Synopsis

fcli ssc session login [[-h] [--env-prefix=<envPrefix>] [--log-file=<logFile>] [--log-level=<logLevel>] [--log-mask=<logMaskLevel>] [--debug]] [[-o=type[=<args>]] [--style=<outputStyleElements>[,<outputStyleElements>...]]... [--store=variableName[:<propertyNames>]] [--to-file=<outputFile>]] ([-k] [--socket-timeout=<socketTimeout>] [--connect-timeout=<connectTimeout>] --url=<sscUrl> [--sc-sast-url=<scSastControllerUrl>]) ([-c[=<scSastClientAuthToken>]] -u=<user> -p[=<password>] [--expire-in=<expireIn>]) | -t[=<token>] [[--ssc-session=<sessionName>]]

Description

This command stores the URLs and authentication tokens for interacting with SSC and optionally ScanCentral SAST/DAST in an encrypted session file in the fcli state data folder. You can authenticate with either SSC username and password, or a previously generated SSC token.

When authenticating with username and password, this command will connect to SSC to generate an AutomationToken (falling back to UnifiedLoginToken for older SSC versions); the user password is not stored by fcli. When logging in with a previously generated token, this token will be stored as-is after checking its validity. Note that on SSC 23.2 or below, fcli cannot determine when a pre-generated token will expire.

For interactive use, you may choose to keep the session open until it expires. For CI/CD integrations and other automations, you should always invoke the logout command once work is complete to allow for tokens to be cleaned up in SSC. On shared/non-containerized CI/CD systems, consider setting FCLI_STATE_DIR or FCLI_DATA_DIR environment variables to prevent unexpected interactions between different pipelines.

To avoid having to remember the various option values whenever you run the 'fcli ssc session login' command, consider using fcli's support for providing default option values through environment variables; see fcli documentation for details. If you always connect to the same SSC environment, you can, for example, set the FCLI_DEFAULT_SSC_URL environment variable to avoid having to re-enter the SSC URL on every login. You can do the same for user/password, but you should consider whether anyone else may be able to see the environment variable values. If you frequently connect to multiple SSC environments, you can, for example, define PROD_SSC_URL and DEV_SSC_URL environment variables, and then use the --env-prefix=PROD or --env-prefix=DEV option to select the environment variables from which the default values should be retrieved.
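
An added example, not part of the fcli documentation: a POSIX shell wrapper for CI jobs that applies the advice above (a private FCLI_STATE_DIR per job, and a logout once work is complete, even when the work fails). SSC_URL, SSC_TOKEN and with_ssc_session are hypothetical names, and the example assumes 'fcli ssc session logout' accepts the same --ssc-session option as login.

```sh
#!/bin/sh
# Added example, not fcli project code. SSC_URL and SSC_TOKEN are hypothetical
# names for values injected by the CI secret store.

# with_ssc_session <session-name> <command...>
# Logs in, runs the command, then always logs out so SSC can clean up the
# token. The body is a subshell, so FCLI_STATE_DIR does not leak to the caller.
with_ssc_session() (
    session=$1; shift
    if [ -z "${SSC_URL:-}" ] || [ -z "${SSC_TOKEN:-}" ]; then
        echo "SSC_URL and SSC_TOKEN must be set" >&2; exit 2
    fi
    # -k/--insecure is never passed here, so insist on an HTTPS URL up front.
    case $SSC_URL in
        https://*) ;;
        *) echo "refusing non-HTTPS SSC URL" >&2; exit 2 ;;
    esac

    # Private state folder per job: the encrypted session file cannot
    # interact with other pipelines on a shared runner.
    FCLI_STATE_DIR=$(mktemp -d) || exit 1
    export FCLI_STATE_DIR

    # The token is passed as an option value for brevity; fcli's default-value
    # environment variables (see fcli documentation) are the alternative.
    rc=0
    if fcli ssc session login --url="$SSC_URL" --token="$SSC_TOKEN" \
            --ssc-session="$session"; then
        "$@" || rc=$?
        if ! fcli ssc session logout --ssc-session="$session"; then
            echo "logout failed; token may still be active in SSC" >&2
            [ "$rc" -ne 0 ] || rc=3
        fi
    else
        rc=1
    fi
    rm -rf "$FCLI_STATE_DIR"
    exit "$rc"
)

# Usage in a pipeline step (report.sh is a placeholder):
#   with_ssc_session nightly-scan ./report.sh
```

The wrapper returns the wrapped command's exit status, 1 if login fails, 2 for missing or non-HTTPS input, and 3 if only the logout failed.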

Options

-c, --client-auth-token[=<scSastClientAuthToken>]

ScanCentral SAST client_auth_token (shared secret). This token must match the client_auth_token property in ScanCentral SAST Controller config.properties file. This is not an SSC token.

-u, --user=<user>

SSC user name.

-p, --password[=<password>]

SSC password.

--expire-in=<expireIn>

When authenticating with user credentials, specify for how long the session token should remain active, for example 1h (1 hour), 1d (1 day). Default value: 3d. Note that actual session lifetime may be shorter due to maximum token lifetime configured on SSC.

-t, --token[=<token>]

SSC token in either encoded (REST) or decoded (application) format. Tokens can be created through the SSC web UI, or using the 'fcli ssc access-control create-token' command. Fcli supports all SSC token types, but functionality may be (significantly) reduced depending on token permissions. To allow for SC-SAST/SC-DAST interaction, you should use an AutomationToken, CIToken, or UnifiedLoginToken.

--url=<sscUrl>

SSC URL.

--sc-sast-url=<scSastControllerUrl>

Override ScanCentral SAST Controller URL. If not specified, the controller URL as configured in SSC will be used.

-k, --insecure

Disable SSL checks.

--socket-timeout=<socketTimeout>

Socket timeout for this session, for example 30s (30 seconds), 5m (5 minutes). Default value: 5 minutes.

--connect-timeout=<connectTimeout>

Connection timeout for this session, for example 30s (30 seconds), 5m (5 minutes). Default value: 10 seconds.

SSC session name options

--ssc-session=<sessionName>

Name for this SSC session. Default value: default.

Output options

-o, --output=type[=<args>]

Specify output type and optional type arguments. Available output formats: csv, table, expr, json, xml, yaml. The 'expr' output format takes a string containing '{property}' placeholders, other output formats take an optional, comma-separated list of properties to include in the output.

--style=<outputStyleElements>[,<outputStyleElements>...]

Comma-separated list of style elements to apply to the selected output format. Allowed values: header, no-header, pretty, no-pretty, flat, no-flat, array, single, border, no-border, md-border.

--store=variableName[:<propertyNames>]

Store the JSON results of this command in a variable. Variables can be managed through the 'fcli util variable' command, and can be referenced using ::variable::[property] on any subsequent command.

--to-file=<outputFile>

Write command output to the specified file instead of stdout.

Generic fcli options

-h, --help

Show this help message and exit. Use 'fcli <command> -h' to display help for subcommands.

--env-prefix=<envPrefix>

Environment variable prefix for resolving default option and parameter values. Default value: FCLI_DEFAULT.

--log-file=<logFile>

File where logging data will be written. Defaults to fcli.log in current directory if --log-level is specified.

--log-level=<logLevel>

Set logging level. Note that DEBUG and TRACE levels may result in sensitive data being written to the log file. Allowed values: TRACE, DEBUG, INFO, WARN, ERROR, NONE.

--log-mask=<logMaskLevel>

Masking level to apply to logging data. Allowed values: high, medium, low, none. Default value: medium. Note that this is on a best-effort basis; you should always check log contents for sensitive data before sharing or publishing logs.

--debug

Enable both fcli trace logging and collection of extra debugging data on applicable fcli actions and commands, for example enabling debug logging on tools invoked through fcli tool run commands, or enabling server-side debug log generation.