fortify / github-action

Fortify GitHub Actions

Possible to use SSC without ScanCentral SAST? #25

Open jizusun opened 8 months ago

jizusun commented 8 months ago

Hi community,

I'm trying to set up the GitHub action for our internal Fortify SSC.

When I'm using the following setup:

name: Fortify
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

env:
  FORTIFY_URL: https://fortify.mycorp.com/ssc

jobs:
  build:
    runs-on: [self-hosted, linux, x64, my-corp, ubuntu-latest]
    steps:
      - name: Check out source code
        uses: actions/checkout@v4
      - name: Run ScanCentral SAST Scan
        uses: fortify/github-action@v1
        # with:
        #   sast-scan: true
        env:
          SSC_URL: ${{ env.FORTIFY_URL }}
          SSC_TOKEN: ${{secrets.SSC_TOKEN}}
          # SC_SAST_TOKEN: ${{secrets.SSC_TOKEN}}

I had an error during the execution:

/opt/actions-runner/_work/_temp/fortify/fcli/2.1.0/bin/fcli sc-sast session login --ssc-url https://fortify.philips.com/ssc -t *** -c ***
java.lang.IllegalStateException: ScanCentral SAST must be enabled in SSC
    at com.fortify.cli.sc_sast._common.session.helper.SCSastSessionDescriptor.checkScSastIsEnabled(SCSastSessionDescriptor.java:186)
    at com.fortify.cli.sc_sast._common.session.helper.SCSastSessionDescriptor.getScSastUrl(SCSastSessionDescriptor.java:170)
    at com.fortify.cli.ssc.access_control.helper.SSCTokenHelper.run(SSCTokenHelper.java:94)
    at com.fortify.cli.sc_sast._common.session.helper.SCSastSessionDescriptor.getScSastUrl(SCSastSessionDescriptor.java:165)
    at 

Is it possible to use SSC without ScanCentral SAST?

MikeTheSnowman commented 8 months ago

Hello @jizusun. Can you please describe what you wish to accomplish with Fortify SSC?

Please keep in mind that Fortify SSC is a server that is basically used as a centralized location to store your scan results, generate reports, and to facilitate collaborative auditing. SSC by itself does not do any scanning; all SAST scanning is handled by ScanCentral SAST.

rsenden commented 4 months ago

Just to add to the above, the current GitHub Action only supports running scans on ScanCentral SAST. Potentially it could be interesting to add support for running Fortify SCA scans directly on a GitHub Runner, however this is not on our roadmap for the near future for various reasons as detailed below.

Potentially, we could support self-hosted runners that already have Fortify SCA (and license) installed. However, we'd need to implement some mechanism to locate this Fortify SCA installation. For example, do we depend on this installation being on the system PATH, or do we accept some configurable input that allows the workflow to explicitly specify Fortify SCA location?

Alternatively, we could support dynamically downloading and installing Fortify SCA during workflow execution, however:

  • There is no public download for Fortify SCA, so we can't easily download and install Fortify SCA during workflow execution. Customers would need to host Fortify SCA on some internal download server, and allow their GitHub Runners to access this download location, without exposing this download location to the full internet.
  • We'd need to implement some approach for handling the Fortify license, for example stored as a GitHub secret.
  • The Fortify SCA installation bundle is relatively large and the installation process takes relatively long, so this approach would significantly affect workflow execution time.

Apart from the above, some general considerations:

  • Version compatibility might be an issue; depending on Fortify SCA (installer) version, some command-line options and/or features may or may not be available.
  • Some Fortify SCA command-line tools and the installer are platform-dependent, so we'd potentially need multiple implementations for each supported platform.
  • The workflow would need to wait until the scan has completed; contrary to ScanCentral SAST, we wouldn't be able to just submit a scan request and then continue/terminate workflow execution.

jizusun commented 4 months ago

Oh thank you! I get your point.

We have a GitHub Action internally inside Philips that does something like what you describe, which is downloading Fortify and the license from Artifactory to the runner and running it.
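Given rsenden's considerations above (locating a pre-installed Fortify SCA via PATH or an explicit input, keeping the license in a secret, hosting the installer on an internal server) and the Artifactory-based internal action jizusun describes, here is an added example of a step script for such a self-hosted-runner setup; it is not code from fortify/github-action or from Philips. FORTIFY_SCA_HOME, FORTIFY_SCA_INSTALLER, FORTIFY_SCA_SHA256 and FORTIFY_LICENSE are assumed workflow inputs/secrets, not inputs the action defines.

```shell
#!/usr/bin/env bash
# Added example (not from fortify/github-action or Philips). Assumed inputs:
#   FORTIFY_SCA_HOME       optional explicit install root (workflow input)
#   FORTIFY_SCA_INSTALLER  optional installer staged from an internal server
#   FORTIFY_SCA_SHA256     checksum pinned in the workflow for that installer
#   FORTIFY_LICENSE        license file contents, passed as a GitHub secret

# Resolve the Fortify SCA install root: explicit input first, then PATH lookup
# of sourceanalyzer (the two options discussed above). Returns 1 if neither works.
resolve_sca_home() {
  if [ -n "${FORTIFY_SCA_HOME:-}" ] && [ -x "${FORTIFY_SCA_HOME}/bin/sourceanalyzer" ]; then
    printf '%s\n' "$FORTIFY_SCA_HOME"
    return 0
  fi
  local sa
  sa=$(command -v sourceanalyzer 2>/dev/null) || return 1
  # <root>/bin/sourceanalyzer -> <root>
  printf '%s\n' "$(cd "$(dirname "$sa")/.." && pwd)"
}

# Refuse an installer staged from the internal download server unless its
# SHA-256 matches the pinned value, so a swapped or tampered bundle never runs.
verify_installer() {
  local file="$1" expected="$2" actual
  actual=$(sha256sum "$file" | awk '{print $1}')
  [ "$actual" = "$expected" ]
}

# Write the license secret to <root>/fortify.license with owner-only permissions.
# The secret is never echoed; an empty secret is treated as a misconfiguration.
install_license() {
  local root="$1" secret="${2:-}"
  [ -n "$secret" ] || { echo "FORTIFY_LICENSE is empty" >&2; return 1; }
  ( umask 077 && printf '%s\n' "$secret" > "$root/fortify.license" )
  chmod 600 "$root/fortify.license"
}

# Step body, only when invoked as "script.sh run" so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
  if [ -n "${FORTIFY_SCA_INSTALLER:-}" ]; then
    verify_installer "$FORTIFY_SCA_INSTALLER" "${FORTIFY_SCA_SHA256:-}" \
      || { echo "installer checksum mismatch" >&2; exit 1; }
  fi
  SCA_HOME=$(resolve_sca_home) || { echo "Fortify SCA not found on runner" >&2; exit 1; }
  install_license "$SCA_HOME" "${FORTIFY_LICENSE:-}"
  "$SCA_HOME/bin/sourceanalyzer" -version   # fails fast on a broken or incompatible install
fi
```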