Fortify AST Scan
Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your software supply chain. As the sole Code Security solution with over two decades of expertise and acknowledged as a market leader by all major analysts, Fortify delivers the most adaptable, precise, and scalable AppSec platform available, supporting the breadth of tech you use and integrated into your preferred toolchain. We firmly believe that your great code demands great security, and with Fortify, go beyond 'check the box' security to achieve that.
The fortify/github-action GitHub Action allows for easy integration of OpenText Fortify Application Security Testing (AST) into your GitHub Action workflows by bootstrapping the latest fcli v3 release using the @fortify/setup NPM component, and then running the fcli action run ci command.
As such, this GitHub Action automatically benefits from new features and bug fixes as they are introduced in fcli, although there are options to use a fixed fcli version in case you need more stability. At the time of writing, the fcli ci action provides out-of-the-box support for Static Application Security Testing (SAST) and Software Composition Analysis (SCA); support for Dynamic or Mobile Application Security Testing (DAST & MAST) may be added in the future.
Apart from the top-level fortify/github-action (and related fortify/github-action/with-github-artifacts, fortify/github-action/with-ghes-artifacts, and fortify/github-action/without-artifacts sub-actions) for running the fcli-based ci workflow, this repository also provides the fortify/github-action/setup GitHub Action. This setup action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products.
```yaml
name: Fortify on Demand Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  fortify:
    runs-on: ubuntu-latest
    # permissions:              # When overriding default permissions, following are required:
    #   contents: read          # Required for checkout action
    #   security-events: write  # Required for publishing security reports to GitHub Security tab
    #   pull-requests: write    # Required if DO_PR_COMMENT is set to true
    steps:
      - uses: actions/checkout@v4              # Check out source code
      - uses: actions/setup-<build-tool>@vX    # Set up build tool(s) required to build your project
      # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts
      # to GitHub artifact storage (see artifact storage section below for alternative options)
      - uses: fortify/github-action@v3
        name: Run Fortify Scan
        env:
          FOD_URL: ${{ vars.FOD_URL }}
          FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }}
          FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }}
          # FOD_RELEASE: MyApp:main        # Optional: defaults to repo:branch
          # FCLI_BOOTSTRAP_VERSION: v3.15  # Optional if you prefer stability over latest
```

```yaml
name: Fortify SSC Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  fortify:
    runs-on: ubuntu-latest
    # permissions:              # When overriding default permissions, following are required:
    #   contents: read          # Required for checkout action
    #   security-events: write  # Required for publishing security reports to GitHub Security tab
    #   pull-requests: write    # Required if DO_PR_COMMENT is set to true
    steps:
      - uses: actions/checkout@v4              # Check out source code
      - uses: actions/setup-<build-tool>@vX    # Set up build tool(s) required to build your project
      # Bootstrap fcli, run the fcli-based Fortify CI workflow, and upload any debug artifacts
      # to GitHub artifact storage (see artifact storage section below for alternative options)
      - uses: fortify/github-action@v3
        name: Run Fortify Scan
        env:
          SSC_URL: ${{ vars.SSC_URL }}
          SSC_TOKEN: ${{ secrets.SSC_TOKEN }}
          SC_SAST_TOKEN: ${{ secrets.SC_SAST_TOKEN }}
          # SSC_APPVERSION: MyApp:main  # Optional: defaults to repo:branch
```

```yaml
name: Custom Fortify Workflow
on: [push]
jobs:
  custom-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: fortify/github-action/setup@v3
        with:
          fcli: bootstrapped  # Set up bootstrapped fcli version. May also specify specific version, but
                              # then fcli may be downloaded twice (bootstrap version and requested version).
        env:
          FCLI_BOOTSTRAP_VERSION: v3.15.0  # Defaults to latest v3.x.y, pin to specific version for stability
      - name: Run custom fcli commands
        run: |
          fcli fod session login ...
          # Your custom workflow here
          fcli fod session logout ...
```

If debugging is enabled (either via the debug: true action input or by re-running the workflow with GitHub's "Enable debug logging" option), debug artifacts are collected during the scan and uploaded after the scan completes.
The top-level fortify/github-action action uploads debug artifacts to GitHub.com artifact storage using actions/upload-artifact@v7. If this doesn't match your environment, the following sub-actions provide alternatives:
| Sub-action | Description |
|---|---|
| fortify/github-action | Default. Uploads to GitHub.com artifact storage using actions/upload-artifact@v7. |
| fortify/github-action/with-github-artifacts | Identical to the default; use this when you want to make the artifact storage choice explicit in your workflow. |
| fortify/github-action/with-ghes-artifacts | Uploads to GHES-compatible artifact storage using actions/upload-artifact@v3. Use this on GitHub Enterprise Server. |
| fortify/github-action/without-artifacts | Does not upload artifacts. Exposes upload-debug-artifacts and debug-artifacts-dir outputs so you can add your own upload step targeting any storage backend. |
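A worked example of the without-artifacts pattern from the table above, added here and not part of the fortify/github-action documentation: the scan step gets an id so that its documented upload-debug-artifacts and debug-artifacts-dir outputs can drive a custom upload step that runs even when the scan failed. The step id, the S3 bucket and IAM role variables, and the assumption that upload-debug-artifacts is the string 'true' when there is something to upload are all assumptions; the aws-actions/configure-aws-credentials OIDC step stands in for whatever backend you use and avoids storing long-lived cloud keys as repository secrets.

```yaml
# Added example, not from the fortify/github-action repository.
name: Fortify SSC Scan (custom debug-artifact upload)
on:
  push:
    branches: [main]
jobs:
  fortify:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # checkout
      security-events: write  # publish results to the GitHub Security tab
      id-token: write         # ASSUMED backend: needed only for the OIDC-to-AWS upload below
    steps:
      - uses: actions/checkout@v4
      - uses: fortify/github-action/without-artifacts@v3
        id: fortify           # id is ours; needed to reference the sub-action's outputs
        with:
          debug: true         # collect debug artifacts (documented action input)
        env:
          SSC_URL: ${{ vars.SSC_URL }}
          SSC_TOKEN: ${{ secrets.SSC_TOKEN }}
          SC_SAST_TOKEN: ${{ secrets.SC_SAST_TOKEN }}
      # always() keeps the upload running when the scan step failed, which is when the
      # debug output matters most. ASSUMPTION: upload-debug-artifacts is the string 'true'
      # when there is something to upload.
      - name: Configure AWS credentials via OIDC (hypothetical backend)
        if: always() && steps.fortify.outputs.upload-debug-artifacts == 'true'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.DEBUG_ARTIFACT_ROLE_ARN }}  # hypothetical variable
          aws-region: ${{ vars.AWS_REGION }}                   # hypothetical variable
      - name: Upload debug artifacts to S3
        if: always() && steps.fortify.outputs.upload-debug-artifacts == 'true'
        env:
          # Pass outputs through env rather than interpolating ${{ }} into the script body,
          # so the values are never re-parsed by the shell.
          DEBUG_DIR: ${{ steps.fortify.outputs.debug-artifacts-dir }}
          BUCKET: ${{ vars.DEBUG_ARTIFACT_BUCKET }}            # hypothetical variable
        run: |
          # Key the upload by repository, run id and attempt so reruns never overwrite each other
          aws s3 cp --recursive "$DEBUG_DIR" \
            "s3://${BUCKET}/${GITHUB_REPOSITORY}/${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}/"
```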
Given that these GitHub Actions are just thin wrappers around @fortify/setup and fcli, detailed usage documentation is available on the fcli documentation website:
- fortify/github-action (default — GitHub.com artifact upload): FoD | SSC
- fortify/github-action/with-github-artifacts (explicit GitHub.com artifact upload): FoD | SSC
- fortify/github-action/with-ghes-artifacts (GHES-compatible artifact upload): FoD | SSC
- fortify/github-action/without-artifacts (custom artifact upload): FoD | SSC
- fortify/github-action/setup
- Contributing Guidelines: CONTRIBUTING.md
- Code of Conduct: CODE_OF_CONDUCT.md
- License: LICENSE.txt
For general assistance, please join the Fortify Community to get tips and tricks from other users and the OpenText team.
OpenText customers can contact our world-class support team for questions, enhancement requests and bug reports. You can also raise questions and issues through your OpenText Fortify representative like Customer Success Manager or Technical Account Manager if applicable.
You may also consider raising questions or issues through the GitHub Issues page (if available for this repository), providing public visibility and allowing anyone (including all contributors) to review and comment on your question or issue. Note that this requires a GitHub account, and given public visibility, you should refrain from posting any confidential data through this channel.
This document was auto-generated from README.template.md; do not edit by hand
Fortify AST Scan is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.