{"id":30704142,"url":"https://github.com/fortify/github-action","last_synced_at":"2026-02-24T13:04:24.379Z","repository":{"id":196153380,"uuid":"694614049","full_name":"fortify/github-action","owner":"fortify","description":"Fortify GitHub Actions","archived":false,"fork":false,"pushed_at":"2026-02-23T15:12:21.000Z","size":5053,"stargazers_count":19,"open_issues_count":16,"forks_count":13,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-02-23T23:19:38.395Z","etag":null,"topics":["fortify","fortify-integration","fortify-on-demand","fortify-sc-sast","github-actions","security"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fortify.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-09-21T10:53:50.000Z","updated_at":"2026-01-24T04:17:30.000Z","dependencies_parsed_at":"2023-09-25T10:37:24.491Z","dependency_job_id":"2d9f5163-8c7a-4226-8932-b0c35dfe6f35","html_url":"https://github.com/fortify/github-action","commit_stats":null,"previous_names":["fortify-ps/github-action","fortify/github-action"],"tags_count":37,"template":false,"template_full_name":null,"purl":"pkg:github/fortify/github-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fortify%2Fgithub-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fortify%2Fgithub-action/tags","releases_url":"h
ttps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fortify%2Fgithub-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fortify%2Fgithub-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fortify","download_url":"https://codeload.github.com/fortify/github-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fortify%2Fgithub-action/sbom","scorecard":{"id":407464,"data":{"date":"2025-08-11","repo":{"name":"github.com/fortify/github-action","commit":"84dd815b4834cd63f93b75542efba9fb244d4cdd"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.2,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/13 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":8,"reason":"10 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: topLevel 
'contents' permission set to 'write': .github/workflows/publish.yml:5","Warn: no topLevel permission defined: .github/workflows/update-repo-docs.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/fortify/github-action/publish.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:36: update your workflow using 
https://app.stepsecurity.io/secureworkflow/fortify/github-action/publish.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/fortify/github-action/publish.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/fortify/github-action/publish.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/fortify/github-action/publish.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-repo-docs.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/fortify/github-action/update-repo-docs.yml/main?enable=pin","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   4 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE.txt:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a 
license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 17 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":6,"reason":"4 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: 
GHSA-952p-6rrq-rcjv"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-18T21:44:33.090Z","repository_id":196153380,"created_at":"2025-08-18T21:44:33.090Z","updated_at":"2025-08-18T21:44:33.090Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29783615,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-24T10:45:18.109Z","status":"ssl_error","status_checked_at":"2026-02-24T10:45:09.911Z","response_time":75,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fortify","fortify-integration","fortify-on-demand","fortify-sc-sast","github-actions","security"],"created_at":"2025-09-02T17:48:54.858Z","updated_at":"2026-02-24T13:04:24.373Z","avatar_url":"https://github.com/fortify.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Fortify GitHub Action \n\n\n\u003c!-- START-INCLUDE:p.marketing-intro.md --\u003e\n\n[Fortify Application Security](https://www.microfocus.com/en-us/solutions/application-security) provides your team with solutions to empower [DevSecOps](https://www.microfocus.com/en-us/cyberres/use-cases/devsecops) practices, enable [cloud 
transformation](https://www.microfocus.com/en-us/cyberres/use-cases/cloud-transformation), and secure your [software supply chain](https://www.microfocus.com/en-us/cyberres/use-cases/securing-the-software-supply-chain). As the sole Code Security solution with over two decades of expertise and acknowledged as a market leader by all major analysts, Fortify delivers the most adaptable, precise, and scalable AppSec platform available, supporting the breadth of tech you use and integrated into your preferred toolchain. We firmly believe that your great code [demands great security](https://www.microfocus.com/cyberres/application-security/developer-security), and with Fortify, go beyond 'check the box' security to achieve that.\n\n\u003c!-- END-INCLUDE:p.marketing-intro.md --\u003e\n\n\n\n\u003c!-- START-INCLUDE:repo-intro.md --\u003e\n\nThe `fortify/github-action` GitHub Action allows for easy integration of OpenText Fortify Application Security Testing (AST) into your GitHub Actions workflows by bootstrapping the latest [fcli v3 release](https://github.com/fortify/fcli/releases/v3) using the [`@fortify/setup` NPM component](https://www.npmjs.com/package/@fortify/setup), and then running the `fcli action run ci` command. \n\nAs such, this GitHub Action automatically benefits from new features and bug fixes as they are introduced in fcli, although you can pin a fixed fcli version through the `FCLI_BOOTSTRAP_VERSION` environment variable (shown in the examples below) if you need more stability. At the time of writing, the fcli `ci` action provides out-of-the-box support for Static Application Security Testing (SAST) and Software Composition Analysis (SCA); support for Dynamic or Mobile Application Security Testing (DAST \u0026 MAST) may be added in the future.\n\nApart from the top-level `fortify/github-action` for running the fcli-based `ci` workflow, this repository also provides the `fortify/github-action/setup` GitHub Action. 
This action allows for setting up fcli and other Fortify tools like ScanCentral Client for use in a custom GitHub Actions workflow, for example for implementing a fully customized AST scan workflow or some other automation workflow that needs to interact with Fortify products.\n\n\n\u003c!-- START-INCLUDE:repo-usage-text.md --\u003e\n\n### Quick Start\n\n#### OpenText Core Application Security (Fortify on Demand)\n\n```yaml\nname: Fortify on Demand Scan\non:\n  push:\n    branches: [main]\n  pull_request:\n    branches: [main]\n\njobs:\n  fortify:\n    runs-on: ubuntu-latest\n    # permissions:               # When overriding default permissions, following are required:\n    #   contents: read           # Required for checkout action\n    #   security-events: write   # Required for publishing security reports to GitHub Security tab\n    #   pull-requests: write     # Required if DO_PR_COMMENT is set to true\n    steps:\n      - uses: actions/checkout@v4            # Check out source code\n      - uses: actions/setup-\u003cbuild-tool\u003e@vX  # Set up build tool(s) required to build your project\n      - uses: fortify/github-action@v3       # Run Fortify scans\n        env:\n          FOD_URL: ${{ vars.FOD_URL }}\n          FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }}\n          FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }}\n          # FOD_RELEASE: MyApp:main        # Optional: defaults to repo:branch\n          # FCLI_BOOTSTRAP_VERSION: v3.15  # Optional if you prefer stability over latest\n```\n\n#### OpenText Application Security (Fortify Software Security Center)\n\n```yaml\nname: Fortify SSC Scan\non:\n  push:\n    branches: [main]\n  pull_request:\n    branches: [main]\n\njobs:\n  fortify:\n    runs-on: ubuntu-latest\n    # permissions:               # When overriding default permissions, following are required:\n    #   contents: read           # Required for checkout action\n    #   security-events: write   # Required for publishing security reports 
to GitHub Security tab\n    #   pull-requests: write     # Required if DO_PR_COMMENT is set to true\n    steps:\n      - uses: actions/checkout@v4            # Check out source code\n      - uses: actions/setup-\u003cbuild-tool\u003e@vX  # Set up build tool(s) required to build your project\n      - uses: fortify/github-action@v3       # Run Fortify scans\n        env:\n          SSC_URL: ${{ vars.SSC_URL }}\n          SSC_TOKEN: ${{ secrets.SSC_TOKEN }}\n          SC_SAST_TOKEN: ${{ secrets.SC_SAST_TOKEN }}\n          # SSC_APPVERSION: MyApp:main  # Optional: defaults to repo:branch\n```\n\n#### Custom workflow\n\n```yaml\nname: Custom Fortify Workflow\non: [push]\n\njobs:\n  custom-scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: fortify/github-action/setup@v3\n        with:\n          fcli: bootstrapped               # Set up bootstrapped fcli version. May also specify specific version, but\n                                           # then fcli may be downloaded twice (bootstrap version and requested version).\n        env:\n          FCLI_BOOTSTRAP_VERSION: v3.15.0  # Defaults to latest v3.x.y, pin to specific version for stability\n      - name: Run custom fcli commands\n        run: |\n          fcli fod session login ...\n          # Your custom workflow here\n          fcli fod session logout ...\n```\n\n### Detailed Documentation\n\nGiven that these GitHub Actions are just thin wrappers around `@fortify/setup` and `fcli`, detailed usage documentation is available on the fcli documentation website:\n\n* [`fortify/github-action` for OpenText Application Security Code (Fortify on Demand)](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/ast-action-fod.html)\n* [`fortify/github-action` for OpenText Software Security Center (Fortify SSC)](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/ast-action-ssc.html)\n* 
[`fortify/github-action/setup`](https://fortify.github.io/fcli/v3/ci/github/v3.0.x/setup-action.html)\n\n\u003c!-- END-INCLUDE:repo-usage-text.md --\u003e\n\n\n\u003c!-- END-INCLUDE:repo-intro.md --\u003e\n\n\n## Resources\n\n\n\u003c!-- START-INCLUDE:repo-resources.md --\u003e\n\n* **Contributing Guidelines**: [CONTRIBUTING.md](CONTRIBUTING.md)\n* **Code of Conduct**: [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)\n* **License**: [LICENSE.txt](LICENSE.txt)\n\n\u003c!-- END-INCLUDE:repo-resources.md --\u003e\n\n\n\n\u003c!-- START-INCLUDE:h2.support.md --\u003e\n\n## Support\n\nFor general assistance, please join the [Fortify Community](https://community.opentext.com/cybersec/fortify/) to get tips and tricks from other users and the OpenText team.\n \nOpenText customers can contact our world-class [support team](https://www.opentext.com/support/opentext-enterprise/) for questions, enhancement requests and bug reports. You can also raise questions and issues through your OpenText Fortify representative, such as your Customer Success Manager or Technical Account Manager, if applicable.\n\nYou may also consider raising questions or issues through the [GitHub Issues page](https://github.com/fortify/github-action/issues) (if available for this repository), providing public visibility and allowing anyone (including all contributors) to review and comment on your question or issue. Note that this requires a GitHub account and, because issues are publicly visible, you should not post any confidential data through this channel. 
\n\n\u003c!-- END-INCLUDE:h2.support.md --\u003e\n\n\n---\n\n*[This document was auto-generated from README.template.md; do not edit by hand](https://github.com/fortify/shared-doc-resources/blob/main/USAGE.md)*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffortify%2Fgithub-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffortify%2Fgithub-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffortify%2Fgithub-action/lists"}