fortify / fcli

fcli is a command-line utility for interacting with various Fortify products
https://fortify.github.io/fcli/

security-gate-check #620

Closed PedroGarciaOT closed 2 weeks ago

PedroGarciaOT commented 4 weeks ago

Enhancement Request

It would be great to have a boolean command that would tell me if the project is compliant or not.

For Fortify on Demand, it would be nice if the security gate matches the compliance requirements and star rating of the policy assigned to the application.

My suggestion for FoD is: fcli fod security-gate-check --release='ReleaseId'

For Fortify Software Security Center, it would be nice if the security gate replaced the need to use expressions to check the issue count is greater than zero or the need to use a custom query to get a boolean value to fail the pipeline.

My suggestion for SSC is:
fcli ssc security-gate-check --version='AppVersionId'

MikeTheSnowman commented 3 weeks ago

Hey @PedroGarciaOT, this was one of the primary use cases that fcli's action capability is meant to address. Please have a look at the sample policy with `fcli fod action get check-policy`.

For usage in your pipeline, you'd just run: fcli fod action run check-policy --release <appName>:<versionName>

And if you're doing this on a micro-service release: fcli fod action run check-policy --release <appName>:<microserviceName>:<versionName>

The general idea here is that you can customize, then make your custom policy available to other people and pipelines via:

Resources:
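As an added example (not code from the fcli project or from the commenter), a small POSIX sh wrapper that turns the `check-policy` action described above into a pipeline gate, covering both the plain and the micro-service `--release` forms. It assumes `fcli` is on PATH (or given via the hypothetical `FCLI` variable) and that the action exits non-zero when the release does not meet the policy.

```shell
# Added example, not part of the fcli project. Assumptions: the fcli binary
# is on PATH or named by $FCLI, and `fcli fod action run check-policy`
# exits non-zero when the release fails the assigned policy.

# Build the --release value: <app>:<version>, or for a micro-service
# release <app>:<microservice>:<version>.
fod_release_spec() {
  app=$1; version=$2; microservice=${3:-}
  if [ -z "$app" ] || [ -z "$version" ]; then
    echo "usage: fod_release_spec <app> <version> [microservice]" >&2
    return 2
  fi
  if [ -n "$microservice" ]; then
    printf '%s:%s:%s\n' "$app" "$microservice" "$version"
  else
    printf '%s:%s\n' "$app" "$version"
  fi
}

# Run the gate and return fcli's exit status, so a CI step that calls
# this function fails when the release does not meet the policy.
fod_security_gate() {
  spec=$(fod_release_spec "$@") || return $?
  "${FCLI:-fcli}" fod action run check-policy --release "$spec"
}

# Pipeline usage (micro-service name optional):
#   fod_security_gate MyApp 1.0 || exit 1
#   fod_security_gate MyApp 1.0 MyService || exit 1
```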

PedroGarciaOT commented 2 weeks ago

That will work for now.