Command Line Arguments

FortiDevSec allows you to configure the scanner by providing command line arguments. To pass command line arguments to the FortiDevSec scanner, append main s to the scanner run command, followed by the desired arguments.

Command Format:

<fortidevsec sast/dast run command> main s --arg1 value1 --arg2 value2

Example:

The following is an example command that runs a SAST scan with the specified arguments.

docker run --pull always --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest main s --org-id 9df9dc0f-0000-4cf7-8d91-81e194fdd727 --app-id 613a0004-b08f-40e1-a5c8-6702f2b5027b -l python -l java -l c -S=true --scanner sast --scanner sca

where,

  • docker run --pull always --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest is the command that runs a SAST scan from the application root folder. See Running the Security Scan.

  • main s is used to enable arguments.

  • --org-id 9df9dc0f-0000-4cf7-8d91-81e194fdd727 specifies the organization for the scan.

  • --app-id 613a0004-b08f-40e1-a5c8-6702f2b5027b specifies the application for the scan.

  • -l python -l java -l c configures the scanner to analyze Python, Java, and C languages.

  • -S=true enables serial scan mode.

  • --scanner sast --scanner sca specifies the use of both the SAST and SCA scanners.

Notes:

  • The command provided is an example and may need adjustments based on your specific environment and requirements.

  • Arguments are case-sensitive.

  • Multiple arguments can be combined in a single command.

  • --org-id and --app-id are mandatory arguments.

Available Arguments:

The following are the mandatory and optional arguments. Replace value with the actual value for your environment. Run the --help command for a comprehensive list of available arguments and their descriptions.

Mandatory arguments

  • --org-id value or -o value
    A unique ID associated with your organization.

  • --app-id value or -a value
    A unique ID that identifies the application within the organization.

Optional arguments

  • --scanner value or -s value
    Identifies the type of scanner used to test the application. The supported values are sast, dast, sca, secrets, iac, and container.
    Notes:
      • If this parameter is unspecified, FortiDevSec runs only static scans.
      • To run a DAST scan, use the DAST image with the url parameter specified in the configuration file.

  • --language value or -l value
    Specifies the language that you want to scan. The supported values are java, javascript, python, golang, php, ruby, c++, shell, c# and c.
    FortiDevSec automatically detects the language if this parameter is not specified.
    Note: Specifying javascript as the language also scans NodeJS code.

  • --exclude_path value or -e value
    Specifies the directory path or name that must be excluded from the scan. Exclude path is supported for the Golang and Python languages.

  • --url value or -u value
  • --fullscan value or -f value
    Specify these arguments if you intend to run a DAST scan on your application.
      • --url - The URL where your application is hosted.
      • --fullscan - The supported values are true and false. The default value for --fullscan is true.
        When set to true, a full DAST scan is run; when set to false, a basic scan is run.
        Note: You can configure the FortiDAST scanner with specific parameters for testing your asset (URL). For details on scanner configuration, see the FortiDAST documentation.

  • --serial-scan value or -S value
    When --serial-scan is set to true, the scans run consecutively; when set to false, multiple scans run in parallel. The default value of --serial-scan is true.

  • --risk_rating value or -r value
    Specify the --risk_value argument if you intend to fail the CI/CD pipeline based on your risk tolerance level. If the resulting risk rating value after the scan is greater than or equal to the defined value, the CI/CD pipeline fails. The CI/CD pipeline tool automatically detects the failure and stops the pipeline process.
      • --risk_value - The supported value is a number in the range of 1–9; 1 indicates the lowest and 9 the highest risk rating level.
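As an added example (not part of Fortinet's documentation or tooling), the following POSIX shell function assembles the main s argument list for a CI job and rejects values the table above does not allow before the container is ever started: missing --org-id/--app-id, a --scanner value outside the supported set, or a --risk_rating outside 1–9. The function name and its positional parameters are assumptions for this illustration; only argument names documented on this page are emitted.

```shell
#!/bin/sh
# Added example, not FortiDevSec's own code. Builds (but does not run) the
# documented SAST command so a pipeline can fail fast on a bad configuration.
IMAGE="registry.fortidevsec.forticloud.com/fdevsec_sast:latest"

# fdevsec_cmd ORG_ID APP_ID RISK "SCANNERS" "LANGUAGES"
#   SCANNERS and LANGUAGES are space-separated lists; each entry becomes its own
#   --scanner / -l flag, matching the repeated flags in the documented example.
#   Prints the complete command on success; prints an error and returns 1 otherwise.
fdevsec_cmd() {
  org="$1"; app="$2"; risk="$3"; scanners="$4"; langs="$5"

  # --org-id and --app-id are mandatory.
  if [ -z "$org" ] || [ -z "$app" ]; then
    echo "error: --org-id and --app-id are mandatory" >&2; return 1
  fi

  # --risk_rating accepts a single digit 1-9; the pipeline fails at or above it.
  case "$risk" in
    [1-9]) ;;
    *) echo "error: risk rating must be 1-9, got '$risk'" >&2; return 1 ;;
  esac

  args="--org-id $org --app-id $app --risk_rating $risk"

  # Only the scanner types listed in the argument table are accepted.
  for s in $scanners; do
    case "$s" in
      sast|dast|sca|secrets|iac|container) args="$args --scanner $s" ;;
      *) echo "error: unsupported --scanner value '$s'" >&2; return 1 ;;
    esac
  done

  # Arguments are case-sensitive, so language values are passed through unchanged.
  for l in $langs; do
    args="$args -l $l"
  done

  printf '%s\n' "docker run --pull always --rm --mount type=bind,source=\"\$PWD\",target=/scan $IMAGE main s $args"
}
```

In a pipeline, run the printed command with eval or copy it into the job step; a non-zero return from the function stops the job before any scan is attempted.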