'default' to display in the summary. If not specified, all filter sets will be included.
aws-sast-report
Generate a AWS Security Hub SAST report listing Fortify SSC SAST vulnerabilities.
Synopsis
fcli ssc action run aws-sast-report [fcli ssc action run options] [action options, see below]
Description
This action generate a ASFF report to integrate AWS Security Hub, generated reports then parsed by the lambda function, see: https://github.com/fortify/CloudDevSecOpsTemplates/ For information on how to create or update findings into AWS Security Hub, see https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-update-types.html
Options
- --file, -f
-
Optional report output file name (or 'stdout' / 'stderr'). Default value: aws-fortify-report.json
- --appversion, --av
-
Required application version id or <appName>:<versionName>
- --filterset, --fs
-
Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
- --page-size
-
Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100
- --aws-region
-
Required AWS region. Default value: AWS_REGION environment variable.
- --aws-account
-
Required AWS account id. Default value: AWS_ACCOUNT_ID environment variable.
bitbucket-sast-report
Generate a BitBucket Code Insights report listing SSC SAST vulnerabilities.
Synopsis
fcli ssc action run bitbucket-sast-report [fcli ssc action run options] [action options, see below]
Description
For information on how to import this report into BitBucket, see https://support.atlassian.com/bitbucket-cloud/docs/code-insights/
Options
- --report-file, -r
-
Optional report output file name (or 'stdout' / 'stderr'). Default value: bb-fortify-report.json
- --annotations-file, -a
-
Optional annotations output file name (or 'stdout' / 'stderr'). Default value: bb-fortify-annotations.json
- --appversion, --av
-
Required application version id or <appName>:<versionName>
- --filterset, --fs
-
Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
- --page-size
-
Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100
check-policy
(SAMPLE) Check security policy.
Synopsis
fcli ssc action run check-policy [fcli ssc action run options] [action options, see below]
github-pr-comment
(PREVIEW) Add GitHub Pull Request review comments.
Synopsis
fcli ssc action run github-pr-comment [fcli ssc action run options] [action options, see below]
Description
This action adds review comments to a GitHub Pull Request. Currently this is marked as PREVIEW as we build out this functionality; later versions may have different behavior and/or require different action parameters.
The current implementation simply compares current scan results against previous scan results in the given SSC application version, listing all new, re-introduced and removed issues in a new PR comment.
For best results, this fcli action should only be run on GitHub pull_request triggers. Upon PR creation, a new SSC application version should be created, copying state from the SSC application version that represents the branch into which the PR will be merged, and a new scan should be run on the current PR branch before invoking this fcli action.
This will ensure that scan results for the current PR will be compared against the latest scan results for the target branch upon PR creation. Optionally, new scans can be run upon PR changes, creating new PR comments that show the issue delta compared to the previous scan for this PR.
Options
- --appversion, --av
-
Required application version id or <appName>:<versionName>
- --filterset, --fs
-
Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
- --analysis-type, -t
-
Analysis type for which to list vulnerabilities. Default value: SCA
- --github-token
-
Required GitHub Token. Default value: GITHUB_TOKEN environment variable.
- --github-owner
-
Required GitHub repository owner. Default value: GITHUB_REPOSITORY_OWNER environment variable.
- --github-repo
-
Required GitHub repository. Default value: Taken from GITHUB_REPOSITORY environment variable.
- --pr
-
Required PR number. Default value: Taken from GITHUB_REF_NAME environment variable. Note that default value will only work on GitHub pull_request triggers; if this fcli action is invoked through any other GitHub trigger, it will fail unless an explicit PR number is passed through this option.
- --commit
-
Required commit hash. Default value: GITHUB_SHA environment variable.
- --dryrun
-
Set to true to just output PR decoration JSON; don’t actually update any PR
github-sast-report
Generate a GitHub Code Scanning report listing SSC SAST vulnerabilities.
Synopsis
fcli ssc action run github-sast-report [fcli ssc action run options] [action options, see below]
Description
For information on how to import this report into GitHub, see https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
Options
- --file, -f
-
Optional output file name (or 'stdout' / 'stderr'). Default value: gh-fortify-sast.sarif
- --appversion, --av
-
Required application version id or <appName>:<versionName>
- --filterset, --fs
-
Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
- --page-size
-
Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100
gitlab-dast-report
Generate a GitLab DAST report listing SSC DAST vulnerabilities.
Synopsis
fcli ssc action run gitlab-dast-report [fcli ssc action run options] [action options, see below]
Description
For information on how to import this report into GitLab, see https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdast
Options
- --file, -f
-
Optional output file name (or 'stdout' / 'stderr'). Default value: gl-fortify-dast.json
- --appversion, --av
-
Required application version id or <appName>:<versionName>
- --filterset, --fs
-
Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
- --page-size
-
Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100
gitlab-debricked-report
Generate a GitLab Dependency Scanning report listing SSC Debricked vulnerabilities.
Synopsis
fcli ssc action run gitlab-debricked-report [fcli ssc action run options] [action options, see below]
Description
For information on how to import this report into GitLab, see https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdependency_scanning
Options
- --file, -f
-
Optional output file name (or 'stdout' / 'stderr'). Default value: gl-fortify-debricked-depscan.json
- --appversion, --av
-
Required application version id or <appName>:<versionName>
- --filterset, --fs
-
Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
- --page-size
-
Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100
gitlab-sast-report
Generate a GitLab SAST report listing SSC SAST vulnerabilities.
Synopsis
fcli ssc action run gitlab-sast-report [fcli ssc action run options] [action options, see below]
Description
For information on how to import this report into GitLab, see https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportssast
Options
- --file, -f
-
Optional output file name (or 'stdout' / 'stderr'). Default value: gl-fortify-sast.json
- --appversion, --av
-
Required application version id or <appName>:<versionName>
- --filterset, --fs
-
Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
- --page-size
-
Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100
gitlab-sonatype-report
Generate a GitLab Dependency Scanning report listing SSC Sonatype vulnerabilities.
Synopsis
fcli ssc action run gitlab-sonatype-report [fcli ssc action run options] [action options, see below]
Description
For information on how to import this report into GitLab, see https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdependency_scanning
Options
- --file, -f
-
Optional output file name (or 'stdout' / 'stderr'). Default value: gl-fortify-sonatype-depscan.json
- --appversion, --av
-
Required application version id or <appName>:<versionName>
- --filterset, --fs
-
Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
- --page-size
-
Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100
sarif-sast-report
Generate SARIF report listing SSC SAST vulnerabilities.
Synopsis
fcli ssc action run sarif-sast-report [fcli ssc action run options] [action options, see below]
Description
This action generates a SARIF report listing Fortify SAST vulnerabilities, which may be useful for integration with various 3rd-party tools that can ingest SARIF reports. For more information about SARIF, please see https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
Options
- --file, -f
-
Optional output file name (or 'stdout' / 'stderr'). Default value: fortify-sast.sarif
- --appversion, --av
-
Required application version id or <appName>:<versionName>
- --filterset, --fs
-
Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
- --page-size
-
Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100
setup-appversion
(PREVIEW) Set up application version.
Synopsis
fcli ssc action run setup-appversion [fcli ssc action run options] [action options, see below]
Description
This action is primarily meant for use in CI/CD integrations, allowing users to provide a custom action with a customized application version setup process if necessary.
For example, such a custom action could define standard profiles (based on team, business unit, application type/risk, …) with predefined users, attributes or issue template to be set on newly created application versions. Of course, instead of having a single custom action that defines profiles, you could also provide multiple custom actions that users can select from, or you can use a combination; each business unit or team providing their own custom action, with each of these custom actions defining profiles for different application types/risk.
This built-in action only provides a 'default' profile that simply invokes the
fcli ssc appversion create
command, passing the following options by default:
--skip-if-exists
, --auto-required-attrs
, --refresh
, --refresh-timeout 300s
.
Additional creation options can be passed through the various action options, which
includes the ability to override the default refresh timeout (only applicable when
copying an existing application version).
Options
- --appversion, --av
-
Required application version name as <appName>:<versionName>
- --profile, -p
-
This built-in action only supports the 'default' profile, which is selected by default
- --add-users
- --attrs, --attributes
- --copy
- --description, -d
- --copy-from, --from
- --issue-template
- --refresh-timeout
-
See 'fcli ssc av create'. Default value: 300s
sonarqube-sast-report
Generate a SonarQube External Issues report listing SSC SAST vulnerabilities.
Synopsis
fcli ssc action run sonarqube-sast-report [fcli ssc action run options] [action options, see below]
Description
For information on how to import this report into SonarQube, see https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/importing-external-issues/external-analyzer-reports/
Options
- --file, -f
-
Optional output file name (or 'stdout' / 'stderr'). Default value: sq-fortify-sast.json
- --file-path-prefix, --pfx
-
Optional prefix for issue file paths
- --appversion, --av
-
Required application version id or <appName>:<versionName>
- --filterset, --fs
-
Optional filter set name or guid from which to load issue data. Default value: Default filter set for given application version
- --page-size
-
Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100