fortifyExecuteScan

This step executes a Fortify scan on the specified project to perform static code analysis and check the source code for security flaws.

Description

The Fortify step triggers the scan locally on your Jenkins inside a Docker container, so you have to supply a Docker image that has Fortify SCA installed together with Java plus Maven or Gradle, or alternatively Python, before any scan can be performed.

Scanning MTA projects

Build type maven requires a so-called aggregator pom that includes all modules to be scanned. If it is used in an MTA project that includes non-Java submodules as Maven dependencies (e.g. node via frontend-maven-plugin), exclude those by specifying the Java path explicitly, e.g. java/**/src/main/java/**/*.

Besides triggering a scan, the step verifies the results after they have been uploaded and processed by the Fortify SSC. By default the following KPIs are enforced:
  • All issues must be audited from the Corporate Security Requirements folder.
  • All issues must be audited from the Audit All folder.
  • At least one issue per category must be audited from the Spot Checks of Each Category folder.
  • Nothing needs to be audited from the Optional folder.
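
The verification rules above, together with the spotCheckMinimum, spotCheckMinimumUnit, spotCheckMaximum and considerSuspicious parameters described in the Details section, re-implemented in Python as an added illustration. This is not the step's own Go code: the folder counts are constructed sample data, and the rounding of a percentage minimum and the treatment of exploitable/suspicious issues as gate failures are my assumptions.

```python
import math
from dataclasses import dataclass


@dataclass
class Count:
    """Issue counts for one SSC folder or category (constructed, not an SSC API response)."""
    total: int
    audited: int


@dataclass
class GateConfig:
    """Subset of the step parameters that drive the verification (names follow this page)."""
    must_audit_issue_groups: str = "Corporate Security Requirements, Audit All"
    spot_check_minimum: int = 1
    spot_check_minimum_unit: str = "number"   # "number" or "percentage"
    spot_check_maximum: int = 0               # values below one are ignored
    consider_suspicious: bool = True


def required_spot_checks(total: int, cfg: GateConfig) -> int:
    """Audited issues required for one category in the spot-check folder.

    Assumption: a percentage minimum is rounded up, so any non-zero percentage
    of a non-empty category requires at least one audited issue.
    """
    if cfg.spot_check_minimum_unit == "percentage":
        required = math.ceil(total * cfg.spot_check_minimum / 100)
    else:
        required = cfg.spot_check_minimum
    # spotCheckMaximum caps the requirement only when it is at least one
    if cfg.spot_check_maximum >= 1:
        required = min(required, cfg.spot_check_maximum)
    return min(required, total)  # never require more audits than issues exist


def verify_audit_state(must_audit, spot_categories, suspicious, exploitable, cfg):
    """Return (passed, report).

    must_audit:      {folder name: Count} for the folders in mustAuditIssueGroups
    spot_categories: {category name: Count} inside the spot-check folder
    The report carries the spot-check figures the step exports to influx.
    """
    violations = []
    for name in (g.strip() for g in cfg.must_audit_issue_groups.split(",")):
        c = must_audit.get(name, Count(0, 0))
        if c.audited < c.total:
            violations.append(f"{name}: {c.total - c.audited} of {c.total} issues not audited")

    gap = 0
    for category, c in spot_categories.items():
        need = required_spot_checks(c.total, cfg)
        if c.audited < need:
            gap += need - c.audited
            violations.append(f"spot check {category}: {c.audited} audited, {need} required")

    # assumption: exploitable issues always fail the gate, suspicious ones only
    # when considerSuspicious is set
    if exploitable > 0:
        violations.append(f"{exploitable} issue(s) audited as exploitable")
    if cfg.consider_suspicious and suspicious > 0:
        violations.append(f"{suspicious} issue(s) audited as suspicious")

    report = {
        "spotChecksTotal": sum(c.total for c in spot_categories.values()),
        "spotChecksAudited": sum(c.audited for c in spot_categories.values()),
        "spotChecksGap": gap,
        "suspicious": suspicious,
        "exploitable": exploitable,
        "violations": violations,
    }
    return not violations, report


# Constructed sample: one Audit All issue is still open and the XSS category has
# not been spot-checked at all, so the default gate must fail.
SAMPLE_MUST_AUDIT = {
    "Corporate Security Requirements": Count(total=10, audited=10),
    "Audit All": Count(total=4, audited=3),
}
SAMPLE_SPOT = {
    "SQL Injection": Count(total=5, audited=1),
    "Cross-Site Scripting": Count(total=20, audited=0),
}

if __name__ == "__main__":
    passed, report = verify_audit_state(SAMPLE_MUST_AUDIT, SAMPLE_SPOT,
                                        suspicious=0, exploitable=0, cfg=GateConfig())
    print("passed" if passed else "failed", report)
```

With the defaults the sample fails on two counts (the open Audit All issue and the untouched XSS category). Switching spotCheckMinimumUnit to percentage with spotCheckMinimum 10 raises the XSS requirement to 2 audits, and a spotCheckMaximum of 1 caps it back to 1, which is the interplay the spotCheckMaximum description refers to.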

Usage

We recommend defining the values of step parameters in the .pipeline/config.yml file.
In that case, calling the step is essentially reduced to stating the step name.
The step can be called either in an orchestrator-specific way (e.g. via a Jenkins library step) or on the command line.

library('piper-lib-os')

fortifyExecuteScan script: this
piper fortifyExecuteScan

Outputs

Output type Details
influx
  • measurement step_data
    • fortify
  • measurement fortify_data
    • projectID
    • projectName
    • projectVersion
    • projectVersionId
    • violations
    • corporateTotal
    • corporateAudited
    • auditAllTotal
    • auditAllAudited
    • spotChecksTotal
    • spotChecksAudited
    • spotChecksGap
    • suspicious
    • exploitable
    • suppressed

Parameters

Overview - Step

Name Mandatory Additional information
authToken (yes) Vault Secret pass via ENV, Vault or Jenkins credentials (fortifyCredentialsId)
script (yes) Jenkins only reference to Jenkins main pipeline script
serverUrl yes
additionalMvnParameters no
additionalScanParameters no
apiEndpoint no
artifactUrl no
assignees no
autoCreate no
autodetectClasspath no
buildDescriptorExcludeList no
buildDescriptorFile no
buildTool no
commitId no
commitMessage no
considerSuspicious no
convertToSarif no
createResultIssue no
customScanVersion no
deltaMinutes no
exclude no
filterSetTitle no
fprDownloadEndpoint no
fprUploadEndpoint no
githubApiUrl no
githubToken no Vault Secret pass via ENV, Vault or Jenkins credentials (githubTokenCredentialsId)
globalSettingsFile no
installArtifacts no
m2Path no
memory no
modulePath no
mustAuditIssueGroups no
owner no
pollingMinutes no
projectName no
projectSettingsFile no
proxy no
pullRequestMessageRegex no
pullRequestMessageRegexGroup no
pullRequestName no
pythonAdditionalPath no deprecated
pythonInstallCommand no
pythonRequirementsFile no
pythonRequirementsInstallSuffix no
pythonVersion no
quickScan no
reportDownloadEndpoint no
reportTemplateId no
reportType no
reporting no
repository no
spotAuditIssueGroups no
spotCheckMaximum no
spotCheckMinimum no
spotCheckMinimumUnit no
src no
translate no
updateRulePack no
uploadResults no
verbose no activates debug output
verifyOnly no
version no
versioningModel no

Overview - Execution Environment

Orchestrator-specific only

These parameters are relevant for orchestrator usage and not considered when using the command line option.

Name Mandatory Additional information
containerCommand no Jenkins only
containerShell no Jenkins only
dockerEnvVars no
dockerImage no
dockerName no
dockerOptions no
dockerPullImage no
dockerVolumeBind no Jenkins only
dockerWorkspace no Jenkins only
stashContent no Jenkins only

Details

additionalMvnParameters

List of additional maven parameters to be used for Fortify mvn command execution.

Scope Details
Aliases -
Type []string
Mandatory no
Default $PIPER_additionalMvnParameters (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

additionalScanParameters

List of additional scan parameters to be used for Fortify sourceanalyzer command execution.

Scope Details
Aliases -
Type []string
Mandatory no
Default $PIPER_additionalScanParameters (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

apiEndpoint

Fortify SSC endpoint used for uploading the scan results and checking the audit state

Scope Details
Aliases fortifyApiEndpoint
Type string
Mandatory no
Default /api/v1
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

artifactUrl

Path/URL pointing to an additional artifact repository for resolution of additional artifacts during the build

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_artifactUrl (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

assignees

Defines the assignees for the Github Issue created/updated with the results of the scan as a list of login names.

Scope Details
Aliases -
Type []string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

authToken

The FortifyToken to use for authentication

Scope Details
Aliases -
Type string
Mandatory yes
Default $PIPER_authToken (if set)
Secret yes
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references Jenkins credential id:
  id: fortifyCredentialsId

Vault paths:
  • $(vaultPath)/fortify
  • $(vaultBasePath)/$(vaultPipelineName)/fortify
  • $(vaultBasePath)/GROUP-SECRETS/fortify

autoCreate

Whether Fortify project and project version shall be implicitly auto created in case they cannot be found in the backend

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

autodetectClasspath

Whether the classpath is determined automatically via the build tool (i.e. maven or pip) or not at all

Scope Details
Aliases -
Type bool
Mandatory no
Default true
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

buildDescriptorExcludeList

List of build descriptors and therefore modules to exclude from the scan and assessment activities.

Scope Details
Aliases -
Type []string
Mandatory no
Default - unit-tests/pom.xml
- integration-tests/pom.xml
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

buildDescriptorFile

Path to the build descriptor file addressing the module/folder to be scanned.

Scope Details
Aliases -
Type string
Mandatory no
Default buildTool=maven: ./pom.xml
buildTool=pip: ./setup.py
buildTool=gradle: ./build.gradle
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

buildTool

Scan type used for the step, which can be 'maven', 'pip' or 'gradle'

Scope Details
Aliases -
Type string
Mandatory no
Default maven
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

commitId

Set the Git commit ID for identifying artifacts throughout the scan.

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_commitId (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: git/commitId

commitMessage

Set the Git commit message for identifying pull request merges throughout the scan.

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_commitMessage (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: git/commitMessage

considerSuspicious

Whether suspicious issues should trigger the check to fail or not

Scope Details
Aliases -
Type bool
Mandatory no
Default true
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

containerCommand

Jenkins-specific: Used for proper environment setup.

Kubernetes only: Allows specifying the start command for the container created with the dockerImage parameter, overwriting the Piper default (/usr/bin/tail -f /dev/null).

Scope Details
Aliases -
Type string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

containerShell

Jenkins-specific: Used for proper environment setup.

Allows specifying the shell to be executed for the container with containerName.

Scope Details
Aliases -
Type string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

convertToSarif

Convert the proprietary format of Fortify scan results to the open SARIF standard.

Scope Details
Aliases -
Type bool
Mandatory no
Default true
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

createResultIssue

Whether the step creates a GitHub issue containing the scan results in the originating repo. Since optimized pipelines are headless, the creation is implicitly activated for scheduled runs.

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: custom/isOptimizedAndScheduled

customScanVersion

Defines a custom version for the Fortify scan which deviates from the typical versioning pattern using version and versioningModel. It allows setting non-numeric versions as well and supersedes the value of version, which is calculated automatically. The parameter is also used by other scan steps (e.g. Detect, Sonar, WhiteSource) and thus allows a common custom version across scan tools.

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_customScanVersion (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

deltaMinutes

The number of minutes for which an uploaded FPR artifact is considered recent and healthy; if exceeded, an error will be thrown

Scope Details
Aliases -
Type int
Mandatory no
Default 5
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerEnvVars

Jenkins-specific: Used for proper environment setup.

Environment variables to set in the container, e.g. [http_proxy: "proxy:8080"].

Scope Details
Aliases -
Type map[string]string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerImage

Jenkins-specific: Used for proper environment setup.

Name of the docker image that should be used. If empty, Docker is not used and the command is executed directly on the Jenkins system.

Scope Details
Aliases -
Type string
Mandatory no
Default ``
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerName

Jenkins-specific: Used for proper environment setup.

Kubernetes only: Name of the container launching dockerImage. SideCar only: Name of the container in local network.

Scope Details
Aliases -
Type string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerOptions

Jenkins-specific: Used for proper environment setup.

Docker options to be set when starting the container.

Scope Details
Aliases -
Type []string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerPullImage

Jenkins-specific: Used for proper environment setup.

Set this to 'false' to bypass a docker image pull. Useful during development process. Allows testing of images which are available in the local registry only.

Scope Details
Aliases -
Type bool
Mandatory no
Default true
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerVolumeBind

Jenkins-specific: Used for proper environment setup.

Volumes that should be mounted into the docker container.

Scope Details
Aliases -
Type map[string]string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

dockerWorkspace

Jenkins-specific: Used for proper environment setup.

Kubernetes only: Specifies a dedicated user home directory for the container which will be passed as value for environment variable HOME.

Scope Details
Aliases -
Type string
Mandatory no
Default
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

exclude

A list of directories/files to be excluded from the scan. Wildcards can be used, e.g., '**/Test.java'. If translate is set, this will be ignored. The default value for buildTool: 'maven' is ['**/src/test/**/*'], for buildTool: 'pip' it is ['./**/tests/**/*', './**/setup.py'].

Scope Details
Aliases -
Type []string
Mandatory no
Default $PIPER_exclude (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

filterSetTitle

Title of the filter set to use for analysing the results

Scope Details
Aliases -
Type string
Mandatory no
Default SAP
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

fprDownloadEndpoint

Fortify SSC endpoint for FPR downloads

Scope Details
Aliases fortifyFprDownloadEndpoint
Type string
Mandatory no
Default /download/currentStateFprDownload.html
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

fprUploadEndpoint

Fortify SSC endpoint for FPR uploads

Scope Details
Aliases fortifyFprUploadEndpoint
Type string
Mandatory no
Default /upload/resultFileUpload.html
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

githubApiUrl

Set the GitHub API URL.

Scope Details
Aliases -
Type string
Mandatory no
Default https://api.github.com
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

githubToken

GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line

Scope Details
Aliases access_token
Type string
Mandatory no
Default $PIPER_githubToken (if set)
Secret yes
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references Jenkins credential id:
  id: githubTokenCredentialsId

Vault paths:
  • $(vaultPath)/github
  • $(vaultBasePath)/$(vaultPipelineName)/github
  • $(vaultBasePath)/GROUP-SECRETS/github

globalSettingsFile

Path to the mvn settings file that should be used as global settings file.

Scope Details
Aliases maven/globalSettingsFile
Type string
Mandatory no
Default $PIPER_globalSettingsFile (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

installArtifacts

If enabled, it will install all artifacts to the local maven repository to make them available before running Fortify. This is required if any maven module has dependencies to other modules in the repository and they were not installed before.

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

m2Path

Path to the location of the local repository that should be used.

Scope Details
Aliases maven/m2Path
Type string
Mandatory no
Default $PIPER_m2Path (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

memory

The amount of memory granted to the translate/scan executions

Scope Details
Aliases -
Type string
Mandatory no
Default -Xmx4G -Xms512M
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

modulePath

Allows providing the path for the module to scan

Scope Details
Aliases -
Type string
Mandatory no
Default ./
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

mustAuditIssueGroups

Comma separated list of issue groups that must be audited completely

Scope Details
Aliases -
Type string
Mandatory no
Default Corporate Security Requirements, Audit All
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

owner

Set the GitHub organization.

Scope Details
Aliases githubOrg
Type string
Mandatory no
Default $PIPER_owner (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: github/owner

pollingMinutes

The number of minutes for which an uploaded FPR artifact's status is polled until queuing/processing has finished; if exceeded, polling stops and an error will be thrown

Scope Details
Aliases -
Type int
Mandatory no
Default 30
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

projectName

The project used for reporting results in SSC

Scope Details
Aliases fortifyProjectName
Type string
Mandatory no
Default {{list .GroupID .ArtifactID | join "-" | trimAll "-"}}
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

projectSettingsFile

Path to the mvn settings file that should be used as project settings file.

Scope Details
Aliases maven/projectSettingsFile
Type string
Mandatory no
Default $PIPER_projectSettingsFile (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

proxy

Proxy URL to be used for communication with the Fortify instance.

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_proxy (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

pullRequestMessageRegex

Regex used to identify the PR-XXX reference within the merge commit message

Scope Details
Aliases -
Type string
Mandatory no
Default .*Merge pull request #(\\d+) from.*
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

pullRequestMessageRegexGroup

The group number for extracting the pull request id in 'pullRequestMessageRegex'

Scope Details
Aliases -
Type int
Mandatory no
Default 1
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

pullRequestName

The name of the pull request branch which will trigger creation of a new version in Fortify SSC based on the master branch version

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_pullRequestName (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

pythonAdditionalPath

A list of additional paths which can be used in buildTool: 'pip' for customization purposes

Scope Details
Deprecated this is deprecated
Aliases -
Type []string
Mandatory no
Default - ./lib
- .
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

pythonInstallCommand

Additional install command that can be run when buildTool: 'pip' is used, which allows further customizing the execution environment of the scan

Scope Details
Aliases -
Type string
Mandatory no
Default {{.Pip}} install --user .
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

pythonRequirementsFile

The requirements file used in buildTool: 'pip' to populate the build environment with the necessary dependencies

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_pythonRequirementsFile (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

pythonRequirementsInstallSuffix

The suffix for the command used to install the requirements file in buildTool: 'pip' to populate the build environment with the necessary dependencies

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_pythonRequirementsInstallSuffix (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

pythonVersion

Python version to be used in buildTool: 'pip'

Scope Details
Aliases -
Type string
Mandatory no
Default python3
Possible values - python3
- python2
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

quickScan

Whether a quick scan should be performed; please consult the related Fortify documentation on JAM for the impact of this setting

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

reportDownloadEndpoint

Fortify SSC endpoint for Report downloads

Scope Details
Aliases fortifyReportDownloadEndpoint
Type string
Mandatory no
Default /transfer/reportDownload.html
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

reportTemplateId

Report template ID to be used for generating the Fortify report

Scope Details
Aliases -
Type int
Mandatory no
Default 18
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

reportType

The type of report to be generated

Scope Details
Aliases -
Type string
Mandatory no
Default PDF
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

reporting

Influences whether a report is generated or not

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

repository

Set the GitHub repository.

Scope Details
Aliases githubRepo
Type string
Mandatory no
Default $PIPER_repository (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: github/repository

script

Jenkins-specific: Used for proper environment setup.

The common script environment of the running Jenkinsfile. Typically the reference to the script calling the pipeline step is provided with this parameter, as in script: this. This allows the function to access the commonPipelineEnvironment for retrieving, e.g., configuration parameters.

Scope Details
Aliases -
Type Jenkins Script
Mandatory yes
Default
Secret no
Configuration scope
  • ☐ parameter
  • ☐ general
  • ☐ steps
  • ☐ stages
Resource references none

serverUrl

Fortify SSC Url to be used for accessing the APIs

Scope Details
Aliases - fortifyServerUrl
- sscUrl (deprecated)
Type string
Mandatory yes
Default $PIPER_serverUrl (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

spotAuditIssueGroups

Comma separated list of issue groups that are spot checked and for which spotCheckMinimum audited issues are enforced

Scope Details
Aliases -
Type string
Mandatory no
Default Spot Checks of Each Category
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

spotCheckMaximum

The maximum number of issues that must be audited per category in the Spot Checks of Each Category folder to avoid an error being thrown. Note that this flag depends on the result of spotCheckMinimum: if the value derived from spotCheckMinimum (e.g. from a percentage) exceeds spotCheckMaximum, then spotCheckMaximum is applied, otherwise spotCheckMinimum is applied. If the value is less than one, this flag is ignored.

Scope Details
Aliases -
Type int
Mandatory no
Default 0
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

spotCheckMinimum

The minimum number/percentage of issues that must be audited per category in the Spot Checks of each Category folder to avoid an error being thrown

Scope Details
Aliases -
Type int
Mandatory no
Default 1
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

spotCheckMinimumUnit

The unit for the spotCheckMinimum to apply.

Scope Details
Aliases -
Type string
Mandatory no
Default number
Possible values - number
- percentage
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

src

A list of source directories to scan. Wildcards can be used, e.g., 'src/main/java/**/*'. If 'translate' is set, this will be ignored. The default value for buildTool: 'maven' is ['**/*.xml', '**/*.html', '**/*.jsp', '**/*.js', '**/src/main/resources/**/*', '**/src/main/java/**/*', '**/src/gen/java/cds/**/*', '**/target/main/java/**/*', '**/target/main/resources/**/*', '**/target/generated-sources/**/*'], for buildTool: 'pip' it is ['./**/*'].

Scope Details
Aliases -
Type []string
Mandatory no
Default $PIPER_src (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

stashContent

Jenkins-specific: Used for proper environment setup.

Specific stashes that should be considered for the step execution.

Scope Details
Aliases -
Type []string
Mandatory no
Default - buildDescriptor
- deployDescriptor
- tests
- opensourceConfiguration
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

translate

Options for the translate phase of Fortify. Most likely you do not need to set this parameter; see src and exclude. If 'src' and 'exclude' are set, they are used automatically. Technical details: it has to be a JSON string containing a list of maps with the required key 'src' and the optional keys 'exclude', 'libDirs', 'aspnetcore', and 'dotNetCoreVersion'.

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_translate (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none
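
A validator for the translate value in the shape this page describes (a JSON string holding a list of maps with the required key 'src' and the optional keys 'exclude', 'libDirs', 'aspnetcore' and 'dotNetCoreVersion'), written in Python as an added example rather than taken from the project. It also applies the precedence stated above: an explicit translate wins and src/exclude are ignored; otherwise src and exclude, or the buildTool defaults quoted on this page for maven and pip, form a single translate entry. The function names and the list-of-strings type checks are my assumptions; the page gives no src/exclude defaults for gradle, so none are supplied.

```python
import json

REQUIRED_KEYS = {"src"}
OPTIONAL_KEYS = {"exclude", "libDirs", "aspnetcore", "dotNetCoreVersion"}

# Defaults quoted on this page for the src and exclude parameters; the page
# states none for gradle, so none is supplied here.
DEFAULT_SRC = {
    "maven": ["**/*.xml", "**/*.html", "**/*.jsp", "**/*.js",
              "**/src/main/resources/**/*", "**/src/main/java/**/*",
              "**/src/gen/java/cds/**/*", "**/target/main/java/**/*",
              "**/target/main/resources/**/*", "**/target/generated-sources/**/*"],
    "pip": ["./**/*"],
}
DEFAULT_EXCLUDE = {
    "maven": ["**/src/test/**/*"],
    "pip": ["./**/tests/**/*", "./**/setup.py"],
}


def parse_translate(translate_json: str) -> list:
    """Parse a translate string and reject anything outside the documented shape.

    Raises ValueError naming the offending entry, so a misconfiguration is
    caught before sourceanalyzer is ever invoked.
    """
    try:
        entries = json.loads(translate_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"translate is not valid JSON: {exc}") from None
    if not isinstance(entries, list) or not entries:
        raise ValueError("translate must be a non-empty JSON list of maps")
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            raise ValueError(f"translate[{i}] is not a map")
        missing = REQUIRED_KEYS - entry.keys()
        if missing:
            raise ValueError(f"translate[{i}] lacks required key(s) {sorted(missing)}")
        unknown = entry.keys() - REQUIRED_KEYS - OPTIONAL_KEYS
        if unknown:
            raise ValueError(f"translate[{i}] has unsupported key(s) {sorted(unknown)}")
        # assumption: the path-carrying keys are lists of glob strings
        for key in ("src", "exclude", "libDirs"):
            value = entry.get(key)
            if value is not None and not (isinstance(value, list)
                                          and all(isinstance(p, str) for p in value)):
                raise ValueError(f"translate[{i}].{key} must be a list of strings")
    return entries


def is_valid_translate(translate_json: str) -> bool:
    """Boolean form of parse_translate for quick checks."""
    try:
        parse_translate(translate_json)
        return True
    except ValueError:
        return False


def effective_translate(build_tool, translate=None, src=None, exclude=None):
    """Resolve what the translate phase will use, with the precedence this page
    states: an explicit translate wins and src/exclude are ignored; otherwise src
    and exclude (or the buildTool defaults) become a single translate entry."""
    if translate:
        return parse_translate(translate)
    if build_tool not in DEFAULT_SRC:
        raise ValueError(f"no documented src/exclude defaults for buildTool {build_tool!r}")
    return [{"src": src or DEFAULT_SRC[build_tool],
             "exclude": exclude or DEFAULT_EXCLUDE[build_tool]}]


if __name__ == "__main__":
    # constructed MTA-style configuration that restricts the scan to the Java module
    print(effective_translate("maven", src=["java/**/src/main/java/**/*"]))
    # key names are case-sensitive: 'libdirs' is rejected, 'libDirs' is accepted
    print(is_valid_translate('[{"src": ["src/**/*"], "libdirs": ["lib"]}]'))
```

Rejecting unknown keys matters more than it looks: a misspelled 'exclude' would silently widen the scan to test code and generated sources, and a misspelled 'src' would make the translate phase cover nothing, so the validator fails loudly on both.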

updateRulePack

Whether the rule pack shall be updated and pulled from Fortify SSC before scanning or not

Scope Details
Aliases -
Type bool
Mandatory no
Default true
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

uploadResults

Whether results shall be uploaded or not

Scope Details
Aliases -
Type bool
Mandatory no
Default true
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

verbose

verbose output

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

verifyOnly

Whether the step shall only apply verification checks or whether it does a full scan and check cycle

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values - true
- false
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

version

Version used in conjunction with versioningModel to identify the Fortify project to be created and used for results aggregation. This is usually determined automatically based on the information in the buildTool specific build descriptor file.

Scope Details
Aliases fortifyProjectVersion (deprecated)
Type string
Mandatory no
Default $PIPER_version (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: artifactVersion

versioningModel

The default project versioning model used for creating the version, based on the build descriptor version, under which results are reported in SSC; can be one of 'major', 'major-minor', 'semantic', 'full'

Scope Details
Aliases defaultVersioningModel (deprecated)
Type string
Mandatory no
Default major
Possible values - major
- major-minor
- semantic
- full
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none
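
An added Python illustration (not the project's code) of the settings that determine where a scan's results land in SSC: how version and versioningModel reduce the build descriptor version to the SSC version name, how customScanVersion supersedes that value, and how pullRequestMessageRegex and pullRequestMessageRegexGroup extract the PR number from a merge commit message. The way each model truncates the version, the handling of '-'/'+' suffixes and the dict returned by scan_identity are my assumptions; the regex is the page's default written as a Python raw string.

```python
import re
from typing import Optional

# Page default for pullRequestMessageRegex, as a Python raw string
DEFAULT_PR_REGEX = r".*Merge pull request #(\d+) from.*"
DEFAULT_PR_GROUP = 1


def apply_versioning_model(model: str, version: str) -> str:
    """Reduce a build descriptor version such as '1.4.2-20240101' to the SSC version name.

    Assumptions: a pre-release or build suffix starts at the first '-' or '+',
    and 'semantic' pads a missing minor/patch component with 0.
    """
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = core.split(".")
    if model == "major":
        return parts[0]
    if model == "major-minor":
        return ".".join((parts + ["0"])[:2])
    if model == "semantic":
        return ".".join((parts + ["0", "0"])[:3])
    if model == "full":
        return version
    raise ValueError(f"unknown versioningModel {model!r}")


def pull_request_id(commit_message: str, regex: str = DEFAULT_PR_REGEX,
                    group: int = DEFAULT_PR_GROUP) -> Optional[str]:
    """Extract the PR number from a merge commit message.

    Returns None when the message is not a PR merge (e.g. a squash merge whose
    subject only carries '(#42)') or when the configured group does not exist.
    """
    match = re.compile(regex, re.DOTALL).match(commit_message)
    if not match or group < 1 or group > len(match.groups()):
        return None
    return match.group(group)


def scan_identity(version: str, model: str, commit_message: str = "",
                  custom_scan_version: Optional[str] = None) -> dict:
    """customScanVersion supersedes the computed version; a detected PR merge is
    reported separately, since the step then creates a PR-specific SSC version
    derived from the base version (the dict shape here is an assumption)."""
    computed = custom_scan_version or apply_versioning_model(model, version)
    pr = pull_request_id(commit_message) if commit_message else None
    return {"version": computed, "pullRequest": pr}


if __name__ == "__main__":
    # constructed merge commit message in the form GitHub writes for a merge-button merge
    msg = "Merge pull request #1234 from example-org/feature-x\n\nAdd input validation"
    print(scan_identity("1.4.2-20240101", "major-minor", msg))
```

With the default 'major' model every 1.x.y build reports into the same SSC version, which is what lets audit decisions carry over between builds; 'full' would create a fresh version per build and lose that history.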

fortifyCredentialsId

Jenkins-specific: Used for proper environment setup. See using credentials for details.

Jenkins 'Secret text' credentials ID containing token to authenticate to Fortify SSC.

Scope Details
Aliases -
Type string
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages

githubTokenCredentialsId

Jenkins-specific: Used for proper environment setup. See using credentials for details.

Jenkins 'Secret text' credentials ID containing token to authenticate to GitHub.

Scope Details
Aliases -
Type string
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages