Configuring the Scanner (fdevsec.yaml)
Check-in or add the fdevsec.yaml file into the root folder of the application source code.
Note: Do NOT modify the name and format of this file.
FortiDevSec automatically detects your application languages and runs the relevant scans. However, to run DAST scans additional parameters are required in fdevsec.yaml, these are described later on in this section. You can also optionally add advanced settings to fdevsec.yaml file as per your requirements.
The following is a sample fdevsec.yaml file, the contents of this file vary based on different application scanning requirements.
Note: Ensure that proper indentation is maintained while configuring fdevsec.yaml file.
version: v1
id:
org: 6a4d32db-6751-441a-88fe-9b4793717cde
app: aa8a393b-afc6-47d7-84d2-b7011f1d0012# Optional parameters.
scanners:
- sast
- dast
- secret
- sca
- iac
- containerlanguages:
- python
- javascript
dast:
url: <your.url.com>
full_scan: true #true|falseresource:
serial_scan: true #true|falsefail_pipeline:
risk_rating: <1–9>
The following are the mandatory and optional parameters for fdevsec.yaml.
Parameter |
Description |
---|---|
Mandatory parameters |
|
org | A unique ID associated with your organization. |
app | A unique ID that identifies the applications within the organization. |
Optional Parameters |
|
scanners |
This identifies the type of scanner to test the applications. The supported values are sast, dast, sca, secrets, iac, and container. Notes:
|
languages |
Specify the language that you want to scan. The supported values are java, javascript, python, golang, php, ruby, c++, shell, and c. FortiDevSec automatically detects the language if this parameter is not specified. Note: Specifying languages as javascript also scans NodeJS code. |
dast |
Specify these parameters if you intend running a DAST scan on your application.
|
resource |
When |
fail pipeline |
Specify the
|