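# Integrate Fortify ScanCentral Static AppSec Testing (SAST) into your Azure DevOps pipeline
# The following pipeline variables must be defined before using SAST stage
# (mark the token/password ones as secret; secret variables are not exported
# to the environment automatically, which is why they are mapped explicitly
# in the container `env` block below):
# - $_FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN
# - $_FCLI_DEFAULT_SSC_USER
# - $_FCLI_DEFAULT_SSC_PASSWORD
# - $_FCLI_DEFAULT_SSC_CI_TOKEN
# - $_FCLI_DEFAULT_SSC_URL
# - $_SSC_APP_VERSION_ID
# Also expected: $_SSC_HOST (passed to `--add-host`) and $_SSC_HOST_ENTRY
# (the /etc/hosts line appended inside the scan step).
trigger:
  - none
stages:
  - stage: Build
    jobs:
      - job: Build
        displayName: Building IWA Project
        pool:
          vmImage: ubuntu-latest
        steps:
          - task: Maven@4
            displayName: 'Maven pom.xml'
            inputs:
              mavenPomFile: 'pom.xml'
              mavenOptions: '-Xmx3072m'
              javaHomeOption: 'JDKVersion'
              jdkVersionOption: '1.17'
              jdkArchitectureOption: 'x64'
              publishJUnitResults: true
              testResultsFiles: '**/surefire-reports/TEST-*.xml'
              goals: 'package'
      - job: SAST
        displayName: Fortify SAST
        dependsOn:
          - Build
        pool:
          vmImage: ubuntu-latest
        # The whole job runs inside the Fortify CI tools image so that
        # fcli / scancentral are available without a separate install step.
        container:
          image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17
          options: "--add-host=$(_SSC_HOST)"
          env:
            FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN: $(_FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN)
            FCLI_DEFAULT_SSC_USER: $(_FCLI_DEFAULT_SSC_USER)
            FCLI_DEFAULT_SSC_PASSWORD: $(_FCLI_DEFAULT_SSC_PASSWORD)
            FCLI_DEFAULT_SSC_CI_TOKEN: $(_FCLI_DEFAULT_SSC_CI_TOKEN)
            FCLI_DEFAULT_SSC_URL: $(_FCLI_DEFAULT_SSC_URL)
            SSC_APP_VERSION_ID: $(_SSC_APP_VERSION_ID)
            # Quoted: a version string must not be parsed as a YAML float
            # (e.g. a future "24.10" would otherwise become 24.1).
            SC_SAST_SENSOR_VERSION: '24.2'
        steps:
          # `set -euo pipefail` makes the step fail on the first failing
          # command; without it a failed package/scan could be masked by the
          # final `logout` commands exiting successfully.
          # Prefer installing the SSC CA certificate in the image over the
          # `--insecure` switch mentioned below, since that switch disables
          # TLS verification for the whole session.
          - script: |
              set -euo pipefail
              echo Setting connection with Fortify Platform
              echo "$(_SSC_HOST_ENTRY)" >> /etc/hosts
              #Use --insecure switch if the SSL certificate is self generated.
              fcli ssc session login
              fcli sc-sast session login
              scancentral package -bt mvn -o package.zip
              fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id
              fcli sc-sast scan wait-for ::Id:: --interval=30s
              fcli ssc issue count --appversion=$SSC_APP_VERSION_ID
              echo Terminating connection with Fortify Platform
              fcli sc-sast session logout
              fcli ssc session logout
            displayName: Scan Central Scan
            continueOnError: false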