Fortinet white logo
Fortinet white logo

Running the Security Scan

Running the Security Scan

You can automate a security scan on your application in a CI/CD environment or run a security scan for your application manually in your source code through the CLI terminal.

Automated Scanning

You can integrate scan configurations into your CI/CD tool and automate the application scan testing for the following. Ensure that fdevsec.yaml file is checked into the root folder of your source code. See CI/CD Tools.

Manual Scanning

To run a scan manually, navigate to the root folder of the source code and add the fdevsec.yaml file and run the following command.

docker run --pull always --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest

In this command a SAST (/fdevsec_sast:latest) scan is run, modify the value to DAST (/fdevsec_dast:latest) if required.

docker run --pull always --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_dast:latest

Notes:

  • Verify DAST configuration in fdevsec.yaml file before perfoming the DAST scan.

  • The SAST scanner docker image is bundled with SCA, Secret, IaC and Container scanners.

  • Scanner docker images must be updated using docker pull <image> command to the latest version to use the latest features.

  • If not configured using GUI plugin, the DAST/FortiDAST asset scan configuration details can only be added by logging in to FortiDAST after performing the initial scan.

  • APP ID and ORG ID must not be modified when scan is in progress.

  • FortiDevSec container scans currently cannot scan private images requiring Docker login.

The following image depicts a sample command for SAST.

devopsuser@User1:~/Repos/OWASPBenchmark$ docker run --pull always --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest
latest: Pulling from fdevsec_sast
Digest: sha256:8419af98214170eb2dfe7dfbdbc99d4b4b51447a14e7f184aac297ff3e47aef1
Status: Image is up to date for registry.fortidevsec.forticloud.com/fdevsec_sast:latest

registry.fortidevsec.forticloud.com/fdevsec_sast:latest
2022/02/03 06:33:57 Loaded scan config for Org ID: d9d3dc20-9372-4188-884fb18a5c75fe5c
2022/02/03 06:33:57 Languages configured in conf file: [java]
2022/02/03 06:34:02 Scanners configured in conf file: [sast]
2022/02/03 06:34:03 Total enabled scanners: 1
2022/02/03 06:34:03 Running parallel scan as per user config.
Scanning Progress: [##################################################] 100% 1/1
2022/02/03 06:37:25 FortiDevSec SAST scanner done, exiting.

The following image depicts a sample command for DAST.

devopsuser@Dev:~/Repo/OWASPBenchmark$ docker run --pull always --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_dast:latest
latest: Pulling from fdevsec_dast
Digest: sha256:8419af98214170eb2rgt3fbdbc99d4b4b51447a14e7f184aac297ff3e47aef1
Status: Image is up to date for registry.fortidevsec.forticloud.com/fdevsec_dast:latest

2022/02/03 08:37:19 Loaded scan config for Org ID: d9d3dc20-9372-4188-884f-b18a5c75fe5c
2022/02/03 08:37:19 Scanners configured in conf file: [dast]
2022/02/03 08:37:20 Response Status: 202 Accepted
2022/02/03 08:37:20 Total enabled scanners: 0
2022/02/03 08:37:20 No scanners specified.
2022/02/03 08:37:20 FortiDevSec DAST scanner done, exiting.

Downloading the Required Language Scanners

FortiDevSec uses multiple language scanner images to scan your application, you can optionally download these scanner image files on your machine based on the configured or detected languages when you run a scan. This reduces the overhead of downloading all scanner images each time FortiDevSec scans your application. Create a directory on your machine and grant full access. Consider the following example.

mkdir scan
chmod 777 scan

Run the following command to scan your application (indicating the directory) and download the scanner images. This example indicates the directory scan created earlier.

docker run --pull always -ti --rm --mount type=bind,source="$(pwd)",target=/scan --mount type=bind,source="$(pwd)"/<scan>,target=/scanner registry.fortidevsec.forticloud.com/fdevsec_sast:latest

Running the Security Scan

Running the Security Scan

You can automate a security scan on your application in a CI/CD environment or run a security scan for your application manually in your source code through the CLI terminal.

Automated Scanning

You can integrate scan configurations into your CI/CD tool and automate the application scan testing for the following. Ensure that fdevsec.yaml file is checked into the root folder of your source code. See CI/CD Tools.

Manual Scanning

To run a scan manually, navigate to the root folder of the source code and add the fdevsec.yaml file and run the following command.

docker run --pull always --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest

In this command a SAST (/fdevsec_sast:latest) scan is run, modify the value to DAST (/fdevsec_dast:latest) if required.

docker run --pull always --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_dast:latest

Notes:

  • Verify DAST configuration in fdevsec.yaml file before perfoming the DAST scan.

  • The SAST scanner docker image is bundled with SCA, Secret, IaC and Container scanners.

  • Scanner docker images must be updated using docker pull <image> command to the latest version to use the latest features.

  • If not configured using GUI plugin, the DAST/FortiDAST asset scan configuration details can only be added by logging in to FortiDAST after performing the initial scan.

  • APP ID and ORG ID must not be modified when scan is in progress.

  • FortiDevSec container scans currently cannot scan private images requiring Docker login.

The following image depicts a sample command for SAST.

devopsuser@User1:~/Repos/OWASPBenchmark$ docker run --pull always --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest
latest: Pulling from fdevsec_sast
Digest: sha256:8419af98214170eb2dfe7dfbdbc99d4b4b51447a14e7f184aac297ff3e47aef1
Status: Image is up to date for registry.fortidevsec.forticloud.com/fdevsec_sast:latest

registry.fortidevsec.forticloud.com/fdevsec_sast:latest
2022/02/03 06:33:57 Loaded scan config for Org ID: d9d3dc20-9372-4188-884fb18a5c75fe5c
2022/02/03 06:33:57 Languages configured in conf file: [java]
2022/02/03 06:34:02 Scanners configured in conf file: [sast]
2022/02/03 06:34:03 Total enabled scanners: 1
2022/02/03 06:34:03 Running parallel scan as per user config.
Scanning Progress: [##################################################] 100% 1/1
2022/02/03 06:37:25 FortiDevSec SAST scanner done, exiting.

The following image depicts a sample command for DAST.

devopsuser@Dev:~/Repo/OWASPBenchmark$ docker run --pull always --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_dast:latest
latest: Pulling from fdevsec_dast
Digest: sha256:8419af98214170eb2rgt3fbdbc99d4b4b51447a14e7f184aac297ff3e47aef1
Status: Image is up to date for registry.fortidevsec.forticloud.com/fdevsec_dast:latest

2022/02/03 08:37:19 Loaded scan config for Org ID: d9d3dc20-9372-4188-884f-b18a5c75fe5c
2022/02/03 08:37:19 Scanners configured in conf file: [dast]
2022/02/03 08:37:20 Response Status: 202 Accepted
2022/02/03 08:37:20 Total enabled scanners: 0
2022/02/03 08:37:20 No scanners specified.
2022/02/03 08:37:20 FortiDevSec DAST scanner done, exiting.

Downloading the Required Language Scanners

FortiDevSec uses multiple language scanner images to scan your application, you can optionally download these scanner image files on your machine based on the configured or detected languages when you run a scan. This reduces the overhead of downloading all scanner images each time FortiDevSec scans your application. Create a directory on your machine and grant full access. Consider the following example.

mkdir scan
chmod 777 scan

Run the following command to scan your application (indicating the directory) and download the scanner images. This example indicates the directory scan created earlier.

docker run --pull always -ti --rm --mount type=bind,source="$(pwd)",target=/scan --mount type=bind,source="$(pwd)"/<scan>,target=/scanner registry.fortidevsec.forticloud.com/fdevsec_sast:latest