Add Fortify security scanning to CI/CD pipeline

MikeTheSnowman · MikeTheSnowman · commit 20171eea453f · 2025-07-24T09:11:12.000+10:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -461,4 +461,23 @@ jobs:
           git add .
           git commit -m "Update documentation for ${{ needs.build.outputs.release_tag }}"
           git push
-          
+          
+  fortify_scan:
+    name: Fortify Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Fortify on Demand SAST & SCA Scan
+        uses: fortify/github-action@v2
+        with:
+          sast-scan: true # Enables Fortify's native SAST and SCA. Chosen to satisfy 'sca:true' despite 'sast:false' as no separate SCA-only parameter is available.
+          debricked-sca-scan: false # As per Debricked SCA: Disabled
+        env:
+          FOD_URL: https://ams.fortify.com
+          FOD_TENANT: FranklinBank24
+          FOD_PAT: ${{ secrets.FOD_PAT }}
+          FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }}
+          FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }}
+          FOD_PASSWORD: ${{ secrets.FOD_PAT }} # Included as per example, using FOD_PAT secret
