This manual page describes built-in fcli FoD actions that can be run through the fcli fod action run <action-name> command.

sample

Sample Action

Synopsis

fcli fod action run sample [fcli fod action run options] [action options, see below]

Description

This action documents action syntax to allow users to build their own custom actions. Note that action syntax is subject to change. Custom action YAML files that work fine on the current fcli version may not work on either older or newer fcli versions, and thus may need to be updated when upgrading fcli. Please see this link for details: https://github.com/fortify/fcli/issues/515

Options

--file, -f

Output file name (or 'stdout' / 'stderr'). Default value: sample.json

--github-token

Required GitHub Token. Default value: GITHUB_TOKEN environment variable.

--github-org, --gho

GitHub owner/organization for which to list repositories

aws-sast-report

Generate a AWS Security Hub SAST report listing FoD SAST vulnerabilities.

Synopsis

fcli fod action run aws-sast-report [fcli fod action run options] [action options, see below]

Description

This action generate a ASFF report to integrate AWS Security Hub, generated reports then parsed by the lambda function, see: https://github.com/fortify/CloudDevSecOpsTemplates/ For information on how to create or update findings into AWS Security Hub, see https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-update-types.html

Options

--file, -f

Optional report output file name (or 'stdout' / 'stderr'). Default value: aws-fortify-report.json

--release, --rel

Required release id or <appName>:[<microserviceName>:]<releaseName>

--aws-region

Required AWS region. Default value: AWS_REGION environment variable.

--aws-account

Required AWS account id. Default value: AWS_ACCOUNT_ID environment variable.

bitbucket-sast-report

Generate a BitBucket Code Insights report listing FoD SAST vulnerabilities.

Synopsis

fcli fod action run bitbucket-sast-report [fcli fod action run options] [action options, see below]

Description

For information on how to import this report into BitBucket, see https://support.atlassian.com/bitbucket-cloud/docs/code-insights/

Options

--report-file, -r

Optional report output file name (or 'stdout' / 'stderr'). Default value: bb-fortify-report.json

--annotations-file, -a

Optional annotations output file name (or 'stdout' / 'stderr'). Default value: bb-fortify-annotations.json

--release, --rel

Required release id or <appName>:[<microserviceName>:]<releaseName>

check-policy

Check security policy.

Synopsis

fcli fod action run check-policy [fcli fod action run options] [action options, see below]

Description

This action checks the outcome of the FoD Security Policy, returning a non-zero exit code if FoD Security Policy status is Fail. Having this defined in an fcli action allows for users to implement custom security policy checks through a custom action, for example if they need more granuality than what’s provided by the standard FoD Security Policy.

Options

--release, --rel

Required release id or <appName>:[<microserviceName>:]<releaseName>

github-pr-comment

(PREVIEW) Add GitHub Pull Request review comments.

Synopsis

fcli fod action run github-pr-comment [fcli fod action run options] [action options, see below]

Description

This action adds review comments to a GitHub Pull Request. Currently this is marked as PREVIEW as we build out this functionality; later versions may have different behavior and/or require different action parameters.

The current implementation simply compares current scan results against previous scan results in the given FoD release, listing all new, re-introduced and removed issues in a new PR comment.

For best results, this fcli action should only be run on GitHub pull_request triggers. Upon PR creation, a new FoD release should be created, copying state from the FoD release that represents the branch into which the PR will be merged, and a new scan should be run on the current PR branch before invoking this fcli action.

This will ensure that scan results for the current PR will be compared against the latest scan results for the target branch upon PR creation. Optionally, new scans can be run upon PR changes, creating new PR comments that show the issue delta compared to the previous scan for this PR.

Options

--release, --rel

Required release id or <appName>:[<microserviceName>:]<releaseName>

--scan-type, -t

Scan type for which to list vulnerabilities. Default value: Static

--github-token

Required GitHub Token. Default value: GITHUB_TOKEN environment variable.

--github-owner

Required GitHub repository owner. Default value: GITHUB_REPOSITORY_OWNER environment variable.

--github-repo

Required GitHub repository. Default value: Taken from GITHUB_REPOSITORY environment variable.

--pr

Required PR number. Default value: Taken from GITHUB_REF_NAME environment variable. Note that default value will only work on GitHub pull_request triggers; if this fcli action is invoked through any other GitHub trigger, it will fail unless an explicit PR number is passed through this option.

--commit

Required commit hash. Default value: GITHUB_SHA environment variable.

--dryrun

Set to true to just output PR decoration JSON; don’t actually update any PR

github-sast-report

Generate a GitHub Code Scanning report listing FoD SAST vulnerabilities.

Synopsis

fcli fod action run github-sast-report [fcli fod action run options] [action options, see below]

Options

--file, -f

Optional output file name (or 'stdout' / 'stderr'). Default value: gh-fortify-sast.sarif

--release, --rel

Required release id or <appName>:[<microserviceName>:]<releaseName>

gitlab-dast-report

Generate a GitLab DAST report listing FoD DAST vulnerabilities.

Synopsis

fcli fod action run gitlab-dast-report [fcli fod action run options] [action options, see below]

Description

For information on how to import this report into GitLab, see https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdast

Options

--file, -f

Optional output file name (or 'stdout' / 'stderr'). Default value: gl-fortify-dast.json

--release, --rel

Required release id or <appName>:[<microserviceName>:]<releaseName>

gitlab-sast-report

Generate a GitLab SAST report listing FoD SAST vulnerabilities.

Synopsis

fcli fod action run gitlab-sast-report [fcli fod action run options] [action options, see below]

Description

For information on how to import this report into GitLab, see https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportssast

Options

--file, -f

Optional output file name (or 'stdout' / 'stderr'). Default value: gl-fortify-sast.json

--release, --rel

Required release id or <appName>:[<microserviceName>:]<releaseName>

release-summary

(PREVIEW) Generate release summary.

Synopsis

fcli fod action run release-summary [fcli fod action run options] [action options, see below]

Description

This action generates a short summary listing issue counts and other statistics for a given release. Based on user feedback on this initial version of this action, parameters and output of this action may change in the next couple of fcli releases.

Options

--file, -f

Optional output file name (or 'stdout' / 'stderr'). Default value: stdout

--release, --rel

Required release id or <appName>:[<microserviceName>:]<releaseName>

sarif-sast-report

Generate SARIF report listing SSC SAST vulnerabilities.

Synopsis

fcli fod action run sarif-sast-report [fcli fod action run options] [action options, see below]

Description

This action generates a SARIF report listing Fortify SAST vulnerabilities, which may be useful for integration with various 3rd-party tools that can ingest SARIF reports. For more information about SARIF, please see https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html

Options

--file, -f

Optional output file name (or 'stdout' / 'stderr'). Default value: fortify-sast.sarif

--release, --rel

Required release id or <appName>:[<microserviceName>:]<releaseName>

setup-release

(PREVIEW) Set up application release.

Synopsis

fcli fod action run setup-release [fcli fod action run options] [action options, see below]

Description

his action is primarily meant for use in CI/CD integrations, allowing users to rovide a custom action with a customized application release setup process if ecessary.

For example, such a custom action could define standard profiles (based on team, business unit, application type/risk, …​) with predefined users, attributes or issue template to be set on newly created application releases. Of course, instead of having a single custom action that defines profiles, you could also provide multiple custom actions that users can select from, or you can use a combination; each business unit or team providing their own custom action, with each of these custom actions defining profiles for different application types/risk.

This built-in action only provides a 'default' profile that simply invokes the fcli fod release create and optionally fcli fod sast-scan setup commands with some default options, amended with options passed to this action.

Options

--release, --rel

Required release name as <application>[:<microservice>]:<release>

--profile, -p

This built-in action only supports the 'default' profile, which is selected by default

--scan-types, -t

Optional comma-separated list of scan type(s) to set up; for now, only 'sast' is supported

--copy-from

See fcli fod release create

--description, -d

See fcli fod release create

--sdlc-status, --status

See fcli fod release create

--assessment-type

See fcli fod sast-scan setup

--use-aviator

See fcli fod sast-scan setup

--oss

See fcli fod sast-scan setup

--attributes, --attrs

Optional comma-separated list of attributes to set on the application and/or release

sonarqube-sast-report

Generate a SonarQube External Issues report listing FoD SAST vulnerabilities.

Synopsis

fcli fod action run sonarqube-sast-report [fcli fod action run options] [action options, see below]

Options

--file, -f

Optional output file name (or 'stdout' / 'stderr'). Default value: sq-fortify-sast.json

--file-path-prefix, --pfx

Optional prefix for issue file paths

--release, --rel

Required release id or <appName>:[<microserviceName>:]<releaseName>