fortify · SangameshV · Mar 29, 2026
diff --git a/fcli-core/fcli-fod/src/main/resources/com/fortify/cli/fod/actions/zip/release-issues.yaml b/fcli-core/fcli-fod/src/main/resources/com/fortify/cli/fod/actions/zip/release-issues.yaml
@@ -0,0 +1,47 @@
+# yaml-language-server: $schema=https://fortify.github.io/fcli/schemas/action/fcli-action-schema-dev-2.x.json
+
+author: Fortify
+usage:
+  header: (PREVIEW) List issues for FoD release
+  description: |
+    This action lists issues for the given FoD release and writes the output as JSON
+    to stdout, stderr, or a file.
+
+config:
+  output: immediate
+  rest.target.default: fod
+
+cli.options:
+  release:
+    names: --release, --rel
+    description: Required release id or <appName>:[<microserviceName>:]<releaseName>
+    required: true
+  query:
+    names: --query, -q
+    description: Optional issue query expression
+    required: false
+  embed:
+    names: --embed
+    description: Optional comma-separated embedded data to include
+    required: false
+  include:
+    names: --include
+    description: Optional comma-separated include flags
+    required: false
+  file:
+    names: --file, -f
+    description: Output target (stdout, stderr, or file path)
+    required: false
+    default: stdout
+
+steps:
+  - run.fcli:
+      issues:
+        cmd: fod issue ls --rel "${cli.release}" ${#opt("-q", cli.query)} ${#opt("--embed", cli.embed)} ${#opt("--include", cli.include)}
+        records.collect: true
+
+  - out.write:
+      ${cli.file}: ${issues.records}
+
+  - if: ${!{'stdout','stderr'}.contains(cli.file)}
+    log.info: Output written to ${cli.file}
diff --git a/fcli-core/fcli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/appversion-issues.yaml b/fcli-core/fcli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/appversion-issues.yaml
@@ -0,0 +1,51 @@
+# yaml-language-server: $schema=https://fortify.github.io/fcli/schemas/action/fcli-action-schema-dev-2.x.json
+
+author: Fortify
+usage:
+  header: (PREVIEW) List issues for SSC application version
+  description: |
+    This action lists issues for the given SSC application version and writes the output
+    as JSON to stdout, stderr, or a file.
+
+config:
+  output: immediate
+  rest.target.default: ssc
+
+cli.options:
+  appversion:
+    names: --appversion, --av
+    description: SSC application version id or <appName>:<versionName>
+    required: true
+  filterset:
+    names: --filterset, --fs
+    description: Optional filter set name or id
+    required: false
+  query:
+    names: --query, -q
+    description: Optional issue query expression
+    required: false
+  embed:
+    names: --embed
+    description: Optional comma-separated embedded data to include
+    required: false
+  include:
+    names: --include
+    description: Optional comma-separated include flags
+    required: false
+  file:
+    names: --file, -f
+    description: Output target (stdout, stderr, or file path)
+    required: false
+    default: stdout
+
+steps:
+  - run.fcli:
+      issues:
+        cmd: ssc issue ls --av "${cli.appversion}" ${#opt("--fs", cli.filterset)} ${#opt("-q", cli.query)} ${#opt("--embed", cli.embed)} ${#opt("--include", cli.include)}
+        records.collect: true
+
+  - out.write:
+      ${cli.file}: ${issues.records}
+
+  - if: ${!{'stdout','stderr'}.contains(cli.file)}
+    log.info: Output written to ${cli.file}
diff --git a/...main/resources/com/fortify/cli/ssc/actions/zip/aviator-apply-remediations-appversion.yaml b/...main/resources/com/fortify/cli/ssc/actions/zip/aviator-apply-remediations-appversion.yaml
@@ -0,0 +1,95 @@
+# yaml-language-server: $schema=https://fortify.github.io/fcli/schemas/action/fcli-action-schema-dev-2.x.json
+
+author: Fortify
+usage:
+  header: (PREVIEW) Apply Aviator remediations from SSC appversion to source code
+  description: |
+    This action applies Aviator auto-remediations to source code for a given SSC application version.
+    If --artifact is not provided, the action first runs Aviator audit to generate and upload an
+    audited artifact, then applies remediations from that artifact.
+
+config:
+  output: immediate
+  rest.target.default: ssc
+  run.fcli.status.log.default: true
+  run.fcli.status.check.default: true
+
+cli.options:
+  appversion:
+    names: --appversion, --av
+    description: SSC application version id or <appName>:<versionName>
+    required: true
+  sourceDir:
+    names: --source-dir, -s
+    description: Source code directory where remediations should be applied
+    required: false
+    default: .
+  artifact:
+    names: --artifact
+    description: Optional existing SSC artifact id; if specified, audit step is skipped
+    required: false
+  app:
+    names: --app
+    description: Optional Aviator application name override for audit step
+    required: false
+  tagMapping:
+    names: --tag-mapping
+    description: Optional path to tag-mapping YAML file for audit step
+    required: false
+  prepare:
+    names: --prepare
+    description: Run aviator ssc prepare for the specified appversion before audit
+    required: false
+    type: boolean
+    default: false
+  noFilterset:
+    names: --no-filterset
+    description: Ignore SSC filter set during audit step
+    required: false
+    type: boolean
+    default: false
+  filterset:
+    names: --filterset, --fs
+    description: Optional filter set name or id for audit step
+    required: false
+  refresh:
+    names: --refresh
+    description: Refresh SSC metrics before auditing
+    required: false
+    type: boolean
+    default: true
+  refreshTimeout:
+    names: --refresh-timeout
+    description: Refresh timeout, for example 60s, 5m, 1h
+    required: false
+    default: 60s
+  skipWait:
+    names: --skip-wait
+    description: Skip waiting for SSC artifact processing after audit upload
+    required: false
+    type: boolean
+    default: false
+
+steps:
+  - var.set:
+      auditArtifactStoreVar: aviator_remediate_${#action.runID().replace('-','_')}
+
+  - if: ${#isBlank(cli.artifact) && cli.prepare}
+    run.fcli:
+      PREPARE: aviator ssc prepare --av "${cli.appversion}"
+
+  - if: ${#isBlank(cli.artifact)}
+    run.fcli:
+      AUDIT:
+        cmd: aviator ssc audit --av "${cli.appversion}" ${#opt("--app", cli.app)} ${#opt("--tag-mapping", cli.tagMapping)} ${cli.noFilterset?"--no-filterset":""} ${#opt("--fs", cli.filterset)} --refresh=${cli.refresh} --refresh-timeout="${cli.refreshTimeout}" --store ${auditArtifactStoreVar}
+
+  - if: ${#isBlank(cli.artifact) && !cli.skipWait}
+    run.fcli:
+      WAIT: ssc artifact wait-for ::${auditArtifactStoreVar}::
+
+  - var.set:
+      remediationArtifactRef: ${#isBlank(cli.artifact)?'::'+auditArtifactStoreVar+'::':cli.artifact}
+
+  - run.fcli:
+      APPLY_REMEDIATIONS:
+        cmd: aviator ssc apply-remediations --artifact "${remediationArtifactRef}" --source-dir "${cli.sourceDir}"
diff --git a/...fcli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/aviator-audit-appversion.yaml b/...fcli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/aviator-audit-appversion.yaml
@@ -0,0 +1,77 @@
+# yaml-language-server: $schema=https://fortify.github.io/fcli/schemas/action/fcli-action-schema-dev-2.x.json
+
+author: Fortify
+usage:
+  header: (PREVIEW) Run Aviator audit for SSC application version
+  description: |
+    This action runs Aviator audit for a single SSC application version,
+    optionally prepares Aviator tags first, and waits for uploaded artifact processing.
+
+config:
+  output: immediate
+  rest.target.default: ssc
+  run.fcli.status.log.default: true
+  run.fcli.status.check.default: true
+
+cli.options:
+  appversion:
+    names: --appversion, --av
+    description: SSC application version id or <appName>:<versionName>
+    required: true
+  app:
+    names: --app
+    description: Optional Aviator application name override
+    required: false
+  tagMapping:
+    names: --tag-mapping
+    description: Optional path to tag-mapping YAML file
+    required: false
+  prepare:
+    names: --prepare
+    description: Run aviator ssc prepare for the specified appversion before auditing
+    required: false
+    type: boolean
+    default: false
+  noFilterset:
+    names: --no-filterset
+    description: Ignore SSC filter set during auditing
+    required: false
+    type: boolean
+    default: false
+  filterset:
+    names: --filterset, --fs
+    description: Optional filter set name or id
+    required: false
+  refresh:
+    names: --refresh
+    description: Refresh SSC metrics before auditing
+    required: false
+    type: boolean
+    default: true
+  refreshTimeout:
+    names: --refresh-timeout
+    description: Refresh timeout, for example 60s, 5m, 1h
+    required: false
+    default: 60s
+  skipWait:
+    names: --skip-wait
+    description: Skip waiting for SSC artifact processing after audit upload
+    required: false
+    type: boolean
+    default: false
+
+steps:
+  - var.set:
+      artifactStoreVar: aviator_audit_${#action.runID().replace('-','_')}
+
+  - if: ${cli.prepare}
+    run.fcli:
+      PREPARE: aviator ssc prepare --av "${cli.appversion}"
+
+  - run.fcli:
+      AUDIT:
+        cmd: aviator ssc audit --av "${cli.appversion}" ${#opt("--app", cli.app)} ${#opt("--tag-mapping", cli.tagMapping)} ${cli.noFilterset?"--no-filterset":""} ${#opt("--fs", cli.filterset)} --refresh=${cli.refresh} --refresh-timeout="${cli.refreshTimeout}" --store ${artifactStoreVar}
+
+  - if: ${!cli.skipWait}
+    run.fcli:
+      WAIT: ssc artifact wait-for ::${artifactStoreVar}::
diff --git a/...cli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/sourceanalyzer-local-scan.yaml b/...cli-ssc/src/main/resources/com/fortify/cli/ssc/actions/zip/sourceanalyzer-local-scan.yaml
@@ -0,0 +1,86 @@
+# yaml-language-server: $schema=https://fortify.github.io/fcli/schemas/action/fcli-action-schema-dev-2.x.json
+
+author: Fortify
+usage:
+  header: (PREVIEW) Run local SourceAnalyzer scan and upload to SSC
+  description: |
+    This action performs a local Fortify SourceAnalyzer scan against the given source directory,
+    writes an FPR file, and optionally uploads the resulting artifact to SSC.
+
+config:
+  output: immediate
+  rest.target.default: ssc
+  run.fcli.status.log.default: true
+  run.fcli.status.check.default: true
+
+cli.options:
+  appversion:
+    names: --appversion, --av
+    description: SSC application version id or <appName>:<versionName> to upload scan results to
+    required: true
+  sourceDir:
+    names: --source-dir, -s
+    description: Source directory to scan
+    required: false
+    default: .
+  buildId:
+    names: --build-id, -b
+    description: SourceAnalyzer build id
+    required: false
+    default: fcli-local-scan
+  fprFile:
+    names: --fpr-file, -f
+    description: Output FPR file path
+    required: false
+    default: sourceanalyzer.fpr
+  sourceAnalyzerVersion:
+    names: --sourceanalyzer-version, -v
+    description: |
+      SourceAnalyzer version, installation path, latest, or auto.
+      Defaults to SOURCEANALYZER_HOME or SOURCEANALYZER_VERSION env vars, then auto.
+    required: false
+    default: ${#ifBlank(#env('SOURCEANALYZER_HOME'),#ifBlank(#env('SOURCEANALYZER_VERSION'),'auto'))}
+  toolDefinitions:
+    names: --tool-definitions
+    description: Custom tool definitions for resolving SourceAnalyzer versions and download URLs
+    required: false
+  upload:
+    names: --upload
+    description: Upload generated FPR to SSC
+    required: false
+    type: boolean
+    default: true
+  skipWait:
+    names: --skip-wait
+    description: Skip waiting for SSC artifact processing after upload
+    required: false
+    type: boolean
+    default: false
+  extraTranslateOpts:
+    names: --extra-translate-opts
+    description: Extra options to pass to the SourceAnalyzer translate phase
+    required: false
+  extraScanOpts:
+    names: --extra-scan-opts
+    description: Extra options to pass to the SourceAnalyzer scan phase
+    required: false
+
+steps:
+  - var.set:
+      resolvedFprFile: ${#resolveAgainstCurrentWorkDir(cli.fprFile)}
+      artifactStoreVar: sa_local_scan_${#action.runID().replace('-','_')}
+
+  - run.fcli:
+      SETUP_TOOLS: fcli tool env init "--tools=sourceanalyzer:${cli.sourceAnalyzerVersion}" ${#opt("--tool-definitions", cli.toolDefinitions)}
+      TRANSLATE:
+        cmd: fcli tool sourceanalyzer run --workdir ${cli.sourceDir} -- -b "${cli.buildId}" ${cli.extraTranslateOpts}
+      SCAN:
+        cmd: fcli tool sourceanalyzer run --workdir ${cli.sourceDir} -- -b "${cli.buildId}" -scan -f "${resolvedFprFile}" ${cli.extraScanOpts}
+
+  - if: ${cli.upload}
+    run.fcli:
+      UPLOAD: fcli ssc artifact upload --av "${cli.appversion}" -f "${resolvedFprFile}" --store ${artifactStoreVar}
+
+  - if: ${cli.upload && !cli.skipWait}
+    run.fcli:
+      WAIT: fcli ssc artifact wait-for ::${artifactStoreVar}::