
FCLI - Start remote scan without build tool integration

Open facilmovagit opened this issue 7 months ago • 1 comments

Question

Hi

Regarding: scan without build tool integration

Is it possible to start a remote scan, using 'fcli sc-sast scan start' and specifying that the scan should be performed without build tool integration?

This is possible using scancentral. See details below:

Pipeline commands for remote scans (translation + scan on the sensor machine).

Pipeline type 1 - uses the scancentral binary to start the scan

# Start scan
- scancentral -debug -sscurl $FCLI_DEFAULT_SSC_URL -ssctoken $REST_TOKEN start -upload -application $SSC_APP -version $SSC_PV -uptoken $REST_TOKEN  -block -o --build-tool none -f scan.fpr

This approach allows us to specify "--build-tool none"

Pipeline type 2 - uses fcli binary to start the scan (We are using the docker image fortifydocker/fortify-ci-tools:6.2.0-jdk-21)

# Start scan
- fcli sc-sast scan start --publish-to="$APP_VERSION" --sensor-version="$SC_SAST_SENSOR_VERSION" --package-file=package.zip --store=ScanId

Using fcli to start the scan, is it possible to specify the "build tool none" parameter?

We checked fcli documentation (https://fortify.github.io/fcli/v3.5.2/manpage/fcli-sc-sast-scan-start.html) and couldn't find how to use this parameter.

Thanks in advance.

facilmovagit avatar Jun 06 '25 11:06 facilmovagit

Hi @facilmovagit,

The scancentral command that you listed combines two steps in a single command:

  • Packaging the source code
  • Submitting the packaged source code to ScanCentral SAST Controller

The fcli command that you listed only runs the second step, submitting the packaged source code to the Controller. Packaging options like --build-tool are only relevant for packaging, hence the fcli command doesn't provide this option.

Depending on your pipeline configuration, there should be a separate invocation of a scancentral package command; this is where you'd want to pass the --build-tool none option. Once the scancentral package command has packaged the source code, you'd then use the fcli command to submit that package (independent of whether the package was generated with or without build tool integration).

rsenden avatar Jun 06 '25 12:06 rsenden
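The two-step pipeline described in the answer, as an added example (not code from the issue or from the fcli project): the packaging step carries `--build-tool none`, the fcli step only references the resulting package. It assumes APP_VERSION and SC_SAST_SENSOR_VERSION are set by the pipeline, and a DRY_RUN mode is added so the commands can be inspected without scancentral or fcli installed.

```shell
#!/bin/sh
# Remote scan without build tool integration, split into the two steps
# that the single scancentral command combines. Constructed example.
# Assumed environment: APP_VERSION (app:version), SC_SAST_SENSOR_VERSION.

# Run a command, or only print it when DRY_RUN=1 so the pipeline can be
# reviewed on a machine that has neither scancentral nor fcli.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: package the sources. --build-tool is a packaging option, so this
# is the only place where "none" can be requested.
package_sources() {
    src_dir="$1"; pkg="$2"
    run scancentral package --build-tool none -o "$pkg" "$src_dir"
}

# Step 2: submit the package. fcli has no --build-tool option because the
# package already reflects how the code was collected.
submit_package() {
    pkg="$1"; app_version="$2"; sensor_version="$3"
    run fcli sc-sast scan start --publish-to="$app_version" \
        --sensor-version="$sensor_version" --package-file="$pkg" \
        --store=ScanId
}

# Whole pipeline: package, then submit. In DRY_RUN mode the output is one
# command per line, so each step can be checked on its own.
remote_scan() {
    src_dir="${1:-.}"; pkg="${2:-package.zip}"
    package_sources "$src_dir" "$pkg"
    submit_package "$pkg" "${APP_VERSION}" "${SC_SAST_SENSOR_VERSION}"
}
```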