
Administration Guide

VS Code

FortiCNAPP Code Security offers a Visual Studio Code (VS Code) extension for our Software Composition Analysis (SCA), Static Application Security Testing (SAST), and Infrastructure as Code (IaC) tools. This enables you to identify and remediate vulnerabilities in your code before committing changes. See Software Composition Analysis (SCA), Static application security testing (SAST), and Infrastructure-as-Code Security.

You must have an active FortiCNAPP account with Code Security access to use the VS Code Extension. Contact your FortiCNAPP representative for more information.

Installing the VS Code extension

You can install the FortiCNAPP Code Security extension directly from the VS Code Marketplace. To install the extension, use the Extensions tab in VS Code or open the Marketplace in your web browser.

Using either approach, type Lacework Security or the unique identifier lacework-security.lacework-code-security into the search bar. The extension has a verified blue checkmark by its name.

Click on the extension in the search results and then click Install.

Configuring the extension

After the extension is installed, you must configure it by entering your FortiCNAPP account name, access key, and your secret key. Organization administrators can enter their FortiCNAPP subaccount name as well.

Collecting your FortiCNAPP data for configuration

To locate and download your API Secret:
  1. Log in to the console.

  2. Go to Settings > API keys.

  3. Click Service User API keys.

  4. Select or create an API key.

  5. Verify that a service user with Read and Write permissions is assigned to your new or existing API key:

    1. For an existing key: select the API key, click the edit icon, use the toggle and dropdown to select a service user, and click Save.

    2. For a new key: go to Create API key, use the toggle and dropdown to select a service user, and click Save.

  6. Select your desired key. The API KEY pane displays your FortiCNAPP access key.

  7. Click the download icon.

  8. Open the downloaded .json file to view your API Key, API Secret, and account name.

The service user who is assigned the API secret must have Read and Write permissions on Container Registries and Code Security. For more information, see Legacy access control overview.

Configuring the extension using your FortiCNAPP data

To enter your FortiCNAPP data and configure the extension, go to the extension settings. Then copy and paste the values from your downloaded .json file, excluding the quotation marks.

Running a scan

Once you have configured the FortiCNAPP security extension, select from the following scan options:

  • Start a scan

  • Start all scans

  • Start SCA scan

  • Start SAST scan

  • Start IaC scan

Not all of the above options may be available, depending on your environment. Before the scan starts, the system checks whether your FortiCNAPP CLI, IaC, or SCA component needs to be installed or upgraded. If a component can be installed or upgraded, a prompt appears with the next steps.

Results

The extension panel in VS Code displays your scan results. To locate the panel, select the FortiCNAPP security extension in your left sidebar menu.

The panel contains the following menu items:

Vulnerable Packages: A list of files (code bases, code objects, etc.) in which vulnerable packages were found. Select a file for more information. Vulnerable packages are highlighted; hover over one for additional context about the vulnerability.

Code Weaknesses: A list of files (code bases, code objects, etc.) in which code weaknesses were found. Select a file for more information.

Misconfigured IaC Resources: A list of files, each with a count of misconfigured IaC objects. Each file contains a set of child nodes, one per affected IaC resource, and each child node shows a tally of the policies that resource violates.

This information is also available in your VS Code Problems tab. The available options in the left sidebar menu depend on the configuration of your security extension.

Dependencies

In the list of files, you can hover over a file to learn if the vulnerable package is a direct or indirect dependency. This helps you determine how the vulnerable package is being introduced. For example, an indirect dependency can indicate that you may not be using the vulnerable package yourself, but one of your direct dependencies relies on a package that is vulnerable.
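The direct-versus-indirect classification described above, as an added example that is not part of the FortiCNAPP extension: a hand-constructed dependency graph (the kind a lockfile resolves to) is walked from the project root, and each vulnerable package is labelled direct or indirect together with the dependency chains that introduce it. Package names and advisory labels are constructed placeholders.

```python
"""Classify vulnerable packages as direct or indirect dependencies.

Added example, not part of the FortiCNAPP extension. The graph below is
constructed by hand to mirror what a lockfile resolves to.
"""
from collections import deque

# Constructed dependency graph: package -> packages it depends on.
DEPENDENCY_GRAPH = {
    "webapp": ["express", "lodash", "jsonwebtoken"],
    "express": ["body-parser", "qs"],
    "body-parser": ["qs"],
    "jsonwebtoken": ["jws"],
    "lodash": [],
    "qs": [],
    "jws": [],
}

# Constructed SCA findings: package -> advisory label (placeholder ids).
VULNERABLE = {"qs": "PLACEHOLDER-ADVISORY-1", "lodash": "PLACEHOLDER-ADVISORY-2"}


def introduction_paths(graph, root, target):
    """Return every dependency chain from root to target, shortest first."""
    paths = []
    queue = deque([[root]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target and len(path) > 1:
            paths.append(path[1:])  # drop the project root itself
            continue
        for dep in graph.get(node, []):
            if dep not in path:  # guard against dependency cycles
                queue.append(path + [dep])
    return paths


def classify(graph, root, vulnerable):
    """Map each vulnerable package to 'direct' or 'indirect' plus its chains."""
    report = {}
    for pkg in vulnerable:
        chains = introduction_paths(graph, root, pkg)
        if not chains:
            continue  # in the findings but not reachable from this project
        kind = "direct" if any(len(c) == 1 for c in chains) else "indirect"
        report[pkg] = {"kind": kind, "chains": [" > ".join(c) for c in chains]}
    return report


if __name__ == "__main__":
    for pkg, info in classify(DEPENDENCY_GRAPH, "webapp", VULNERABLE).items():
        print(f"{pkg}: {info['kind']} via {info['chains']}")
```

In this constructed graph, qs is indirect (reached only through express), so the fix belongs in the direct dependency that pulls it in, while lodash is direct and can be updated in the project's own manifest.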

Remediation

For each vulnerability found, we provide suggestions for remediation. For example, some vulnerabilities are addressed in a newer release, so we recommend updating to the version that introduced the fix.

Once you have saved your fixed code, you can run another scan to verify that your fixes have remediated the violations.
