Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • User Guide

    24.3.0
    24.3.a
    24.3.0
    24.2.0
    24.1.a
    24.1.0
    23.4.a
    23.4.0
    23.3.0
    23.2.a
    23.2.0
    23.1.a
    23.1.0
    22.4.a
    22.4.0
    22.1.0

    Configuring the Scanner (fdevsec.yaml)

    Configuring the Scanner (fdevsec.yaml)

    Check-in or add the fdevsec.yaml file into the root folder of the application source code.

    Note: Do NOT modify the name and format of this file.

    FortiDevSec automatically detects your application languages and runs the relevant scans. However, to run DAST scans additional parameters are required in fdevsec.yaml, these are described later on in this section. You can also optionally add advanced settings to fdevsec.yaml file as per your requirements.

    You can also configure the scanner using command line arguments. See Command Line Arguments.

    However, you can configure the scanner either by using the fdevsec.yaml file or command-line arguments, but not both simultaneously.

    The following is a sample fdevsec.yaml file, the contents of this file vary based on different application scanning requirements.

    Note: Ensure that proper indentation is maintained while configuring fdevsec.yaml file.

    version: v1

    id:
      org: 6a4d32db-6751-441a-88fe-9b4793717cde
      app: aa8a393b-afc6-47d7-84d2-b7011f1d0012        

    # Optional parameters.
    scanners:
      - sast
      - dast
      - secret
      - sca
      - iac
      - container       

    languages:
      - python
      - javascript

    exclude_path:
      - <directory path or name that must be excluded>

    dast:
      url: <your.url.com>
      full_scan: true #true|false

    resource:
      serial_scan: true #true|false

    fail_pipeline:
      risk_rating: <1–9>

    The following are the mandatory and optional parameters for fdevsec.yaml.

    Parameter

    Description

    Mandatory parameters

    org A unique ID associated with your organization.
    app A unique ID that identifies the applications within the organization.

    Optional Parameters

    scanners

    This identifies the type of scanner to test the applications. The supported values are sast, dast, sca, secrets, iac, and container.

    Notes:

    • If this parameter is unspecified, FortiDevSec runs only static scans.
    • To run DAST scan, use DAST image with the url parameter specified in the configuration file.
    languages

    Specify the language that you want to scan. The supported values are java, javascript, python, golang, php, ruby, c++, shell, c#, c, and typescript.

    FortiDevSec automatically detects the language if this parameter is not specified.

    Notes:

    • Specifying languages as javascript also scans NodeJS code.

    • If rails framework is not found in the source code repo, ruby scanner will not generate results.

    exclude_path

    Specify the directory path or name that must be excluded from the scan. Exclude path is supported for all scanners except dast and container.
    dast

    Specify these parameters if you intend running a DAST scan on your application.

    • url - The URL where your application is hosted.
    • full_scan - The supported values are true and false. The default value for full_scan is true.
      When set to true, a full DAST scan is run and when set to false, a basic scan is run.
      Note: You can configure the FortiDAST scanner with specific parameters for testing your asset (URL). For details on scanner configuration see the FortiDAST documentation.

    resource

    When serial_scan is set to true, the scans run consecutively and when set to false, multiple scans run parallel. The default value of serial_scan is true.

    fail_pipeline

    Specify the risk_value parameter if you intend to fail CI/CD pipeline based on your risk tolerance level. If the resulting risk rating value after scan is greater than or equal to the defined value, the CI/CD pipeline fails. The CI/CD pipeline tool will automatically detect the failure and will stop the pipeline process.

    • risk_value - The supported value is a number in the range of 1–9; 1 indicates the lowest and 9 the highest risk rating level.
    Previous
    Next

    Configuring the Scanner (fdevsec.yaml)

    Configuring the Scanner (fdevsec.yaml)

    Check-in or add the fdevsec.yaml file into the root folder of the application source code.

    Note: Do NOT modify the name and format of this file.

    FortiDevSec automatically detects your application languages and runs the relevant scans. However, to run DAST scans additional parameters are required in fdevsec.yaml, these are described later on in this section. You can also optionally add advanced settings to fdevsec.yaml file as per your requirements.

    You can also configure the scanner using command line arguments. See Command Line Arguments.

    However, you can configure the scanner either by using the fdevsec.yaml file or command-line arguments, but not both simultaneously.

    The following is a sample fdevsec.yaml file, the contents of this file vary based on different application scanning requirements.

    Note: Ensure that proper indentation is maintained while configuring fdevsec.yaml file.

    version: v1

    id:
      org: 6a4d32db-6751-441a-88fe-9b4793717cde
      app: aa8a393b-afc6-47d7-84d2-b7011f1d0012        

    # Optional parameters.
    scanners:
      - sast
      - dast
      - secret
      - sca
      - iac
      - container       

    languages:
      - python
      - javascript

    exclude_path:
      - <directory path or name that must be excluded>

    dast:
      url: <your.url.com>
      full_scan: true #true|false

    resource:
      serial_scan: true #true|false

    fail_pipeline:
      risk_rating: <1–9>

    The following are the mandatory and optional parameters for fdevsec.yaml.

    Parameter

    Description

    Mandatory parameters

    org A unique ID associated with your organization.
    app A unique ID that identifies the applications within the organization.

    Optional Parameters

    scanners

    This identifies the type of scanner to test the applications. The supported values are sast, dast, sca, secrets, iac, and container.

    Notes:

    • If this parameter is unspecified, FortiDevSec runs only static scans.
    • To run DAST scan, use DAST image with the url parameter specified in the configuration file.
    languages

    Specify the language that you want to scan. The supported values are java, javascript, python, golang, php, ruby, c++, shell, c#, c, and typescript.

    FortiDevSec automatically detects the language if this parameter is not specified.

    Notes:

    • Specifying languages as javascript also scans NodeJS code.

    • If rails framework is not found in the source code repo, ruby scanner will not generate results.

    exclude_path

    Specify the directory path or name that must be excluded from the scan. Exclude path is supported for all scanners except dast and container.
    dast

    Specify these parameters if you intend running a DAST scan on your application.

    • url - The URL where your application is hosted.
    • full_scan - The supported values are true and false. The default value for full_scan is true.
      When set to true, a full DAST scan is run and when set to false, a basic scan is run.
      Note: You can configure the FortiDAST scanner with specific parameters for testing your asset (URL). For details on scanner configuration see the FortiDAST documentation.

    resource

    When serial_scan is set to true, the scans run consecutively and when set to false, multiple scans run parallel. The default value of serial_scan is true.

    fail_pipeline

    Specify the risk_value parameter if you intend to fail CI/CD pipeline based on your risk tolerance level. If the resulting risk rating value after scan is greater than or equal to the defined value, the CI/CD pipeline fails. The CI/CD pipeline tool will automatically detect the failure and will stop the pipeline process.

    • risk_value - The supported value is a number in the range of 1–9; 1 indicates the lowest and 9 the highest risk rating level.
    Previous
    Next