This manual page describes built-in fcli actions that can be run through the fcli fod action run <action-name> command.
aws-sast-report
Generate an AWS Security Hub SAST report listing FoD SAST vulnerabilities.
Synopsis
fcli fod action run aws-sast-report [fcli fod action run options] [action options, see below]
Description
This action generates an ASFF (AWS Security Finding Format) report for integration with AWS Security Hub; the generated report is then parsed by the Lambda function, see: https://github.com/fortify/CloudDevSecOpsTemplates/ For information on how to create or update findings in AWS Security Hub, see https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-update-types.html
Options
- --file, -f: Optional report output file name (or 'stdout' / 'stderr'). Default value: aws-fortify-report.json
- --release, --rel: Required release id or <appName>:[<microserviceName>:]<releaseName>
- --aws-region: Required AWS region. Default value: AWS_REGION environment variable.
- --aws-account: Required AWS account id. Default value: AWS_ACCOUNT_ID environment variable.
- --source-dir: (PREVIEW) Optional local repository directory to convert Fortify-reported source file paths to actual repository file paths
bitbucket-sast-report
Generate a BitBucket Code Insights report listing FoD SAST vulnerabilities.
Synopsis
fcli fod action run bitbucket-sast-report [fcli fod action run options] [action options, see below]
Description
For information on how to import this report into BitBucket, see https://support.atlassian.com/bitbucket-cloud/docs/code-insights/
Options
- --report-file, -r: Optional report output file name (or 'stdout' / 'stderr'). Default value: bb-fortify-report.json
- --annotations-file, -a: Optional annotations output file name (or 'stdout' / 'stderr'). Default value: bb-fortify-annotations.json
- --release, --rel: Required release id or <appName>:[<microserviceName>:]<releaseName>
- --source-dir: (PREVIEW) Optional local repository directory to convert Fortify-reported source file paths to actual repository file paths
check-policy
Check security policy.
Synopsis
fcli fod action run check-policy [fcli fod action run options] [action options, see below]
Description
This action checks the outcome of the FoD Security Policy, returning a non-zero exit code if the FoD Security Policy status is Fail. Having this defined in an fcli action allows users to implement custom security policy checks through a custom action, for example if they need more granularity than what’s provided by the standard FoD Security Policy.
ci
(PREVIEW) Run FoD CI pipeline
Synopsis
fcli fod action run ci [fcli fod action run options] [action options, see below]
Description
This action can be used to run a full, standardized CI pipeline that performs the following activities:
- Create & configure FoD application release if needed
- Package source code
- Submit SAST scan request
- Wait for SAST scan completion
- Perform post-scan activities, like checking policy outcome, exporting results, …
Configuration for this fcli action is done through environment variables; the table below lists the environment variables supported by this action.
| Environment Variable | Description | 
|---|---|
| FOD_RELEASE | Fortify on Demand release to use with this action. This should be specified as  | 
| DO_SETUP | If  | 
| PACKAGE_ACTION | By default, when running a SAST scan, the fcli package action is used to (optionally) package the source code to be scanned; see next entry for information on how to configure the default package action. If the standard fcli package action doesn’t meet your needs, for example if you want to perform a local translation using Fortify Static Code Analyzer, you can use  | 
| USE_PACKAGE | These environment variables define packaging behavior. If  | 
| DO_SAST_SCAN | The fcli  | 
| DO_SAST_WAIT | By default, the fcli  | 
| DO_RELEASE_SUMMARY | If  | 
| DO_CHECK_POLICY | If  | 
| DO_PR_COMMENT | (PREVIEW) If  | 
| DO_SAST_EXPORT | If  | 
ci-vars
(PREVIEW) Collect CI-specific data
Synopsis
fcli fod action run ci-vars [fcli fod action run options] [action options, see below]
Description
This action collects data used by the SSC & FoD 'ci' actions, based on CI-specific data like CI-specific environment variables. Data is collected in a CI-agnostic global variable named 'ci'. Note that available properties on the global 'ci' variable may change across fcli releases, potentially breaking any custom actions that depend on these properties.
github-pr-comment
(PREVIEW) Add GitHub Pull Request review comments.
Synopsis
fcli fod action run github-pr-comment [fcli fod action run options] [action options, see below]
Description
This action adds review comments to a GitHub Pull Request. Currently this is marked as PREVIEW as we build out this functionality; later versions may have different behavior and/or require different action command-line options.
The current implementation simply compares current scan results against previous scan results in the given FoD release, listing all new, re-introduced and removed issues in a new PR comment.
For best results, this fcli action should only be run on GitHub pull_request triggers. Upon PR creation, a new FoD release should be created, copying state from the FoD release that represents the branch into which the PR will be merged, and a new scan should be run on the current PR branch before invoking this fcli action.
This will ensure that scan results for the current PR will be compared against the latest scan results for the target branch upon PR creation. Optionally, new scans can be run upon PR changes, creating new PR comments that show the issue delta compared to the previous scan for this PR.
Options
- --release, --rel: Required release id or <appName>:[<microserviceName>:]<releaseName>
- --scan-type, -t: Scan type for which to list vulnerabilities. Default value: Static
- --github-api-url: Required GitHub API URL. Default value: GITHUB_API_URL environment variable.
- --github-token: Required GitHub Token. Default value: GITHUB_TOKEN environment variable.
- --github-owner: Required GitHub repository owner. Default value: GITHUB_REPOSITORY_OWNER environment variable.
- --github-repo: Required GitHub repository. Default value: Taken from GITHUB_REPOSITORY environment variable.
- --pr: Required PR number. Default value: Taken from GITHUB_REF_NAME environment variable. Note that the default value will only work on GitHub pull_request triggers; if this fcli action is invoked through any other GitHub trigger, it will fail unless an explicit PR number is passed through this option.
- --commit: Required commit hash. Default value: GITHUB_SHA environment variable.
- --dryrun: Set to true to just output PR decoration JSON; don’t actually update any PR
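As an added example that is not part of fcli or this manual page, the Python script below wires the pull-request flow described above into a GitHub Actions job: it derives the PR number from GITHUB_REF_NAME (which GitHub sets to <pr_number>/merge on pull_request triggers and to a branch or tag name otherwise), creates a PR release copied from the target branch's release with setup-release --copy-from, runs the ci action against that release, and finally invokes github-pr-comment with an explicit --pr. The FOD_APP variable, the one-release-per-branch naming convention and the argument form of --copy-from are assumptions; the remaining github-pr-comment options are left to their GITHUB_* environment defaults, so the job must export GITHUB_TOKEN itself.

```python
import os
import subprocess


def pr_number_from_ref(ref_name):
    """Derive the PR number from GITHUB_REF_NAME.

    GitHub sets GITHUB_REF_NAME to '<pr_number>/merge' on pull_request
    triggers; on any other trigger it holds a branch or tag name, so this
    returns None and --pr has to be supplied explicitly, as the manual notes."""
    head, sep, tail = ref_name.partition("/")
    if sep and tail == "merge" and head.isdigit():
        return int(head)
    return None


def plan_pr_pipeline(env):
    """Build the ordered fcli invocations for one pull request run.

    Returns a list of (argv, extra_env) pairs. Naming assumptions (not from
    fcli): the FoD application name comes from FOD_APP, the target branch has
    a release named after it, and the PR release is named 'pr-<number>'."""
    pr = pr_number_from_ref(env.get("GITHUB_REF_NAME", ""))
    if pr is None:
        raise ValueError("not a pull_request run: GITHUB_REF_NAME=%r"
                         % env.get("GITHUB_REF_NAME"))
    app = env["FOD_APP"]
    target_release = "%s:%s" % (app, env["GITHUB_BASE_REF"])
    pr_release = "%s:pr-%d" % (app, pr)
    return [
        # 1. Create the PR release as a copy of the target branch's release
        #    (the argument form of --copy-from is an assumption).
        (["fcli", "fod", "action", "run", "setup-release",
          "--release", pr_release, "--copy-from", target_release], {}),
        # 2. Package, submit the SAST scan and wait for it; the ci action is
        #    configured through environment variables such as FOD_RELEASE.
        (["fcli", "fod", "action", "run", "ci"], {"FOD_RELEASE": pr_release}),
        # 3. Post the issue delta as a PR comment. --pr is passed explicitly;
        #    the other GitHub options fall back to the GITHUB_* environment.
        (["fcli", "fod", "action", "run", "github-pr-comment",
          "--release", pr_release, "--pr", str(pr)], {}),
    ]


def run_pipeline(steps, base_env=None):
    """Run the steps in order and stop at the first non-zero exit code."""
    base_env = dict(os.environ if base_env is None else base_env)
    for argv, extra in steps:
        print("+", " ".join(argv))
        rc = subprocess.run(argv, env={**base_env, **extra}).returncode
        if rc != 0:
            return rc
    return 0


if __name__ == "__main__":
    import sys
    sys.exit(run_pipeline(plan_pr_pipeline(os.environ)))
```

Because plan_pr_pipeline only builds the command lines, it can be unit-tested without FoD access; run_pipeline is the only part that needs an authenticated fcli session and the GitHub token in the environment.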
github-sast-report
Generate a GitHub Code Scanning report listing FoD SAST vulnerabilities.
Synopsis
fcli fod action run github-sast-report [fcli fod action run options] [action options, see below]
Description
For information on how to import this report into GitHub, see https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
Options
- --file, -f: Optional output file name (or 'stdout' / 'stderr'). Default value: gh-fortify-sast.sarif
- --release, --rel: Required release id or <appName>:[<microserviceName>:]<releaseName>
- --source-dir: (PREVIEW) Optional local repository directory to convert Fortify-reported source file paths to actual repository file paths
gitlab-codequality-report
Generate a GitLab Code Quality report listing FoD SAST vulnerabilities.
Synopsis
fcli fod action run gitlab-codequality-report [fcli fod action run options] [action options, see below]
Description
For information on how to import this report into GitLab, see https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscodequality
Options
- --file, -f: Optional output file name (or 'stdout' / 'stderr'). Default value: gl-fortify-codequality.json
- --release, --rel: Required release id or <appName>:[<microserviceName>:]<releaseName>
- --source-dir: (PREVIEW) Optional local repository directory to convert Fortify-reported source file paths to actual repository file paths
gitlab-dast-report
Generate a GitLab DAST report listing FoD DAST vulnerabilities.
Synopsis
fcli fod action run gitlab-dast-report [fcli fod action run options] [action options, see below]
Description
For information on how to import this report into GitLab, see https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdast
gitlab-debricked-report
Generate a GitLab Dependency Scanning report listing FoD SCA (Debricked) vulnerabilities.
Synopsis
fcli fod action run gitlab-debricked-report [fcli fod action run options] [action options, see below]
Description
For information on how to import this report into GitLab, see https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdependency_scanning
gitlab-sast-report
Generate a GitLab SAST report listing FoD SAST vulnerabilities.
Synopsis
fcli fod action run gitlab-sast-report [fcli fod action run options] [action options, see below]
Description
For information on how to import this report into GitLab, see https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportssast
Options
- --file, -f: Optional output file name (or 'stdout' / 'stderr'). Default value: gl-fortify-sast.json
- --release, --rel: Required release id or <appName>:[<microserviceName>:]<releaseName>
- --source-dir: (PREVIEW) Optional local repository directory to convert Fortify-reported source file paths to actual repository file paths
package
(PREVIEW) Package source code
Synopsis
fcli fod action run package [fcli fod action run options] [action options, see below]
Description
This action can be used to package source code using ScanCentral Client. It takes care of installing the specified ScanCentral Client version and then executes the 'scancentral package' command with that version. To enable debug logging on the scancentral command, use the fcli --debug option, optionally combined with --log-level=NONE to collect only ScanCentral logs, not fcli logs.
Options
- --use-package: Use an existing package file instead of trying to package the given source code directory. If specified, this ignores all other options.
- --sc-client-version, -v: Specify the ScanCentral Client version to be used for packaging. Defaults to the value of the SC_CLIENT_VERSION environment variable, or 'latest' if not specified.
- --source-dir, -d: Specify the source directory to be packaged. Defaults to the value of the SOURCE_DIR environment variable, or the current working directory if not specified.
- --tool-definitions: Custom tool definitions to use for identifying available ScanCentral Client versions and download URLs. Defaults to the value of the TOOL_DEFINITIONS environment variable, or the built-in default if not specified.
- --extra-opts: Extra options to be passed to the 'scancentral package' command. Defaults to the options specified in the EXTRA_PACKAGE_OPTS environment variable, or no extra options if not specified.
- --output, -o: Name of the zip file in which packaged source code should be stored. Defaults to package.zip in the current working directory.
release-summary
(PREVIEW) Generate release summary.
Synopsis
fcli fod action run release-summary [fcli fod action run options] [action options, see below]
sarif-sast-report
Generate a SARIF report listing SSC SAST vulnerabilities.
Synopsis
fcli fod action run sarif-sast-report [fcli fod action run options] [action options, see below]
Description
This action generates a SARIF report listing Fortify SAST vulnerabilities, which may be useful for integration with various 3rd-party tools that can ingest SARIF reports. For more information about SARIF, please see https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
Options
- --file, -f: Optional output file name (or 'stdout' / 'stderr'). Default value: fortify-sast.sarif
- --release, --rel: Required release id or <appName>:[<microserviceName>:]<releaseName>
- --source-dir: (PREVIEW) Optional local repository directory to convert Fortify-reported source file paths to actual repository file paths
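The SARIF file written by sarif-sast-report (or by github-sast-report) can feed a custom policy gate of the kind the check-policy description alludes to. The Python script below is an added example, not part of fcli or this manual page: it reads a SARIF 2.1.0 document, ignores results whose kind is not "fail" or that carry a suppression, counts the remaining findings per SARIF level, and exits non-zero when a per-level limit is exceeded. The embedded sample document, its rule ids, file names and line numbers are constructed for the example, and the thresholds in the main block are assumptions.

```python
import json
import sys
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for a report written by
# `fcli fod action run sarif-sast-report --file fortify-sast.sarif`; rule ids,
# paths and counts are made up for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Fortify SAST (constructed sample)"}},
        "results": [
            {"ruleId": "SQL Injection", "level": "error",
             "message": {"text": "Untrusted input reaches a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/Dao.java"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "Log Forging", "level": "warning",
             "message": {"text": "Untrusted input written to a log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/Audit.java"},
                 "region": {"startLine": 17}}}]},
            # No explicit level: SARIF 2.1.0 defines the default as "warning".
            {"ruleId": "Dead Code", "message": {"text": "Unused variable"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/Util.java"}}}]},
            # A kind other than "fail" (here a passed check) is not a finding.
            {"ruleId": "SQL Injection", "kind": "pass", "level": "none",
             "message": {"text": "Query uses bound parameters"}},
            # A suppressed result is in the report but must not count against policy.
            {"ruleId": "Path Manipulation", "level": "error",
             "suppressions": [{"kind": "external"}],
             "message": {"text": "Audited: path is validated upstream"}},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten every run into rule/level/uri/line records, skipping results
    that are not failures or that carry a suppression."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError("unsupported SARIF version: %r" % doc.get("version"))
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            if result.get("kind", "fail") != "fail" or result.get("suppressions"):
                continue
            locations = result.get("locations") or [{}]
            physical = locations[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "<no rule>"),
                "level": result.get("level", "warning"),  # SARIF default level
                "uri": physical.get("artifactLocation", {}).get("uri", "<unknown>"),
                "line": physical.get("region", {}).get("startLine"),
            })
    return findings


def count_by_level(findings):
    """Number of findings per SARIF level (error / warning / note)."""
    return Counter(finding["level"] for finding in findings)


def evaluate(counts, policy):
    """One message per level whose count exceeds the policy's maximum;
    policy maps a SARIF level to the largest count still acceptable."""
    return ["%s: %d finding(s), policy allows at most %d"
            % (level, counts.get(level, 0), limit)
            for level, limit in policy.items() if counts.get(level, 0) > limit]


def gate(sarif_text, policy):
    """Exit code for a CI step: 0 when the policy holds, 1 otherwise, the same
    non-zero-on-failure contract the built-in check-policy action uses."""
    findings = load_findings(sarif_text)
    for finding in findings:
        print("%-8s %s at %s:%s" % (finding["level"], finding["rule"],
                                    finding["uri"], finding["line"]))
    violations = evaluate(count_by_level(findings), policy)
    for violation in violations:
        print("POLICY VIOLATION:", violation)
    return 1 if violations else 0


if __name__ == "__main__":
    # Assumed thresholds: no error-level findings, at most ten warnings.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    sys.exit(gate(text, {"error": 0, "warning": 10}))
```

Run it as `python gate.py fortify-sast.sarif` after the report action; with no argument it evaluates the embedded sample. Because the script keys on SARIF level rather than on Fortify-specific properties, the same gate works on any SARIF 2.1.0 producer, and the suppression check keeps audited findings from failing the build.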
servicenow-csv-report
(PREVIEW) Generate ServiceNow CSV report
Synopsis
fcli fod action run servicenow-csv-report [fcli fod action run options] [action options, see below]
Description
This action generates a CSV report that can be imported into the ServiceNow Vulnerability Response module; please see the following link for details: https://www.servicenow.com/docs/bundle/xanadu-security-management/page/product/vulnerability-response/reference/manual-ingestion-template.html
The CSV report includes all SAST, DAST, and SCA issues available in the given FoD release.
setup-release
Set up application release.
Synopsis
fcli fod action run setup-release [fcli fod action run options] [action options, see below]
Description
This action allows for preparing an application release for running an application security scan. It will create the application and/or release if they do not exist yet, and optionally configure scan settings. For now, only static scan setup is supported, including optional software composition analysis. Support for other scan types like Dynamic or Mobile may be added in the future, or you may consider implementing a custom setup action to set up other scan types.
Although the same functionality can be achieved by manually running the various fcli commands used by this action, like fcli fod release create and fcli fod sast-scan setup, this action provides a convenient and standardized approach for running those commands, providing default values for many of the required options.
To provide even more consistency across CI/CD pipelines in your organization, it is recommended to implement one or more custom setup actions that provide suitable default values or even hard-coded, non-overridable values for the various options, for example based on business unit, team, and/or application type. Such custom actions could for example set standard application or release attributes for a particular type of application to be scanned. As an alternative to implementing multiple custom actions, you may also consider implementing a single custom action that takes for example a --profile option to select between different profiles that each define appropriate option values and setup commands to run.
Options
- --release, --rel: Required release name as <application>[:<microservice>]:<release>
- --scan-types, -t: Optional comma-separated list of scan type(s) to set up; for now, only 'sast' is supported
- --attributes, --attrs: Optional comma-separated list of attributes to set on the application and/or release
- --copy-from
- --description, -d
- --sdlc-status, --status: See fcli fod release create. Default value: Development
- --app-description
- --app-notify
- --app-owner
- --app-groups
- --app-type: See fcli fod release create. Default value: Web
- --app-criticality: See fcli fod release create. Default value: Medium
- --store
- --assessment-type
- --use-aviator
- --oss
- --technology-stack
- --language-level
sonarqube-sast-report
Generate a SonarQube External Issues report listing FoD SAST vulnerabilities.
Synopsis
fcli fod action run sonarqube-sast-report [fcli fod action run options] [action options, see below]
Description
For information on how to import this report into SonarQube, see https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/importing-external-issues/external-analyzer-reports/
Options
- --file, -f: Optional output file name (or 'stdout' / 'stderr'). Default value: sq-fortify-sast.json
- --file-path-prefix, --pfx: Optional prefix for issue file paths; please consider using the --source-dir option instead
- --release, --rel: Required release id or <appName>:[<microserviceName>:]<releaseName>
- --source-dir: (PREVIEW) Optional local repository directory to convert Fortify-reported source file paths to actual repository file paths