Running the Security Scan
You can automate a security scan of your application in a CI/CD pipeline, or run a scan manually against your source code from a terminal using the CLI.
Automated Scanning
You can integrate the scan configuration into your CI/CD tool so that the application scan runs automatically as part of the pipeline. Ensure that the fdevsec.yaml file is checked into the root folder of your source code. See CI/CD Tools.
Manual Scanning
To run a scan manually, add the fdevsec.yaml file to the root folder of the source code, navigate to that folder, and run the following command.
docker run --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest
This command runs a SAST scan (image fdevsec_sast:latest). To run a DAST scan instead, change the image name to fdevsec_dast:latest:
docker run --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_dast:latest
Note:
- The SAST scanner Docker image is bundled with the SCA, Secret, IaC and Container scanners.
- Update the scanner Docker images to the latest version with the docker pull <image> command to use the latest features.
- Ensure that the Java source code is compiled before performing a Java SAST scan.
- The DAST/FortiDAST asset scan configuration details can only be added by logging in to FortiDAST after performing the initial scan.
The following is a sample SAST command together with its console output.
devopsuser@User1:~/Repos/OWASPBenchmark$ docker run --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest
2022/02/03 06:33:57 Loaded scan config for Org ID: d9d3dc20-9372-4188-884f-b18a5c75fe5c
2022/02/03 06:33:57 Languages configured in conf file: [java]
2022/02/03 06:34:02 Scanners configured in conf file: [sast]
2022/02/03 06:34:03 Total enabled scanners: 1
2022/02/03 06:34:03 Running parallel scan as per user config.
Scanning Progress: [##################################################] 100% 1/1
2022/02/03 06:37:25 FortiDevSec SAST scanner done, exiting.
The following is a sample DAST command together with its console output.
devopsuser@Dev:~/Repo/OWASPBenchmark$ docker run --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_dast:latest
2022/02/03 08:37:19 Loaded scan config for Org ID: d9d3dc20-9372-4188-884f-b18a5c75fe5c
2022/02/03 08:37:19 Scanners configured in conf file: [dast]
2022/02/03 08:37:20 Response Status: 202 Accepted
2022/02/03 08:37:20 Total enabled scanners: 0
2022/02/03 08:37:20 No scanners specified.
2022/02/03 08:37:20 FortiDevSec DAST scanner done, exiting.
Downloading the Required Language Scanners
FortiDevSec uses multiple language scanner images to scan your application. Optionally, you can cache these scanner images in a directory on your machine: when you run a scan, the images for the configured or detected languages are downloaded into that directory and reused on later scans, which avoids downloading every scanner image each time FortiDevSec scans your application. Create a directory on your machine and grant the scanner container write access to it. Consider the following example (chmod 777 makes the directory writable by every local user; if you know the UID the scanner container runs as, a chown to that UID is the narrower alternative).
mkdir scan
chmod 777 scan
Run the following command to scan your application and download the scanner images into that directory. Replace <scan> with the name of the directory created earlier (scan in this example).
docker run -ti --rm --mount type=bind,source="$(pwd)",target=/scan --mount type=bind,source="$(pwd)"/<scan>,target=/scanner registry.fortidevsec.forticloud.com/fdevsec_sast:latest
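As an added example, not part of FortiDevSec's own tooling, the following shell wrapper combines the manual scan commands above with the pre-flight checks the Notes call for: it confirms that fdevsec.yaml is present in the folder that will be bind-mounted at /scan, refuses a SAST run when the tree contains Java sources but no compiled .class files (a heuristic assumed here, not a FortiDevSec rule), pulls the latest image first, and optionally mounts a local scanner cache directory at /scanner as described in this section. The function names and the positional argument order are this example's own; the -ti flags from the documented cache command are omitted so the wrapper can run unattended in CI.

```shell
#!/bin/sh
# Added example, not FortiDevSec code: wrapper around the documented
# "docker run" commands with the pre-flight checks listed in the Notes.
set -eu

REGISTRY="registry.fortidevsec.forticloud.com"

# Map a scanner name (sast|dast) to the image reference used in the documented commands.
scanner_image() {
  case "$1" in
    sast) echo "$REGISTRY/fdevsec_sast:latest" ;;
    dast) echo "$REGISTRY/fdevsec_dast:latest" ;;
    *) echo "unknown scanner: $1 (expected sast or dast)" >&2; return 1 ;;
  esac
}

# fdevsec.yaml must sit in the root folder that is bind-mounted at /scan.
check_config() {
  [ -f "$1/fdevsec.yaml" ]
}

# Heuristic (an assumption of this example): if the tree contains .java sources,
# require at least one .class file so a Java SAST scan is not run on uncompiled code.
java_sources_compiled() {
  if find "$1" -name '*.java' | head -n 1 | grep -q .; then
    find "$1" -name '*.class' | head -n 1 | grep -q .
  else
    return 0
  fi
}

# Render the documented command for display. $3 is an optional local scanner
# cache directory that is mounted at /scanner.
build_scan_cmd() {
  local scanner="$1" root="$2" cache="${3:-}" image cmd
  image=$(scanner_image "$scanner") || return 1
  cmd="docker run --rm --mount type=bind,source=\"$root\",target=/scan"
  if [ -n "$cache" ]; then
    cmd="$cmd --mount type=bind,source=\"$cache\",target=/scanner"
  fi
  echo "$cmd $image"
}

# Run the scan: pre-flight checks, pull the latest image (per the Notes), then docker run.
run_scan() {
  local scanner="$1" root="${2:-$PWD}" cache="${3:-}" image
  image=$(scanner_image "$scanner") || return 1
  check_config "$root" || { echo "fdevsec.yaml not found in $root" >&2; return 1; }
  if [ "$scanner" = sast ] && ! java_sources_compiled "$root"; then
    echo "Java sources found but no .class files under $root; compile before a Java SAST scan" >&2
    return 1
  fi
  docker pull "$image"
  echo "+ $(build_scan_cmd "$scanner" "$root" "$cache")"
  if [ -n "$cache" ]; then
    docker run --rm --mount type=bind,source="$root",target=/scan \
      --mount type=bind,source="$cache",target=/scanner "$image"
  else
    docker run --rm --mount type=bind,source="$root",target=/scan "$image"
  fi
}

# Usage: scan.sh sast|dast [repo-root] [scanner-cache-dir]
if [ "$#" -gt 0 ]; then
  run_scan "$@"
fi
```

Typical invocations are `sh scan.sh sast` from the repository root, or `sh scan.sh sast "$PWD" "$PWD/scan"` to reuse the scanner cache directory created above; `sh scan.sh dast` dispatches the DAST scan in the same way.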