Overview

The fortify/github-action/setup@v3 action allows for setting up fcli and various other Fortify tools for use in custom CI/CD workflows. This allows you to implement fully customized AST scan workflows or other automation workflows that interact with Fortify products.

The Fortify tools to be installed are specified through action inputs, whereas optional bootstrapping behavior for fcli and supporting tools can be controlled through environment variables.

Quick Start Example

Basic setup for custom workflows with fcli version pinning.

name: Custom Fortify Workflow
on: [push]

jobs:
  custom-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: fortify/github-action/setup@v3
        with:
          fcli: bootstrapped               # Set up bootstrapped fcli version. May also specify specific version, but
                                           # then fcli may be downloaded twice (bootstrap version and requested version).

        env:
          FCLI_BOOTSTRAP_VERSION: v3.15.0  # Defaults to latest v3.x.y, pin to specific version for stability
      - name: Run custom fcli commands
        run: |
          fcli fod session login ...
          # Your custom workflow here
          fcli fod session logout ...

Tips & Recommendations

Air-Gapped Environments

For air-gapped or restricted network environments, host custom tool definitions and tool bundles in an internal SCM repository or artifact registry. Configure the integration to use these internal resources:

  • Set TOOL_DEFINITIONS to point to your internally hosted tool definitions file

  • Set FCLI_BOOTSTRAP_URL to download fcli from your internal mirror

This ensures all required tools are accessible without external internet access.
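As an added example (not part of the action's own documentation), a workflow that sources fcli and ScanCentral Client from an internal mirror while keeping signature verification on; the mirror host, paths and file names are placeholders you would replace with your own:

```yaml
name: Fortify scan (air-gapped runner)
on: [push]

jobs:
  scan:
    runs-on: self-hosted          # assumption: this runner can reach the internal mirror only
    steps:
      - uses: actions/checkout@v4
      - uses: fortify/github-action/setup@v3
        with:
          fcli: bootstrapped      # reuse the bootstrapped fcli instead of downloading a second copy
          sc-client: latest       # resolved from the mirrored tool definitions below, not from GitHub
        env:
          # Pin the version so a mirror refresh cannot silently change what runs
          FCLI_BOOTSTRAP_VERSION: v3.15.0
          # Placeholder URLs: artifacts.example.internal stands in for your mirror
          FCLI_BOOTSTRAP_URL: https://artifacts.example.internal/fortify/fcli/v3.15.0/fcli-linux.tgz
          # Defaults to <FCLI_BOOTSTRAP_URL>.rsa_sha256; set explicitly only because this
          # mirror stores signature files under a separate path (assumed layout)
          FCLI_BOOTSTRAP_RSA_SHA256_URL: https://artifacts.example.internal/fortify/fcli/v3.15.0/sig/fcli-linux.tgz.rsa_sha256
          # Keep verification enabled: mirroring a download is not a substitute for checking it
          FCLI_BOOTSTRAP_VERIFY_SIGNATURE: "true"
          # Mirrored tool definitions zip so supporting tools are also fetched internally
          TOOL_DEFINITIONS: https://artifacts.example.internal/fortify/tool-definitions.yaml.zip
      - name: Confirm the bootstrapped fcli is on PATH
        run: fcli --version
```

If the signature file is mirrored next to the archive under its default name, FCLI_BOOTSTRAP_RSA_SHA256_URL can be omitted.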

Configuration

Specifying the tools to be installed is done through action inputs, whereas bootstrapping behavior can be controlled through environment variables as shown in the following sections.

Action Inputs

Action inputs allow you to specify which Fortify tool versions to install, and whether the corresponding binaries should be added to the system PATH. The following action inputs are supported:

Input / Description

export-path

Whether to add the installed tools to the system PATH variable. Allowed values: true (default) or false

fcli

The fcli version to install. Allowed values: skip (default value, do not install), bootstrapped (use the bootstrapped fcli version), latest, or specific version number. Supports semantic versioning, for example 23.1 will install the latest known 23.1.y patch version. Version may be specified either with or without the v prefix, for example v23.1 and 23.1 are semantically the same. Recommended value: bootstrapped.

sc-client

The ScanCentral Client version to install. Allowed values: skip (default value, do not install), latest, or specific version number.

fod-uploader

The FoDUploader version to install. Allowed values: skip (default value, do not install), latest, or specific version number. Supports semantic versioning, for example v5 will install the latest known 5.x.y version. Version may be specified either with or without the v prefix, for example v5.4.0 and 5.4.0 are semantically the same.

vuln-exporter

The FortifyVulnerabilityExporter version to install. Allowed values: skip (default value, do not install), latest, or specific version number. Supports semantic versioning, for example v2 will install the latest known 2.x.y version. Version may be specified either with or without the v prefix, for example v2.0.4 and 2.0.4 are semantically the same.

bugtracker-utility

The FortifyBugTrackerUtility version to install. Allowed values: skip (default value, do not install), latest, or specific version number. Supports semantic versioning, for example v4 will install the latest known 4.x version. Version may be specified either with or without the v prefix, for example v4.12 and 4.12 are semantically the same.

debricked-cli

The Debricked CLI version to install. Allowed values: skip (default value, do not install), latest, or specific version number. Supports semantic versioning, for example v1 will install the latest known 1.x version. Version may be specified either with or without the v prefix, for example v1.7 and 1.7 are semantically the same.

Setup & Bootstrap

The environment variables in this section allow you to customize bootstrapping behavior of fcli and supporting tools like ScanCentral Client.

Note
This GitHub Action requires at least fcli v3.15.0 to function correctly.

Environment Variable / Description

FCLI_BOOTSTRAP_VERSION

By default, the latest fcli v3.x.y release is used for running the fcli-provided ci workflow, allowing you to always benefit from the latest features and fixes. If you prefer stability over automatic updates, you can pin to a specific minor or patch release like v3.15 or v3.15.0 by setting this environment variable to the desired version. Likewise, you can set this variable to an fcli pre-release tag like dev_v3.x to experiment with upcoming changes provided by an fcli development version.

FCLI_BOOTSTRAP_PATH

Path to a pre-installed fcli executable. When set, fcli bootstrapping will use this binary instead of downloading fcli.

FCLI_BOOTSTRAP_URL

By default, fcli is downloaded from the official GitHub releases page. This environment variable allows you to specify a custom URL, for example pointing to an internal mirror in air-gapped environments. In those cases, you’ll likely also want to set TOOL_DEFINITIONS to point to a custom tool definitions file to allow for downloading supporting tools like ScanCentral Client from the internal mirror.

FCLI_BOOTSTRAP_RSA_SHA256_URL

Custom URL for the fcli RSA SHA256 signature file. Defaults to <FCLI_BOOTSTRAP_URL>.rsa_sha256.

FCLI_BOOTSTRAP_VERIFY_SIGNATURE

Set to false to skip signature verification of the fcli download (not recommended).

TOOL_DEFINITIONS

Supporting tools like ScanCentral Client or Debricked CLI are by default downloaded from the URLs defined in the default Fortify tool definitions. For air-gapped environments, point this environment variable to an internally hosted custom tool definitions zip file to download these tools from an internal mirror.

PREINSTALLED

Set to true to require that all supporting tools (e.g., ScanCentral Client, Debricked CLI) invoked by the fcli ci action are already installed, preventing tool definitions from being updated or tools from being automatically installed. This is useful for environments where pre-installed tools must be used, or where automatic tool installation is not permitted.
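As an added example (not from the action's documentation), a workflow for runners whose image already ships vetted Fortify tools, so the action performs no downloads at all; the runner label and the fcli path are assumptions:

```yaml
name: Fortify scan (pre-installed tools only)
on: [push]

jobs:
  scan:
    # Assumption: runners labelled fortify-tools carry a vetted image with fcli and ScanCentral Client
    runs-on: [self-hosted, fortify-tools]
    steps:
      - uses: actions/checkout@v4
      - uses: fortify/github-action/setup@v3
        with:
          fcli: bootstrapped      # uses the binary named by FCLI_BOOTSTRAP_PATH instead of downloading
          sc-client: skip         # nothing is requested for install; PREINSTALLED would block it anyway
        env:
          # Placeholder path: where the assumed runner image installs fcli
          FCLI_BOOTSTRAP_PATH: /opt/fortify/fcli/bin/fcli
          # Fail rather than fetch: no tool-definition updates and no automatic installs
          PREINSTALLED: "true"
      - name: Run with the pre-installed tools
        run: |
          fcli --version
          # ScanCentral Client is expected from the runner image, not from this action
          command -v scancentral
```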

Migrating from fortify/github-action/setup@v2

The fortify/github-action/setup@v3 action supports the same action inputs as v2.x.y versions, so migrating should be straightforward. However, bootstrapping behavior for fcli has changed; please review the following table for details:

  • fortify/github-action/setup@v2: Undocumented fcli: action_default input to use internal, pinned fcli version
    fortify/github-action/setup@v3: Documented fcli: bootstrapped input to use bootstrapped fcli version
    Recommended Action: Use fcli: bootstrapped to leverage bootstrapped fcli version based on FCLI_BOOTSTRAP_* environment variables, to avoid download of multiple fcli versions

  • fortify/github-action/setup@v2: Uses tool-definitions input for fcli bootstrapping
    fortify/github-action/setup@v3: Uses TOOL_DEFINITIONS environment variable and dedicated FCLI_BOOTSTRAP_* environment variables for fcli bootstrapping
    Recommended Action: If you used custom tool definitions, you’ll need to change from the tool-definitions input to the TOOL_DEFINITIONS environment variable. If your tool definitions included custom fcli download URLs, you’ll need to configure FCLI_BOOTSTRAP_URL to point to the appropriate fcli download URL
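As an added before/after illustration (not from the action's documentation), the same setup step written for v2 and for v3; the two workflow files are shown in one fence separated by ---, and the mirror URLs are placeholders:

```yaml
# Before: fortify/github-action/setup@v2, where a custom fcli download URL
# had to live inside the custom tool definitions referenced by the input
name: Fortify tools
on: [push]
jobs:
  setup:
    runs-on: ubuntu-latest
    steps:
      - uses: fortify/github-action/setup@v2
        with:
          fcli: action_default        # undocumented in v2
          sc-client: latest
          tool-definitions: https://artifacts.example.internal/fortify/tool-definitions.yaml.zip
---
# After: fortify/github-action/setup@v3
name: Fortify tools
on: [push]
jobs:
  setup:
    runs-on: ubuntu-latest
    steps:
      - uses: fortify/github-action/setup@v3
        with:
          fcli: bootstrapped          # documented replacement for action_default
          sc-client: latest
        env:
          # tool-definitions input becomes an environment variable
          TOOL_DEFINITIONS: https://artifacts.example.internal/fortify/tool-definitions.yaml.zip
          # fcli's download location moves out of the tool definitions into its own variables
          FCLI_BOOTSTRAP_URL: https://artifacts.example.internal/fortify/fcli/v3.15.0/fcli-linux.tgz
          FCLI_BOOTSTRAP_VERSION: v3.15.0
```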

Resources