Action Documentation: fcli action

Supporting tools like ScanCentral Client or Debricked CLI are by default downloaded from the URLs defined in the default Fortify tool definitions. For airgapped environments, point this environment variable to an internally hosted custom tool definitions zip file to download these tools from an internal mirror.

Set to true to require that all supporting tools (e.g., ScanCentral Client, Debricked CLI) invoked by the fcli ci action are already installed, preventing tool definitions from being updated or tools from being automatically installed. This is useful for environments where pre-installed tools must be used, or where automatic tool installation is not permitted.

OpenText Core Application Security (Fortify on Demand) URL, for example https://ams.fortify.com. This must be rendered by the CI/CD system as plain text, not as a masked secret/variable.

Required when authenticating with an API key: OpenText Core Application Security (Fortify on Demand) Client ID (API key) and Secret (API secret).

Required when authenticating with user credentials: OpenText Core Application Security (Fortify on Demand) tenant, user and password. It is recommended to use a Personal Access Token instead of an actual user password.

Extra login options, for example for disabling SSL checks or changing connection time-outs; see fcli fod session login documentation.

OpenText Core Application Security (Fortify on Demand) release to use with this action. This should be specified as <app-name>:<release-name> (for non-microservices applications) or <app-name>:<microservice-name>:<release-name> (for microservices applications). Default value is based on repository and branch name, for example myOrg/myRepo:myBranch. Note that you’ll need to explicitly configure FOD_RELEASE for microservices applications, as the default value lacks a microservice name.

If DO_SETUP is set not set to false, the application and/or release will be created if they do not yet exist, and static scan settings will be configured if necessary. By default, static scan settings will only be configured if no settings have been previously configured for the release; set OVERRIDE_SAST_SETTINGS to true to override existing static scan settings. The setup will be performed using the fcli-provided fcli-provided setup-release action, or, the custom fcli action specified through SETUP_ACTION. Extra options for the fcli action can be passed through the SETUP_EXTRA_OPTS environment variable, but also see below for some convenience environment variables.

Depending on your Git workflow, when a new release is created, it is recommended to copy state from the release representing your default branch by either setting this environment variable or by passing the --copy-from option through SETUP_EXTRA_OPTS.

By default, when setting up a release for SAST scanning, the SAST scan will be configured with the Static Assessment assessment type. You can choose a different assement type by either setting this environment variable or by passing the --assessment-type option through SETUP_EXTRA_OPTS. Note that this won’t update the assessment type if SAST scan settings have already been configured for the release, unless you set OVERRIDE_SAST_SETTINGS to true.

To enable Aviator audits, set this environment variable to true or pass --use-aviator through SETUP_EXTRA_OPTS. Note that Aviator avaliablility depends on tenant and scan policy configuration, and may consume additional entitlement units. Also note that this setting will be ignored if SAST scan settings have already been configured for the release, unless you set OVERRIDE_SAST_SETTINGS to true.

To enable Software Composition Analysis in your SAST scans, set this environment variable to true or pass --oss through SETUP_EXTRA_OPTS. Note that Debricked or Sonatype availability depends on tenant and scan policy configuration, and may consume additional entitlement units. Also note that this option will be ignored if SAST scan settings have already been configured for the release, unless you set OVERRIDE_SAST_SETTINGS to true.

By default, when running a SAST scan, the fcli package action is used to (optionally) package the source code to be scanned; see next entry for information on how to configure the default package action. If the standard fcli package action doesn’t meet your needs, for example if you want to perform a local translation using Fortify Static Code Analyzer, you can use PACKAGE_ACTION to use a custom action for packaging, optionally providing extra options to this custom action through the PACKAGE_ACTION_EXTRA_OPTS environment variable. Note that any custom action must set the global.package.output action variable, pointing to the package or MBS file to be scanned.

These environment variables define packaging behavior. If USE_PACKAGE is specified, packaging will be skipped and the given package or MBS file (which must already exist) will be used. To pass additional options to the scancentral package command like -bt or -bf, use PACKAGE_EXTRA_OPTS. Note that the -oss option will be automatically added if Software Composition Analysis in enabled in FoD SAST scan settings.

By default:
* If SC_CLIENT_HOME is specified, the pre-installed ScanCentral Client at that location will be registered and used, skipping automatic installation. The path should point to the installation directory or binary.
* SC_CLIENT_VERSION may be specified to request a specific ScanCentral Client version to be used. Allowed values:
* An explicit version number (e.g. 25.2 or 25.2.0)
* Path to a specific ScanCentral Client installation
* latest to use the latest available ScanCentral Client version
* auto (default) to use a pre-installed version if available, otherwise installs latest
* If neither SC_CLIENT_VERSION nor SC_CLIENT_HOME are set, defaults to auto behavior.
* Current working directory will be packaged; use SOURCE_DIR to package a different directory.
* Debug logging for Scancentral Client is disabled; pass --debug on the fcli invocation to enable debug logging.

The fcli ci action currently only supports running a SAST scan, which is enabled by default. The SAST_SCAN_EXTRA_OPTS environment variable can be used to provide additional options to the fcli fod sast-scan start command, for example to specify scan notes. Note that these environment variables only control the submission of the scan request; see the information below for details on waiting for the scan to complete.

By default, the fcli ci action will wait for all started scans to complete; set DO_WAIT to false to just kick off any configured scans without waiting for completion. Note that doing so will skip any post-scan tasks. The SAST_WAIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli fod sast-scan wait-for command.

If DO_RELEASE_SUMMARY is not set to false, a release summary will be generated using the fcli-provided release-summary action or, if specified, the custom fcli action specified through RELEASE_SUMMARY_ACTION. Extra options for the fcli action can be specified through the RELEASE_SUMMARY_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

If DO_CHECK_POLICY is set to true (implied if any of the other two CHECK_POLICY_* variables are set), a policy check will be run after scan completion using the fcli-provided check-policy action or, if specified, the custom fcli action specified through CHECK_POLICY_ACTION. Extra options for a custom fcli action can be passed through the CHECK_POLICY_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

(PREVIEW) If DO_PR_COMMENT is set to true (implied if any of the other two PR_COMMENT_* variables are set), a Pull Request or Merge Request comment will be generated using an fcli-provided action matching the current CI system like github-pr-comment or, if specified, the custom fcli action specified through PR_COMMENT_ACTION. Extra options for the fcli action can be specified through the PR_COMMENT_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

If DO_SAST_EXPORT is not set to false and a SAST scan was completed, the SAST vulnerability data will be exported into a CI-specific format using an fcli-provided action matching the current CI system like github-sast-report or gitlab-sast-report, or, if specified, the custom fcli action specified through SAST_EXPORT_ACTION. Extra options for the fcli action can be specified through the SAST_EXPORT_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

OpenText Application Security (Fortify Software Security Center) URL, for example https://ssc.customer.fortifyhosted.net/. This must be rendered by the CI/CD system as plain text, not as a masked secret/variable.

Required when authenticating with an SSC token (recommended). Most actions should work fine with a CIToken.

Required when authenticating with SSC user credentials.

ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller. This environment variable is required when running a ScanCentral SAST scan.

Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see fcli ssc session login documentation.

Fortify SSC application version to use with this action. This should be specified as <app-name>:<version-name>. Default value is based on repository and branch name, for example myOrg/myRepo:myBranch.

If DO_SETUP is set not set to false, the application and/or version will be created if they do not yet exist using the fcli-provided setup-appversion action, or, if specified, the custom fcli action specified through SETUP_ACTION. Extra options for the fcli action can be passed through the SETUP_EXTRA_OPTS environment variable.

Depending on your Git workflow, it is recommended to copy state from the application version representing your default branch by passing the --copy-from option through SETUP_EXTRA_OPTS.

By default, when running a SAST scan, the fcli package action is used to (optionally) package the source code to be scanned; see next entry for information on how to configure the default package action. If the standard fcli package action doesn’t meet your needs, for example if you want to perform a local translation using Fortify Static Code Analyzer, you can use PACKAGE_ACTION to use a custom action for packaging, optionally providing extra options to this custom action through the PACKAGE_ACTION_EXTRA_OPTS environment variable. Note that any custom action must set the global.package.output action variable, pointing to the package or MBS file to be scanned.

These environment variables define packaging behavior. If USE_PACKAGE is specified, packaging will be skipped and the given package or MBS file (which must already exist) will be used. To pass additional options to the scancentral package command like -bt or -bf, use PACKAGE_EXTRA_OPTS.

By default:

* If SC_CLIENT_HOME is specified, the pre-installed ScanCentral Client at that location will be registered and used, skipping automatic installation. The path should point to the installation directory or binary.
* SC_CLIENT_VERSION may be specified to request a specific ScanCentral Client version to be used. Allowed values:
* An explicit version number (e.g. 25.2 or 25.2.0)
* Path to a specific ScanCentral Client installation
* latest to use the latest available ScanCentral Client version
* auto (default for SSC) to enable automatic detection based on available sensor versions
* If neither SC_CLIENT_VERSION nor SC_CLIENT_HOME are set, defaults to auto behavior (sensor-based detection).
* Current working directory will be packaged; use SOURCE_DIR to package a different directory.
* Debug logging for Scancentral Client is disabled; pass --debug on the fcli invocation to enable debug logging.

The fcli ci action by default runs a SAST scan, optionally in combination with other scan types. The DO_SAST_SCAN environment variable can be set to false to disable the SAST scan. The SAST_SCAN_EXTRA_OPTS environment variable can be used to provide additional options to the fcli sc-sast scan start command, for example to request a scan completion email notification. Note that these environment variables only control the submission of the scan request; see the information below for details on waiting for the scan to complete.

The fcli ci action supports running a Debricked Software Composition Analysis (SCA) scan, which is enabled automatically if DEBRICKED_ACCESS_TOKEN is provided. The DO_DEBRICKED_SCAN environment variable can be set to false to (temporarily) disable the Debricked scan. The DEBRICKED_SCAN_EXTRA_OPTS environment variable can be used to provide additional options to the debricked scan command.

By default:

* If DEBRICKED_HOME is specified, the pre-installed Debricked CLI at that location will be registered and used, skipping automatic installation. The path should point to the installation directory or binary.
* DEBRICKED_VERSION may be specified to request a specific Debricked CLI version to be used. Allowed values:
* An explicit version number (e.g. 2.6 or 2.6.7)
* Path to a specific Debricked CLI installation
* latest to use the latest available Debricked CLI version
* auto (default) to use a pre-installed version if available, otherwise installs latest
* If neither DEBRICKED_VERSION nor DEBRICKED_HOME are set, defaults to auto behavior.

By default, the fcli ci action will wait for all started scans to complete; set DO_WAIT to false to just kick off any configured scans without waiting for completion. Note that doing so will skip any post-scan tasks. The SAST_WAIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli sc-sast scan wait-for command, and similarly, the DEBRICKED_WAIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli ssc artifact wait-for command.

Aviator URL and JWT token to use for Aviator operations (see below). The AVIATOR_TOKEN environment variable should hold the actual token contents; prefixes like file: or string: (like the --token option on the fcli aviator session login command) are not supported. The AVIATOR_LOGIN_EXTRA_OPTS environment variable can be used to pass additional options to the fcli aviator session login command.

If DO_AVIATOR_AUDIT is not set to false, and Aviator URL and token have been configured, scan results will be sent to Aviator for AI-driven auditing. The Aviator application name can optionally be configured through AVIATOR_APP, which defaults to the SSC application name. The AVIATOR_AUDIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli aviator ssc audit command, for example to adjust tag mappings. The AVIATOR_WAIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli ssc artifact wait-for command, which will be run to wait for SSC to process the audited results.

If DO_APPVERSION_SUMMARY is not set to false, an application version summary will be generated using the fcli-provided appversion-summary action or, if specified, the custom fcli action specified through APPVERSION_SUMMARY_ACTION. Extra options for the fcli action can be specified through the APPVERSION_SUMMARY_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

If DO_CHECK_POLICY is set to true (implied if any of the other two CHECK_POLICY_* variables are set), a policy check will be run after scan completion using the fcli-provided check-policy action or, if specified, the custom fcli action specified through CHECK_POLICY_ACTION. Extra options for a custom fcli action can be passed through the CHECK_POLICY_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

(PREVIEW) If DO_PR_COMMENT is set to true (implied if any of the other two PR_COMMENT_* variables are set), a Pull Request or Merge Request comment will be generated using an fcli-provided action matching the current CI system like github-pr-comment or, if specified, the custom fcli action specified through PR_COMMENT_ACTION. Extra options for the fcli action can be specified through the PR_COMMENT_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

If DO_SAST_EXPORT is not set to false and a SAST scan was completed, the SAST vulnerability data will be exported into a CI-specific format using an fcli-provided action matching the current CI system like github-sast-report or gitlab-sast-report, or, if specified, the custom fcli action specified through SAST_EXPORT_ACTION. Extra options for the fcli action can be specified through the SAST_EXPORT_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

If DO_DEBRICKED_EXPORT is not set to false and a Debricked scan was completed, the Debricked vulnerability data will be exported into a CI-specific format using an fcli-provided action matching the current CI system like gitlab-debricked-report, or, if specified, the custom fcli action specified through DEBRICKED_EXPORT_ACTION. Extra options for the fcli action can be specified through the DEBRICKED_EXPORT_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.