Dear stackoverflow users and DevSecOps'ers,
I came across Fortify: How to get issue(vulnarability) list under a project using fortify rest api while searching for a solution to my problem, but it doesn't help and addresses a different aspect.
Desire: I want to query the Fortify API (or CLI) automatically in my development pipeline after each scan is performed, to get the list of issues (vulnerabilities) and fail builds if any issue is found.
Problem: The Fortify API accepts a token that expires in, let's say, 24h. In order to generate a token I need user credentials. It's fine to log in manually and generate the token if I want to query the API from Postman or a console... but I want to have each code change scanned, hooked into my CI/CD tools, and if something is found, break the build.
- I can't store my user credentials and use them in the pipeline, as it's inappropriate.
- I can't have a service account or anything that is a non-real user log in or access the API
- No option to have a permanent token
What is your advice on how to tackle this?
I just recently had that issue too; what we did is generate a CIToken, which expires in a year. Here is the token type description:
"This multi-use token specification is designed to be used with the Fortify continuous integration plugins that automatically upload an FPR to Software Security Center as part of the build process, and download vulnerability statistics for the application version being built."
Not a permanent token, but better than a 24h-expiration token.
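An added example (not from the question, the answer or Fortify) of the pipeline gate the question asks for: the CIToken from the answer is kept in the CI secret store and reaches the job only as an environment variable, the scan's issues are fetched from SSC and the build exits non-zero on anything High or above. The `FortifyToken` auth header, the `/api/v1/projectVersions/{id}/issues` endpoint and the `friority` severity field are assumptions about the SSC REST API, and the sample response is constructed.

```python
"""Build gate for a Fortify SSC scan using a stored CIToken (example, not SSC code)."""
import json
import os
import sys
import urllib.request

# Severity ranking for SSC's "friority" (Fortify priority) field, assumed here.
SEVERITY_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Constructed sample shaped like an SSC issue listing, used when no SSC is configured.
SAMPLE_RESPONSE = {"count": 3, "data": [
    {"issueName": "SQL Injection", "friority": "Critical", "primaryLocation": "Dao.java"},
    {"issueName": "Path Manipulation", "friority": "High", "primaryLocation": "Files.java"},
    {"issueName": "Poor Logging Practice", "friority": "Low", "primaryLocation": "Log.java"},
]}


def blocking_issues(issues, min_severity="High"):
    """Return the issues whose severity is at or above min_severity.
    An issue with a missing or unknown severity is treated as blocking (fail closed)."""
    floor = SEVERITY_ORDER[min_severity]
    return [i for i in issues if SEVERITY_ORDER.get(i.get("friority"), 99) >= floor]


def build_should_fail(response, min_severity="High"):
    """True if the scan result contains at least one blocking issue."""
    return len(blocking_issues(response.get("data", []), min_severity)) > 0


def fetch_issues(base_url, token, version_id):
    """Fetch the first page of issues for an application version (assumed endpoint).
    SSC paginates this listing, so larger scans need start/limit handling."""
    url = f"{base_url.rstrip('/')}/api/v1/projectVersions/{version_id}/issues"
    req = urllib.request.Request(url, headers={
        "Authorization": f"FortifyToken {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # The CIToken never lives in the repo; the CI secret store injects it as an env var.
    token = os.environ.get("FORTIFY_CI_TOKEN")
    base_url = os.environ.get("FORTIFY_SSC_URL")
    version_id = os.environ.get("FORTIFY_VERSION_ID")
    configured = token and base_url and version_id
    result = fetch_issues(base_url, token, version_id) if configured else SAMPLE_RESPONSE
    blocked = blocking_issues(result.get("data", []))
    for issue in blocked:
        print(f"{issue.get('friority')}: {issue.get('issueName')} ({issue.get('primaryLocation')})")
    sys.exit(1 if blocked else 0)
```

Run without the three environment variables it evaluates the constructed sample and exits 1, which is the behaviour a pipeline step needs to break the build.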