fortify / github-action

Fortify GitHub Actions

Support for build failure criteria for FoD SAST and open source scans #34

Open fortifysoftware opened 3 months ago

fortifysoftware commented 3 months ago

There currently doesn't seem to be a way to specify build failure criteria for FoD SAST and open source scans. (For instance, fail the build if any critical SAST or OSS issues are detected.) Are there any plans to add this feature any time soon?

Related to this, I've noticed that the endpoint GET /api/v3/releases/{releaseId}, on which fcli fod rel get {releaseId} relies, lacks open source issue counts. However, they can easily be deduced with some simple arithmetic. For example:

ossCritical = critical - staticCritical - dynamicCritical - mobileCritical

rsenden commented 3 months ago

@fortifysoftware, there are several internal discussions (not necessarily related to fcli/GitHub Action) regarding the ability to break the build or avoid pull requests from being merged based on certain criteria. Even though this seems like a simple question, there are many aspects to be considered to properly implement something like this. I'll share some details on this by email.

As for the open source issue counts, we shouldn't be doing such calculations on the client side; maybe FoD introduces yet another scan type in the future, causing such calculations to show inaccurate numbers. Please submit an FoD enhancement request to get OSS issue counts added in REST responses.

rsenden commented 1 month ago

@fortifysoftware We've recently introduced 'fcli actions', which allow for running customizable operations. One of the use cases is to provide a customizable check-policy action that allows for configuring certain pass/fail criteria, returning a non-zero exit code if the output of any of the checks is 'fail'. We plan on adding support for this in the GitHub Action; the current idea is to provide something like a CHECK_POLICY_ACTION environment variable (which might point to a local file or URL). If defined, the GitHub Action would run fcli fod/ssc action run ${CHECK_POLICY_ACTION} once scan results have been published to FoD/SSC. If any of the checks fail, the non-zero exit code would fail the build (maybe we should have an additional input to specify whether the non-zero exit code would cause a failure or just a build warning).
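As an added illustration of the mechanism sketched in the comment above (this is not code from the fortify/github-action project and does not reflect a shipped feature), the following POSIX shell wrapper runs a check-policy command and maps its exit code either to a failed step or to a GitHub Actions warning annotation. The CHECK_POLICY_ACTION variable and the fcli fod action run command are taken from the comment; the FAIL_ON_POLICY_VIOLATION input name and the ::warning::/::error:: annotation output are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the fortify/github-action project.
# Runs a check-policy command and decides whether a non-zero exit code
# should fail the job ("fail" mode) or only emit a warning ("warn" mode).
# Assumptions: CHECK_POLICY_ACTION names the action to run (as proposed in
# the thread); FAIL_ON_POLICY_VIOLATION is a hypothetical input name.

# run_policy_check MODE CMD...
#   MODE is "fail" or "warn"; CMD... is the policy command to execute.
#   In "fail" mode the command's exit code is returned unchanged, so a
#   policy violation fails the step. In "warn" mode a ::warning:: annotation
#   is printed and 0 is returned, so the job continues.
run_policy_check() {
  pc_mode="$1"; shift
  pc_rc=0
  # The "|| pc_rc=$?" form keeps the function safe under "set -e".
  "$@" || pc_rc=$?
  if [ "$pc_rc" -ne 0 ]; then
    if [ "$pc_mode" = "warn" ]; then
      echo "::warning::Policy check failed with exit code $pc_rc (not failing the build)"
      return 0
    fi
    echo "::error::Policy check failed with exit code $pc_rc"
    return "$pc_rc"
  fi
  echo "Policy check passed"
  return 0
}

# Entry point for a workflow step: only act when CHECK_POLICY_ACTION is set,
# mirroring the "if defined, run the action" behaviour described above.
if [ -n "${CHECK_POLICY_ACTION:-}" ]; then
  mode="fail"
  # Hypothetical input: set FAIL_ON_POLICY_VIOLATION=false to downgrade to a warning.
  [ "${FAIL_ON_POLICY_VIOLATION:-true}" = "false" ] && mode="warn"
  run_policy_check "$mode" fcli fod action run "$CHECK_POLICY_ACTION"
fi
```

In a workflow, the step would export CHECK_POLICY_ACTION (a local file or URL) and optionally FAIL_ON_POLICY_VIOLATION=false; because the wrapper propagates the original exit code in "fail" mode, the step's failure reason remains visible in the job log, while in "warn" mode the annotation still surfaces the violation on the run summary without blocking the merge.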