Configuring the Scanner (fdevsec.yaml)
Check-in or add the fdevsec.yaml file into the root folder of the application source code.
Note: Do NOT modify the name and format of this file.
FortiDevSec automatically detects your application languages and runs the relevant scans. However, to run DAST scans additional parameters are required in fdevsec.yaml, these are described later on in this section. You can also optionally add advanced settings to fdevsec.yaml file as per your requirements.
You can also configure the scanner using command line arguments. See Command Line Arguments. However, you can configure the scanner either by using the fdevsec.yaml file or command-line arguments, but not both simultaneously. |
The following is a sample fdevsec.yaml file, the contents of this file vary based on different application scanning requirements.
Note: Ensure that proper indentation is maintained while configuring fdevsec.yaml file.
version: v1
id:
org: 6a4d32db-6751-441a-88fe-9b4793717cde
app: aa8a393b-afc6-47d7-84d2-b7011f1d0012# Optional parameters.
scanners:
- sast
- dast
- secret
- sca
- iac
- containerlanguages:
- python
- javascriptexclude_path:
- <directory path or name that must be excluded>dast:
url: <your.url.com>
full_scan: true #true|falseresource:
serial_scan: true #true|falsefail_pipeline:
risk_rating: <1–9>
The following are the mandatory and optional parameters for fdevsec.yaml.
Parameter |
Description |
---|---|
Mandatory parameters |
|
org | A unique ID associated with your organization. |
app | A unique ID that identifies the applications within the organization. |
Optional Parameters |
|
scanners |
This identifies the type of scanner to test the applications. The supported values are sast, dast, sca, secrets, iac, and container. Notes:
|
languages |
Specify the language that you want to scan. The supported values are java, javascript, python, golang, php, ruby, c++, shell, c# and c. FortiDevSec automatically detects the language if this parameter is not specified. Notes:
|
exclude_path |
Specify the directory path or name that must be excluded from the scan. Exclude path is supported for Golang and Python languages. |
dast |
Specify these parameters if you intend running a DAST scan on your application.
|
resource |
When |
fail_pipeline |
Specify the
|