Fcli FoD Actions

fcli fod action run sample [fcli fod action run options] [action options, see below]

This action documents action syntax to allow users to build their own custom actions. Note that action syntax is subject to change. Custom action YAML files that work fine on the current fcli version may not work on either older or newer fcli versions, and thus may need to be updated when upgrading fcli. Please see this link for details: https://github.com/fortify/fcli/issues/515

fcli fod action run aws-sast-report [fcli fod action run options] [action options, see below]

This action generate a ASFF report to integrate AWS Security Hub, generated reports then parsed by the lambda function, see: https://github.com/fortify/CloudDevSecOpsTemplates/ For information on how to create or update findings into AWS Security Hub, see https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-update-types.html

fcli fod action run bitbucket-sast-report [fcli fod action run options] [action options, see below]

For information on how to import this report into BitBucket, see https://support.atlassian.com/bitbucket-cloud/docs/code-insights/

fcli fod action run check-policy [fcli fod action run options] [action options, see below]

This action checks the outcome of the FoD Security Policy, returning a non-zero exit code if FoD Security Policy status is Fail. Having this defined in an fcli action allows for users to implement custom security policy checks through a custom action, for example if they need more granuality than what’s provided by the standard FoD Security Policy.

fcli fod action run github-pr-comment [fcli fod action run options] [action options, see below]

This action adds review comments to a GitHub Pull Request. Currently this is marked as PREVIEW as we build out this functionality; later versions may have different behavior and/or require different action parameters.

The current implementation simply compares current scan results against previous scan results in the given FoD release, listing all new, re-introduced and removed issues in a new PR comment.

For best results, this fcli action should only be run on GitHub pull_request triggers. Upon PR creation, a new FoD release should be created, copying state from the FoD release that represents the branch into which the PR will be merged, and a new scan should be run on the current PR branch before invoking this fcli action.

This will ensure that scan results for the current PR will be compared against the latest scan results for the target branch upon PR creation. Optionally, new scans can be run upon PR changes, creating new PR comments that show the issue delta compared to the previous scan for this PR.

fcli fod action run github-sast-report [fcli fod action run options] [action options, see below]

For information on how to import this report into GitHub, see https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github

fcli fod action run gitlab-dast-report [fcli fod action run options] [action options, see below]

For information on how to import this report into GitLab, see https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdast

fcli fod action run gitlab-sast-report [fcli fod action run options] [action options, see below]

For information on how to import this report into GitLab, see https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportssast

fcli fod action run release-summary [fcli fod action run options] [action options, see below]

This action generates a short summary listing issue counts and other statistics for a given release. Based on user feedback on this initial version of this action, parameters and output of this action may change in the next couple of fcli releases.

fcli fod action run sarif-sast-report [fcli fod action run options] [action options, see below]

This action generates a SARIF report listing Fortify SAST vulnerabilities, which may be useful for integration with various 3rd-party tools that can ingest SARIF reports. For more information about SARIF, please see https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html

fcli fod action run setup-release [fcli fod action run options] [action options, see below]

This action allows for preparing an application release for running an application security scan. It will create the application and/or release if they do not exist yet, and optionally configure scan settings. For now, only static scan setup is supported, including optional software composition analysis. Support for other scan types like Dynamic or Mobile may be added in the future, or you may consider implementing a custom setup action to set up other scan types.

Although the same functionality can be achieved by manually running the various fcli commands used by this action, like fcli fod release create and fcli fod sast-scan setup, this action provides a convenient and standardized approach for running those commands, providing default values for many of the required options.

To provide even more consistency across CI/CD pipelines in your organization, it is recommended to implement one or more custom setup actions that provide suitable default values or even hard-coded, non-overridable values for the various options, for example based on business unit, team, and/or application type. Such custom actions could for example set standard application or release attributes for a particular type of application to be scanned. Alternative to implementing multiple custom actions, you may also consider implementing a single custom action that takes for example a --profile option to select between different profiles that each define appropriate option values and setup commands to run.

fcli fod action run sonarqube-sast-report [fcli fod action run options] [action options, see below]

For information on how to import this report into SonarQube, see https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/importing-external-issues/external-analyzer-reports/