1- # Integrate Fortify on Demand Static AppSec Testing (SAST) into your Azure DevOps pipeline
2- # The following service connection must be establish before using this job
3- # - FoD_AMS
4- #
5- # The following task parameter must be defined
6- # - ReleaseId
1+ # Integrate Fortify on Demand Static AppSec Testing (SAST) into your Azure DevOps pipeline
2+ # The following pipeline variables must be defined before using SAST stage:
3+ # - $FOD_URL
4+ # - $FOD_CLIENT_ID
5+ # - $FOD_CLIENT_SECRET
6+ # The following pipeline variables are optional and can be defined to enable additional features:
7+ # - $FOD_RELEASE
8+ # - $FOD_PARENT_RELEASE
9+ # - $FOD_DEFAULT_OWNER
10+ # For more information on using Fortify on Demand SAST in Azure DevOps, see the documentation:
11+ # https://fortify.github.io/fcli/v3/ci/ado/script/ast-workflow-fod.html
712
8- trigger :
9- - main
10-
11- pool :
12- vmImage : ubuntu-latest
1313
14- steps :
15- - task : Maven@3
16- inputs :
17- mavenPomFile : ' pom.xml'
18- publishJUnitResults : true
19- testResultsFiles : ' **/surefire-reports/TEST-*.xml'
20- javaHomeOption : ' JDKVersion'
21- jdkVersionOption : ' 1.11'
22- mavenVersionOption : ' Default'
23- mavenOptions : ' -Xmx3072m'
24- mavenAuthenticateFeed : false
25- effectivePomSkip : false
26- sonarQubeRunAnalysis : false
27- - task : FortifyOnDemandStatic@8
28- inputs :
29- FortifyProjects : ' $(Build.Repository.LocalPath)'
30- FodConnection : ' FoD_AMS' # create Azure DevOps Service connection with name FoD_AMS
31- ReleaseOptions : ' 0'
32- ReleaseId : 00000 # update FoD RELEASE ID
33- EntitlementSelection : ' 1'
34- EntitlementPreference : ' 2'
35- OverrideScanSettings : ' 2'
36- InProgressScanActionType : ' 0'
37- RemediationScanPreference : ' 2'
38- BuildType : ' mvn'
39- PolicyFailAction : ' 0'
14+ trigger :
15+ - none
16+ stages :
17+ - stage : Build
18+ jobs :
19+ - job : Build
20+ displayName : Building IWA Project
21+ pool :
22+ vmImage : ubuntu-latest
23+ steps :
24+ - task : Maven@3
25+ inputs :
26+ mavenPomFile : ' pom.xml'
27+ mavenOptions : ' -Xmx3072m'
28+ javaHomeOption : ' JDKVersion'
29+ jdkVersionOption : ' 1.17'
30+ jdkArchitectureOption : ' x64'
31+ publishJUnitResults : true
32+ testResultsFiles : ' **/surefire-reports/TEST-*.xml'
33+ goals : ' package'
34+ - job : SAST
35+ displayName : Fortify SAST
36+ dependsOn :
37+ - Build
38+ pool :
39+ vmImage : ' ubuntu-latest'
40+ steps :
41+ - checkout : self
42+ persistCredentials : " true"
43+ clean : " true"
44+ - task : Bash@3
45+ displayName : ' Install Fortify CLI via @fortify/setup'
46+ inputs :
47+ targetType : ' inline'
48+ script : |
49+ npx @fortify/setup@v2 env init --tools=fcli:bootstrapped
50+ npx @fortify/setup@v2 env ado
51+ - task : Bash@3
52+ displayName : ' Run Fortify on Demand SAST CI Scan'
53+ inputs :
54+ targetType : ' inline'
55+ script : |
56+ set -euo pipefail
57+ fcli action run ci
58+ env :
59+ FOD_URL : $(FOD_URL)
60+ FOD_CLIENT_ID : $(FOD_CLIENT_ID)
61+ FOD_CLIENT_SECRET : $(FOD_CLIENT_SECRET)
62+ # FOD_RELEASE is optional, defaults to <org>/<repo>:<branch>
63+ # FOD_RELEASE: "$(FOD_RELEASE)"
64+ # Uncomment the following line to copy from an existing release
65+ # COPY_FROM_RELEASE: "$(FOD_PARENT_RELEASE)"
66+ # Uncomment to set the default Static Assessment type when a new release is created
67+ # SAST_ASSESSMENT_TYPE: "Static Assessment"
68+ # Example of setting extra options for when creating a new release
69+ # SETUP_EXTRA_OPTS: '--sdlc-status Development --app-owner "$(FOD_DEFAULT_OWNER)"'
70+ DO_SETUP : true
71+ DO_SAST_SCAN : true
72+ # Uncomment to enable Aviator AI audit and remedation
73+ # DO_AVIATOR_AUDIT: true
74+ # SAST_WAIT_EXTRA_OPTS: --timeout 2h
75+ DO_SCA_SCAN : true
76+ DO_WAIT : true
77+ DO_POLICY_CHECK : true
78+ DO_JOB_SUMMARY : true
79+ DO_PR_COMMENT : true
80+ DO_EXPORT : true
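Review bot: The inline script of the 'Install Fortify CLI via @fortify/setup' step has no `set -euo pipefail`, unlike the scan step below it, so a failing `env init --tools=fcli:bootstrapped` is masked whenever the following `env ado` line exits 0 and the 'Run Fortify on Demand SAST CI Scan' step then runs against a missing or half-bootstrapped fcli; add `set -euo pipefail` as that script's first line. Both `npx @fortify/setup@v2` invocations resolve the floating `v2` tag from the npm registry at run time, so the tool that executes on the agent can change without any pipeline change; pin an exact version (`npx @fortify/setup@<pinned-version>`, placeholder) and note in a comment that upgrades are deliberate. `persistCredentials: "true"` on the `checkout: self` step keeps the job's access token in the working tree's git config for every later step, including the unpinned npx one; unless the PR-comment/export flow needs git credentials from that config, drop it or add a comment stating why it is required. The comment `# Uncomment to enable Aviator AI audit and remedation` misspells "remediation".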