Thanks for reporting this! The detailed information you provided made it easy to fix the documentation. The documentation has now been updated in the latest 1.2.0 release of the GitHub Action.
The sc-sast-scan section has some incorrect/missing inputs.

1. Replace SC_SAST_CLIENT_AUTH_TOKEN with SC_SAST_TOKEN.

If we inspect the code from /internal/sc-sast-login/action.yml, SC_SAST_CLIENT_AUTH_TOKEN is not being used. Instead SC_SAST_TOKEN is being passed to fcli for client authentication.
https://github.com/fortify/github-action/blob/8b0076872ea5d24f27ebc292a84a1a76cb8179eb/internal/sc-sast-login/action.yml#L21

If we followed the documentation by not passing in SC_SAST_TOKEN, we get the following error:

2. SC_SAST_SENSOR_VERSION is required

When fcli is invoking sc-sast scan start, it was complaining of a missing --sensor-version parameter.

The code snippet is passing SC_SAST_SENSOR_VERSION as a parameter to fcli, but was undocumented in the README.
https://github.com/fortify/github-action/blob/8b0076872ea5d24f27ebc292a84a1a76cb8179eb/sc-sast-scan/action.yml#L15

This is a sample of the correction made when calling sc-sast-scan@v1.

GHA output

SC SAST in SSC (GMT +8 Timezone)