Action Documentation: fcli ssc action

This manual page describes built-in fcli actions that can be run through the fcli ssc action run <action-name> command.

appversion-summary

(PREVIEW) Generate application version summary.

Synopsis

fcli ssc action run appversion-summary [fcli ssc action run options] [action options, see below]

Description

This action generates a short summary listing issue counts and other statistics for a given application version. Based on user feedback on this initial version of this action, parameters and output of this action may change in the next couple of fcli releases.

Options

--file, -f: Optional output file name (or 'stdout' / 'stderr'). Default value: stdout
--appversion, --av: Required application version id or <appName>:<versionName>
--filtersets, --fs: Comma-separated list of filter set names, guid’s or 'default' to display in the summary. If not specified, all filter sets will be included.

aws-sast-report

Generate a AWS Security Hub SAST report listing Fortify SSC SAST vulnerabilities.

Synopsis

fcli ssc action run aws-sast-report [fcli ssc action run options] [action options, see below]

Description

This action generate a ASFF report to integrate AWS Security Hub, generated reports then parsed by the lambda function, see: https://github.com/fortify/CloudDevSecOpsTemplates/ For information on how to create or update findings into AWS Security Hub, see https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-update-types.html

Options

--file, -f: Optional report output file name (or 'stdout' / 'stderr'). Default value: aws-fortify-report.json
--appversion, --av: Required application version id or <appName>:<versionName>
--filterset, --fs: Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
--page-size: Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100
--aws-region: Required AWS region. Default value: AWS_REGION environment variable.
--aws-account: Required AWS account id. Default value: AWS_ACCOUNT_ID environment variable.
--workspace-dir: Workspace/repository root directory for resolving Fortify source file paths to workspace-relative paths in reports
--source-dir: (DEPRECATED: use --workspace-dir) Alias for --workspace-dir

bitbucket-sast-report

Integrate SSC SAST results with BitBucket Code Insights.

Synopsis

fcli ssc action run bitbucket-sast-report [fcli ssc action run options] [action options, see below]

Description

This action generates and optionally publishes SSC SAST vulnerabilities to BitBucket. With the --publish option, results are automatically uploaded to BitBucket pipelines.

For manual report uploads, see https://support.atlassian.com/bitbucket-cloud/docs/code-insights/

Options

--report-file, -r: Optional report output file name (or 'stdout' / 'stderr'). Defaults to bb-fortify-report.json if --publish not specified
--annotations-file, -a: Optional annotations output file name (or 'stdout' / 'stderr'). Defaults to bb-fortify-annotations.json if --publish not specified
--publish: Publish report and annotations to Bitbucket Code Insights
--appversion, --av: Required application version id or <appName>:<versionName>
--filterset, --fs: Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
--page-size: Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100
--workspace-dir: Workspace/repository root directory for resolving Fortify source file paths to workspace-relative paths in reports
--source-dir: Source directory that was scanned - used for prioritizing path matches when multiple files have the same name (e.g., index.js in src/ vs node_modules/)

bulkaudit

(PREVIEW) Perform SAST Aviator audits of SSC application versions in bulk.

Synopsis

fcli ssc action run bulkaudit [fcli ssc action run options] [action options, see below]

Description

This action identifies SSC application versions with pending audit issues and automatically submits them for auditing by Fortify SAST Aviator. The action intelligently filters to only process versions with actual pending audit issues, while ignoring versions for which audit information needs to be refreshed.

For application versions that don’t already exist in Aviator, the action will automatically create them before submitting for audit.

Either --tag-mapping or --add-aviator-tags must be specified. The default tag mapping leaves unsure issues unaudited, causing indefinite reselection. Use a custom mapping file or 'fcli ssc aviator prepare' to configure Aviator-specific issue templates.

This action assumes active sessions with SSC, Aviator (user role for auditing), and Aviator (admin role for application listing and creation).

Options

--max-audits, -m: Maximum number of project versions to audit. Default: -1 (unlimited)
--filter, -f: Optional filter to apply when querying SSC for projects. Example: 'Languages:java'. Default: no filtering
--exclude-filter, -e: Optional inverse filter to exclude projects from audit. Projects matching this filter will be skipped. Example: 'Languages:c#' to exclude .NET projects. Can be combined with --filter. Default: no exclusion
--dry-run, -n: Show what aviator commands would be executed without actually running them. Default: false
--tag-mapping, -t: Path to tag mapping YAML file. This custom mapping ensures that SAST Aviator 'Unsure' audit results are properly handled. Required unless --add-aviator-tags is specified.
--add-aviator-tags: If specified, runs 'fcli aviator prepare' for the application before audit. Required unless --tag-mapping is specified.
--refresh: Refresh application version metrics before audit. For large applications this can lead to timeout errors. Default: true
--refresh-timeout: Timeout period for metric refresh, e.g., 30s (30 seconds), 5m (5 minutes), 1h (1 hour). Default: 60s

check-policy

(SAMPLE) Check security policy.

Synopsis

fcli ssc action run check-policy [fcli ssc action run options] [action options, see below]

Description

This sample action demonstrates how to implement a security policy using fcli actions, returning a non-zero exit code if any of the checks fail.

Options

--appversion, --av: Required application version id or <appName>:<versionName>
--filterset, --fs: Filter set name or guid from which to load issue data. Default value: Default filter set for given application version

ci

Run SSC CI pipeline

Synopsis

fcli ssc action run ci [fcli ssc action run options] [action options, see below]

Description

This action can be used to run a full, standardized CI pipeline that performs the following activities:

Create & configure SSC application version if needed
Package source code
Submit SAST scan request
Wait for SAST scan completion
Perform post-scan activities, like checking policy outcome, exporting results, …

Configuration for this fcli action is done through environment variables; the sections below list the environment variables supported by this action.

Bootstrap & Setup

The fcli ci action uses the following environment variables to control bootstrapping behavior for supporting tools.

Environment Variable

Description

TOOL_DEFINITIONS

Supporting tools like ScanCentral Client or Debricked CLI are by default downloaded from the URLs defined in the default Fortify tool definitions. For airgapped environments, point this environment variable to an internally hosted custom tool definitions zip file to download these tools from an internal mirror.

PREINSTALLED

Set to true to require that all supporting tools (e.g., ScanCentral Client, Debricked CLI) invoked by the fcli ci action are already installed, preventing tool definitions from being updated or tools from being automatically installed. This is useful for environments where pre-installed tools must be used, or where automatic tool installation is not permitted.

Application Version Management

Configure OpenText Application Security (Fortify Software Security Center) application version settings, including automatic creation of application versions if they don’t exist.

Environment Variable

Description

SSC_APPVERSION

Fortify SSC application version to use with this action. This should be specified as <app-name>:<version-name>. Default value is based on repository and branch name, for example myOrg/myRepo:myBranch.

DO_SETUP
SETUP_ACTION
SETUP_EXTRA_OPTS

If DO_SETUP is set not set to false, the application and/or version will be created if they do not yet exist using the fcli-provided setup-appversion action, or, if specified, the custom fcli action specified through SETUP_ACTION. Extra options for the fcli action can be passed through the SETUP_EXTRA_OPTS environment variable.

Depending on your Git workflow, it is recommended to copy state from the application version representing your default branch by passing the --copy-from option through SETUP_EXTRA_OPTS.

Package Configuration

Configure source code packaging behavior for SAST scans. Control whether to use custom packaging actions, specify pre-built packages, or customize ScanCentral Client usage.

Environment Variable

Description

PACKAGE_ACTION
PACKAGE_ACTION_EXTRA_OPTS

By default, when running a SAST scan, the fcli package action is used to (optionally) package the source code to be scanned; see next entry for information on how to configure the default package action. If the standard fcli package action doesn’t meet your needs, for example if you want to perform a local translation using Fortify Static Code Analyzer, you can use PACKAGE_ACTION to use a custom action for packaging, optionally providing extra options to this custom action through the PACKAGE_ACTION_EXTRA_OPTS environment variable. Note that any custom action must set the global.package.output action variable, pointing to the package or MBS file to be scanned.

USE_PACKAGE
PACKAGE_EXTRA_OPTS
SC_CLIENT_VERSION
SC_CLIENT_HOME
SOURCE_DIR

These environment variables define packaging behavior. If USE_PACKAGE is specified, packaging will be skipped and the given package or MBS file (which must already exist) will be used. To pass additional options to the scancentral package command like -bt or -bf, use PACKAGE_EXTRA_OPTS.

By default:

* If SC_CLIENT_HOME is specified, the pre-installed ScanCentral Client at that location will be registered and used, skipping automatic installation. The path should point to the installation directory or binary.
* SC_CLIENT_VERSION may be specified to request a specific ScanCentral Client version to be used. Allowed values:
* An explicit version number (e.g. 25.2 or 25.2.0)
* Path to a specific ScanCentral Client installation
* latest to use the latest available ScanCentral Client version
* auto (default for SSC) to enable automatic detection based on available sensor versions
* If neither SC_CLIENT_VERSION nor SC_CLIENT_HOME are set, defaults to auto behavior (sensor-based detection).
* Current working directory will be packaged; use SOURCE_DIR to package a different directory.
* Debug logging for Scancentral Client is disabled; pass --debug on the fcli invocation to enable debug logging.

Scan Execution

Configure SAST and Debricked scan execution and waiting behavior for OpenText Application Security (Fortify Software Security Center).

Environment Variable

Description

DO_SAST_SCAN
SAST_SCAN_EXTRA_OPTS

The fcli ci action by default runs a SAST scan, optionally in combination with other scan types. The DO_SAST_SCAN environment variable can be set to false to disable the SAST scan. The SAST_SCAN_EXTRA_OPTS environment variable can be used to provide additional options to the fcli sc-sast scan start command, for example to request a scan completion email notification. Note that these environment variables only control the submission of the scan request; see the information below for details on waiting for the scan to complete.

DO_DEBRICKED_SCAN
DEBRICKED_SCAN_EXTRA_OPTS
DEBRICKED_ACCESS_TOKEN
DEBRICKED_VERSION
DEBRICKED_HOME

The fcli ci action supports running a Debricked Software Composition Analysis (SCA) scan, which is enabled automatically if DEBRICKED_ACCESS_TOKEN is provided. The DO_DEBRICKED_SCAN environment variable can be set to false to (temporarily) disable the Debricked scan. The DEBRICKED_SCAN_EXTRA_OPTS environment variable can be used to provide additional options to the debricked scan command.

By default:

* If DEBRICKED_HOME is specified, the pre-installed Debricked CLI at that location will be registered and used, skipping automatic installation. The path should point to the installation directory or binary.
* DEBRICKED_VERSION may be specified to request a specific Debricked CLI version to be used. Allowed values:
* An explicit version number (e.g. 2.6 or 2.6.7)
* Path to a specific Debricked CLI installation
* latest to use the latest available Debricked CLI version
* auto (default) to use a pre-installed version if available, otherwise installs latest
* If neither DEBRICKED_VERSION nor DEBRICKED_HOME are set, defaults to auto behavior.

DO_WAIT
DO_SAST_WAIT
SAST_WAIT_EXTRA_OPTS
DEBRICKED_WAIT_EXTRA_OPTS

By default, the fcli ci action will wait for all started scans to complete; set DO_WAIT to false to just kick off any configured scans without waiting for completion. Note that doing so will skip any post-scan tasks. The SAST_WAIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli sc-sast scan wait-for command, and similarly, the DEBRICKED_WAIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli ssc artifact wait-for command.

Post-Scan Actions

Configure post-scan tasks including Aviator auditing, application version summaries, policy checks, pull request comments, and vulnerability data exports for OpenText Application Security (Fortify Software Security Center). NOTE: Availability and behavior of post-scan tasks may vary across CI/CD systems and fcli versions.

Environment Variable

Description

AVIATOR_URL
AVIATOR_TOKEN
AVIATOR_LOGIN_EXTRA_OPTS

Aviator URL and JWT token to use for Aviator operations (see below). The AVIATOR_TOKEN environment variable should hold the actual token contents; prefixes like file: or string: (like the --token option on the fcli aviator session login command) are not supported. The AVIATOR_LOGIN_EXTRA_OPTS environment variable can be used to pass additional options to the fcli aviator session login command.

DO_AVIATOR_AUDIT
AVIATOR_APP
AVIATOR_AUDIT_EXTRA_OPTS
AVIATOR_WAIT_EXTRA_OPTS

If DO_AVIATOR_AUDIT is not set to false, and Aviator URL and token have been configured, scan results will be sent to Aviator for AI-driven auditing. The Aviator application name can optionally be configured through AVIATOR_APP, which defaults to the SSC application name. The AVIATOR_AUDIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli aviator ssc audit command, for example to adjust tag mappings. The AVIATOR_WAIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli ssc artifact wait-for command, which will be run to wait for SSC to process the audited results.

DO_APPVERSION_SUMMARY
APPVERSION_SUMMARY_ACTION
APPVERSION_SUMMARY_EXTRA_OPTS

If DO_APPVERSION_SUMMARY is not set to false, an application version summary will be generated using the fcli-provided appversion-summary action or, if specified, the custom fcli action specified through APPVERSION_SUMMARY_ACTION. Extra options for the fcli action can be specified through the APPVERSION_SUMMARY_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

DO_CHECK_POLICY
CHECK_POLICY_ACTION
CHECK_POLICY_EXTRA_OPTS

If DO_CHECK_POLICY is set to true (implied if any of the other two CHECK_POLICY_* variables are set), a policy check will be run after scan completion using the fcli-provided check-policy action or, if specified, the custom fcli action specified through CHECK_POLICY_ACTION. Extra options for a custom fcli action can be passed through the CHECK_POLICY_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

DO_PR_COMMENT
PR_COMMENT_ACTION
PR_COMMENT_EXTRA_OPTS

(PREVIEW) If DO_PR_COMMENT is set to true (implied if any of the other two PR_COMMENT_* variables are set), a Pull Request or Merge Request comment will be generated using an fcli-provided action matching the current CI system like github-pr-comment or, if specified, the custom fcli action specified through PR_COMMENT_ACTION. Extra options for the fcli action can be specified through the PR_COMMENT_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

DO_SAST_EXPORT
SAST_EXPORT_ACTION
SAST_EXPORT_EXTRA_OPTS

If DO_SAST_EXPORT is not set to false and a SAST scan was completed, the SAST vulnerability data will be exported into a CI-specific format using an fcli-provided action matching the current CI system like github-sast-report or gitlab-sast-report, or, if specified, the custom fcli action specified through SAST_EXPORT_ACTION. Extra options for the fcli action can be specified through the SAST_EXPORT_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

DO_DEBRICKED_EXPORT
DEBRICKED_EXPORT_ACTION
DEBRICKED_EXPORT_EXTRA_OPTS

If DO_DEBRICKED_EXPORT is not set to false and a Debricked scan was completed, the Debricked vulnerability data will be exported into a CI-specific format using an fcli-provided action matching the current CI system like gitlab-debricked-report, or, if specified, the custom fcli action specified through DEBRICKED_EXPORT_ACTION. Extra options for the fcli action can be specified through the DEBRICKED_EXPORT_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

debricked-scan

(PREVIEW) Run Debricked Scan

Synopsis

fcli ssc action run debricked-scan [fcli ssc action run options] [action options, see below]

Description

This action can be used to run a debricked scan of the project.

Options

--source-dir, -s

Source directory on which to run Debricked Software Composition Analysis (SCA) scan. Defaults to current working directory if not specified.

--repository, -r

Debricked source repository name or ID. Will be auto-detected if source directory points to a local git repository.

--branch, -b

Debricked source branch name or ID. Will be auto-detected if source directory points to a local git repository.

--app-version, --av

SSC application version to which the debricked report must be imported to. Defaults to <repository>:<branch> if not specified. Application version must already exist in SSC.

--debricked-token, -t

Access token required for Debricked authentication.

--cli-version, -v

Specify the Debricked CLI tool version to be used for scanning. Defaults to the value of the DEBRICKED_HOME or DEBRICKED_VERSION environment variables. Allowed values:

An explicit version number (e.g. 2.6 or 2.6.7)
Path to a specific Debricked CLI installation
latest to use the latest available Debricked CLI version
auto (default) to use a pre-installed version if available, otherwise installs latest

--tool-definitions

Custom tool definitions to use for identifying available Debricked CLI tool versions and download URLs.

--skip-wait

By default, the action will wait for the Debricked scan import to complete. Use this option to skip waiting for the import to complete.

--extra-scan-opts

Extra options to be passed to the 'debricked scan' command.

github-pr-comment

(PREVIEW) Add GitHub Pull Request review comments.

Synopsis

fcli ssc action run github-pr-comment [fcli ssc action run options] [action options, see below]

Description

This action adds review comments to a GitHub Pull Request. Currently this is marked as PREVIEW as we build out this functionality; later versions may have different behavior and/or require different action cli.

The current implementation simply compares current scan results against previous scan results in the given SSC application version, listing all new, re-introduced and removed issues in a new PR comment.

For best results, this fcli action should only be run on GitHub pull_request triggers. Upon PR creation, a new SSC application version should be created, copying state from the SSC application version that represents the branch into which the PR will be merged, and a new scan should be run on the current PR branch before invoking this fcli action.

This will ensure that scan results for the current PR will be compared against the latest scan results for the target branch upon PR creation. Optionally, new scans can be run upon PR changes, creating new PR comments that show the issue delta compared to the previous scan for this PR.

Options

--appversion, --av: Required application version id or <appName>:<versionName>
--filterset, --fs: Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
--analysis-type, -t: Analysis type for which to list vulnerabilities. Default value: SCA
--github-api-url: Required GitHub API URL. Default value: GITHUB_API_URL environment variable.
--github-token: Required GitHub Token. Default value: GITHUB_TOKEN environment variable.
--github-owner: Required GitHub repository owner. Default value: GITHUB_REPOSITORY_OWNER environment variable.
--github-repo: Required GitHub repository. Default value: Taken from GITHUB_REPOSITORY environment variable.
--pr: Required PR number. Default value: Taken from GITHUB_REF_NAME environment variable. Note that default value will only work on GitHub pull_request triggers; if this fcli action is invoked through any other GitHub trigger, it will fail unless an explicit PR number is passed through this option.
--commit: Required commit hash. Default value: GITHUB_SHA environment variable.
--dryrun: Set to true to just output PR decoration JSON; don’t actually update any PR

github-sast-report

Integrate SSC SAST results with GitHub Code Scanning.

Synopsis

fcli ssc action run github-sast-report [fcli ssc action run options] [action options, see below]

Description

This action generates and optionally publishes SSC SAST vulnerabilities to GitHub. With the --publish option, results are automatically uploaded as either SARIF reports (for GitHub Advanced Security) or Check Runs (for free-tier repositories). The optional --type option allows you to specify which format to use.

For manual SARIF file uploads, see https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github

Options

--file, -f: Optional output file name (or 'stdout' / 'stderr'). Defaults to gh-fortify-sast.sarif if --publish not specified
--publish: Publish report to GitHub Code Scanning (requires GITHUB_TOKEN environment variable with 'security-events: write' permission)
--type: Report type to generate/publish: 'sarif' (GHAS Code Scanning) or 'check-run' (free-tier Check Run). If not specified, tries SARIF first, falls back to Check Run if GHAS unavailable. For best performance, specify the report type that matches your repository’s GitHub plan (GHAS vs free tier).
--dryrun: Set to true to load and format all data but output to stdout instead of publishing
--appversion, --av: Required application version id or <appName>:<versionName>
--filterset, --fs: Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
--page-size: Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100
--workspace-dir: Workspace/repository root directory for resolving Fortify source file paths to workspace-relative paths in reports
--source-dir: Source directory that was scanned - used for prioritizing path matches when multiple files have the same name (e.g., index.js in src/ vs node_modules/)

gitlab-codequality-report

Integrate SSC SAST results with GitLab Code Quality.

Synopsis

fcli ssc action run gitlab-codequality-report [fcli ssc action run options] [action options, see below]

Description

This action generates and optionally publishes SSC SAST vulnerabilities to GitLab. With the --publish option, results are automatically uploaded to GitLab pipelines.

For manual report uploads, see https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscodequality

Options

--file, -f: Optional output file name (or 'stdout' / 'stderr'). Defaults to gl-fortify-codequality.json if --publish not specified
--publish: Publish report to GitLab merge request
--appversion, --av: Required application version id or <appName>:<versionName>
--filterset, --fs: Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
--page-size: Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100
--workspace-dir: Workspace/repository root directory for resolving Fortify source file paths to workspace-relative paths in reports
--source-dir: Source directory that was scanned - used for prioritizing path matches when multiple files have the same name (e.g., index.js in src/ vs node_modules/)

gitlab-dast-report

Integrate SSC DAST results with GitLab.

Synopsis

fcli ssc action run gitlab-dast-report [fcli ssc action run options] [action options, see below]

Description

This action generates and optionally publishes SSC DAST vulnerabilities to GitLab. With the --publish option, results are automatically uploaded to GitLab pipelines.

For manual report uploads, see https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdast

Options

--file, -f: Optional output file name (or 'stdout' / 'stderr'). Defaults to gl-fortify-dast.json if --publish not specified
--publish: Publish report to GitLab Security Dashboard
--appversion, --av: Required application version id or <appName>:<versionName>
--filterset, --fs: Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
--page-size: Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100

gitlab-debricked-report

Integrate SSC Debricked results with GitLab Dependency Scanning.

Synopsis

fcli ssc action run gitlab-debricked-report [fcli ssc action run options] [action options, see below]

Description

This action generates and optionally publishes SSC Debricked vulnerabilities to GitLab. With the --publish option, results are automatically uploaded to GitLab pipelines.

For manual report uploads, see https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdependency_scanning

Options

--file, -f: Optional output file name (or 'stdout' / 'stderr'). Defaults to gl-fortify-debricked-depscan.json if --publish not specified
--publish: Publish report to GitLab Security Dashboard
--appversion, --av: Required application version id or <appName>:<versionName>
--filterset, --fs: Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
--page-size: Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100

gitlab-sast-report

Integrate SSC SAST results with GitLab.

Synopsis

fcli ssc action run gitlab-sast-report [fcli ssc action run options] [action options, see below]

Description

This action generates and optionally publishes SSC SAST vulnerabilities to GitLab. With the --publish option, results are automatically uploaded to GitLab pipelines.

For manual report uploads, see https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportssast

Options

--file, -f: Optional output file name (or 'stdout' / 'stderr'). Defaults to gl-fortify-sast.json if --publish not specified
--publish: Publish report to GitLab Security Dashboard
--appversion, --av: Required application version id or <appName>:<versionName>
--filterset, --fs: Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
--page-size: Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100
--workspace-dir: Workspace/repository root directory for resolving Fortify source file paths to workspace-relative paths in reports
--source-dir: Source directory that was scanned - used for prioritizing path matches when multiple files have the same name (e.g., index.js in src/ vs node_modules/)

gitlab-sonatype-report

Integrate SSC Sonatype results with GitLab Dependency Scanning.

Synopsis

fcli ssc action run gitlab-sonatype-report [fcli ssc action run options] [action options, see below]

Description

This action generates and optionally publishes SSC Sonatype vulnerabilities to GitLab. With the --publish option, results are automatically uploaded to GitLab pipelines.

For manual report uploads, see https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdependency_scanning

Options

--file, -f: Optional output file name (or 'stdout' / 'stderr'). Defaults to gl-fortify-sonatype-depscan.json if --publish not specified
--publish: Publish report to GitLab Security Dashboard
--appversion, --av: Required application version id or <appName>:<versionName>
--filterset, --fs: Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
--page-size: Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100

package

Package source code

Synopsis

fcli ssc action run package [fcli ssc action run options] [action options, see below]

Description

This action can be used to package source code using ScanCentral Client. It will take care of installing the specified ScanCentral Client version, followed by executing the 'scancentral package' command using the specified ScanCentral Client version. To enable debug logging on the scancentral command, use the fcli --debug option, optionally combined with --log-level=NONE to collect only ScanCentral logs, not fcli logs.

Options

--use-package

Use an existing package file instead of trying to package the given source code directory. If specified, this ignores all other options.

--sc-client-version, -v

Specify the ScanCentral Client version to be used for packaging. Defaults to the value of the SC_CLIENT_HOME or SC_CLIENT_VERSION environment variables. Allowed values:

An explicit version number (e.g. 25.2 or 25.2.0)
Path to a specific ScanCentral Client installation
latest to use the latest available ScanCentral Client version
auto (default) to enable automatic detection based on available sensor versions

--appversion, --av

SSC application version (name or id) for which to detect the appropriate ScanCentral Client version. If not specified, detection will use sensors from all pools. This option is only used when --sc-client-version is not specified or set to 'auto'.

--source-dir, -d

Specify the source directory to be packaged. Defaults to the value of the SOURCE_DIR environment variable, or current working directory if not specified.

--tool-definitions

Custom tool definitions to use for identifying available ScanCentral Client versions and download URLs.

--extra-opts

Extra options to be passed to the 'scancentral package' command. Defaults to the options specified in the EXTRA_PACKAGE_OPTS environment variable, or no extra options if not specified.

--output, -o

Name of the zip file in which packaged source code should be stored. Defaults to package.zip in the current working directory.

sarif-sast-report

Generate SARIF report listing SSC SAST vulnerabilities.

Synopsis

fcli ssc action run sarif-sast-report [fcli ssc action run options] [action options, see below]

Description

This action generates a SARIF report listing Fortify SAST vulnerabilities, which may be useful for integration with various 3rd-party tools that can ingest SARIF reports. For more information about SARIF, please see https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html

Options

--file, -f: Optional output file name (or 'stdout' / 'stderr'). Default value: fortify-sast.sarif
--appversion, --av: Required application version id or <appName>:<versionName>
--filterset, --fs: Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
--page-size: Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100
--workspace-dir: Workspace/repository root directory for resolving Fortify source file paths to workspace-relative paths in reports
--source-dir: Source directory that was scanned - used for prioritizing path matches when multiple files have the same name (e.g., index.js in src/ vs node_modules/)

servicenow-csv-report

(PREVIEW) Generate ServiceNow CSV report

Synopsis

fcli ssc action run servicenow-csv-report [fcli ssc action run options] [action options, see below]

Description

This action generates a CSV report that can be imported into the ServiceNow Vulnerability Response module; please see the following link for details: https://www.servicenow.com/docs/bundle/xanadu-security-management/page/product/vulnerability-response/reference/manual-ingestion-template.html The CSV report includes all SAST, DAST, and 3rd-party issues available in the given SSC application version and filter set.

Options

--file, -f: Optional output file name (or 'stdout' / 'stderr'). Default value: servicenow-fortify.csv
--appversion, --av: Required application version id or <appName>:<versionName>
--filterset, --fs: Filter set name or guid from which to load issue data. Default value: Default filter set for given application version
--priority: Comma-separated priority levels to include in the output; defaults to Critical,High

setup-appversion

Set up application version.

Synopsis

fcli ssc action run setup-appversion [fcli ssc action run options] [action options, see below]

Description

This action allows for preparing an application version for running an application security scan, creating the application and/or release if they do not exist yet.

Although the same functionality can be achieved by manually running the fcli ssc appversion create command, this action provides a convenient and standardized approach for running this command with some default options like --skip-if-exists and --auto-required-attrs.

To provide even more consistency across CI/CD pipelines in your organization, it is recommended to implement one or more custom setup actions that provide suitable default values or even hard-coded, non-overridable values for the various options, for example based on business unit, team, and/or application type. Such custom actions could for example set standard application version attributes for a particular type of application to be scanned. Alternative to implementing multiple custom actions, you may also consider implementing a single custom action that takes for example a --profile option to select between different profiles that each define appropriate option values and setup commands to run.

Options

--appversion, --av: Required application version name as <appName>:<versionName>
--add-users: See fcli ssc appversion create
--attrs, --attributes: See fcli ssc appversion create
--copy: See fcli ssc appversion create
--description, -d: See fcli ssc appversion create
--copy-from, --from: See fcli ssc appversion create
--issue-template: See fcli ssc appversion create
--refresh-timeout: See fcli ssc appversion create. Default value: 300s
--store: See fcli ssc appversion create

sonarqube-sast-report

Generate a SonarQube External Issues report listing SSC SAST vulnerabilities.

Synopsis

fcli ssc action run sonarqube-sast-report [fcli ssc action run options] [action options, see below]

Description

For information on how to import this report into SonarQube, see https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/importing-external-issues/external-analyzer-reports/

Options

--file, -f: Optional output file name (or 'stdout' / 'stderr'). Default value: sq-fortify-sast.json
--file-path-prefix, --pfx: Optional prefix for issue file paths
--appversion, --av: Required application version id or <appName>:<versionName>
--filterset, --fs: Optional filter set name or guid from which to load issue data. Default value: Default filter set for given application version
--page-size: Number of vulnerabilities to retrieve at a time. Higher numbers may reduce time required to build the report, at the cost of increased memory usage (on both fcli and SSC), and could potentially negatively affect overall SSC performance or result in read time-outs (see --socket-timeout option on fcli ssc session login command). Default value: 100
--workspace-dir: Workspace/repository root directory for resolving Fortify source file paths to workspace-relative paths in reports
--source-dir: (DEPRECATED: use --workspace-dir) Alias for --workspace-dir

FCLI: The Universal Fortify CLI

Action Documentation: fcli ssc action

appversion-summary

Synopsis

Description

Options

aws-sast-report

Synopsis

Description

Options

bitbucket-sast-report

Synopsis

Description

Options

bulkaudit

Synopsis

Description

Options

check-policy

Synopsis

Description

Options

ci

Synopsis

Description

Bootstrap & Setup

Application Version Management

Package Configuration

Scan Execution

Post-Scan Actions

debricked-scan

Synopsis

Description

Options

github-pr-comment

Synopsis

Description

Options

github-sast-report

Synopsis

Description

Options

gitlab-codequality-report

Synopsis

Description

Options

gitlab-dast-report

Synopsis

Description

Options

gitlab-debricked-report

Synopsis

Description

Options

gitlab-sast-report

Synopsis

Description

Options

gitlab-sonatype-report

Synopsis

Description

Options

package

Synopsis

Description

Options

sarif-sast-report

Synopsis

Description

Options

servicenow-csv-report

Synopsis

Description

Options

setup-appversion

Synopsis

Description

Options

sonarqube-sast-report

Synopsis

Action Documentation: `fcli ssc action`