Closed crance closed 2 months ago
Hi,
The fortify/github-action/setup action automatically supports all tool versions listed in our default tool definitions, which get automatically updated on a daily basis (with some manual work needed for ScanCentral Client; latest supported version is 24.2.0, which I believe is the latest version). There's no need to use custom tool definitions unless you want the setup action to download the various tools from some internal artifact repository (useful for GitHub Enterprise installations where actions are not allowed to download software from public internet sites).
The workflow-style actions like fortify/github-action/fod-sast-scan or fortify/github-action/sc-sast-scan use fixed tool versions (as defined in constants.ts) to prevent these actions from breaking if new tool versions introduce any breaking changes. You currently can't override these (might be good to support overrides though); we need to release a new version of those actions to upgrade the underlying tool versions.
I'm working on updating our GitHub Actions to introduce some new features, and also update underlying tool versions; I hope to have this available in the next 1-2 months but can't give any guarantee.
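As an added illustration of the distinction above (not code from this thread or from the fortify/github-action project): a workflow that pins tool versions through the setup action and runs packaging itself, rather than relying on the fixed versions inside sc-sast-scan. The input names fcli, sc-client and export-path, the assumption that the tools land on PATH as fcli and scancentral, and the fcli version number are assumptions to check against the setup action's README and the current tool definitions.

```yaml
name: Fortify SAST with pinned tool versions
on: [push]

jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # The setup action resolves versions from the daily-updated tool
      # definitions, so any listed version can be pinned here without a
      # custom tool-definitions zip. Input names assumed from the README.
      - name: Install Fortify tools
        uses: fortify/github-action/setup@v1   # pin to a commit SHA for reproducibility
        with:
          fcli: 2.5.0            # hypothetical; use a version listed in the tool definitions
          sc-client: 24.2.0      # latest supported ScanCentral Client per the answer above
          export-path: true      # assumed: puts fcli and scancentral on PATH

      # Fail fast if the installed tools are not the versions we pinned,
      # so a silent change in the install path cannot go unnoticed.
      - name: Verify pinned tool versions
        run: |
          scancentral --version | grep -F "24.2.0"
          fcli --version | grep -F "2.5.0"

      # Package with the pinned client instead of the version baked into
      # the sc-sast-scan workflow action (23.2.1 at the time of this thread).
      - name: Package sources
        run: scancentral package -bt none -o package.zip

      # Scan submission is done with the pinned fcli; only the package-file
      # option is shown, remaining options follow the fcli documentation.
      - name: Submit to ScanCentral SAST
        env:
          SSC_TOKEN: ${{ secrets.SSC_TOKEN }}   # never hard-code credentials
        run: fcli sc-sast scan start --package-file package.zip
```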
Thanks @rsenden for the clarification. Looking forward to the updates.
Question
In sc-sast-scan and fod-sast-scan, tools (e.g. sc-client) used in the package action are using version 23.2.1 instead of the latest version.
https://github.com/fortify/github-action/blob/6375519eb64590a413c417f4860be2f0d558197f/package/action.yml#L7-L10
https://github.com/fortify/github-action/blob/6375519eb64590a413c417f4860be2f0d558197f/setup/src/constants.ts#L20-L22
Can we override the sc-client version when using the sc-sast-scan and fod-sast-scan actions, without hosting a separate tool definition zip? I would also like to know how to override the versions of other tools, especially fcli.
Thanks