Fortify CI Integrations Part 2 (Jenkins, Azure DevOps)

Fortify can integrate with virtually any CI/CD tool in the market. In this session, Diogo Rispoli (Fortify Master Solutions Architect), covers Jenkins and Azure DevOps (24:35).

LEARN MORE about Fortify: https://www.microfocus.com/en-us/solu

LEARN MORE about how Micro Focus was named a leader in the Gartner MQ for Application Security Testing: https://software.microfocus.com/en-us

LEARN MORE about how Fortify received the highest score in the Gartner Critical Capabilities for Application Security Testing report for the Enterprise use case AND the Mobile and Client use case: https://www.microfocus.com/en-us/asse

CONNECT with the Fortify Online Community: https://community.microfocus.com/t5/F
- Connect with peers and share your knowledge
- Find solutions and answers to your technical questions
- Stay informed on new releases and product enhancements
- Access downloads, demos, videos and support tips


Content

4 -> Hello hello! My name is Diogo Rispoli, I'm a Master Fortify Solutions Architect, and today we'll be
11.28 -> talking about CI integrations with Fortify, part two. And why is this one part two? Because we'll
20 -> be talking about Jenkins and Azure DevOps, which weren't covered in the first part of this
28.24 -> session, which was about GitLab, GitHub and Bamboo, among others. Because there I also discussed some
36.24 -> strategies that you can use to integrate with virtually any CI/CD
43.52 -> in the market, no matter if you're using Fortify on-premise or Fortify on Demand, and the same we'll do
50.72 -> here: I will be covering the native plugins that we have for Jenkins and Azure DevOps,
57.04 -> the integrations, tips and tricks that you can use to get your integration done,
64.72 -> and show you some samples with the scans running, what you would
70.88 -> expect to see on logs and all that good stuff. So without further ado, let's get started.
78.48 -> So first of all we'll be talking about Jenkins. Jenkins is a CI/CD tool that is very popular in the market.
86.48 -> I have a lot of customers using Jenkins, and on Jenkins you can configure tasks,
94.32 -> run your compilation tasks, run your quality assurance checks and also run your
103.44 -> static analysis with a security purpose, so you can definitely identify security
110.96 -> vulnerabilities and fix those security vulnerabilities in your software project.
119.6 -> We'll be using two different projects here. The first one will be the famous EightBall. EightBall
125.84 -> is available in the Fortify SCA installation Samples folder, and also we'll be using the OWASP Shepherd
134.32 -> project. Both of them are written in Java, but if you look here you have different projects;
143.12 -> we use different types of projects, and we cover, with Fortify, more than 28 languages
151.6 -> right now, so you can use the same strategy with different languages, different projects. That's just
158.72 -> your choice. So let's get started, let's take a look at this EightBall project. So this is a pipeline
167.2 -> style project, and this is one of the things that you can do using the Fortify
175.92 -> plugins: you can have a pipeline style configuration, or you can also have a more
182.4 -> traditional view, freestyle projects, configuring each step. So I'll be showing you
188.48 -> both cases here, I'll be showing you how you achieve that sort of integration, and
196 -> after the configuration I'll go back to Jenkins, I'll show the plugins, I'll show how you set up
204.96 -> user credentials, your SSC URL, your FoD URL and so forth, so on.
213.44 -> ScanCentral SAST is a feature that we have on Fortify on-premise solutions where you can package
222.8 -> your source code and libraries and send them to be scanned on a centralized farm of servers. So
230.56 -> this is not meant to be an on-demand solution or a SaaS solution, this is for Fortify on-premise.
239.84 -> Going over the configuration of your project, what you see are the regular
246.32 -> configurations; you can use your GitHub integration, whatever style you want,
253.36 -> and you have your pipeline. Just for demonstration purposes, I'm not bringing in, at
261.12 -> least for this video, so I won't pollute the way you see the configuration,
268.64 -> I'm not bringing in any of the stages here that are not the Fortify ScanCentral SAST stage,
276 -> and I'll show you, before I get there, the pipeline syntax, how you can use the pipeline
283.28 -> syntax to set up not only Fortify on-premise but also Fortify on Demand.
291.52 -> So when you get here, and of course you have to have the Fortify plugins installed, you can
298.72 -> get a simple step that you can use to configure your job. So scrolling down a little bit,
307.44 -> what you see are Fortify on Demand assessments, so static assessments,
315.52 -> and Fortify poll results. So with Fortify static assessments you can configure Fortify on Demand
324 -> to upload your source code and libraries to your Fortify on Demand instance, and also you can poll
331.36 -> for results, so you can take any decisions based on the results you will get out of the scan
340.4 -> you've done with Fortify on Demand. The same way, you see those Fortify on-premise ones,
348.56 -> for those that are used to the way of running Fortify directly with Source Analyzer:
357.28 -> you see you have the full three steps there, so you have a Fortify clean, a Fortify translate
366.16 -> and a Fortify scan, and also you see a Fortify upload task that's meant to be configured after
375.2 -> the fact. After you run these scans, you produce an FPR file, you produce results, and you'll be able to
382.88 -> upload those results to your SSC instance. And I'll be
393.04 -> using a much easier strategy. What I'll do, I'll do a Fortify remote analysis. What does that
401.68 -> mean? As I explained to you before I got to this stage, I will be packaging my source code and
410.4 -> libraries, I'll ship that source code and libraries to my ScanCentral controller, my ScanCentral
417.84 -> controller will identify an idle sensor and request that sensor to run a static analysis.
427.52 -> Not only will my sensor do that, but also, after it finishes, it will bring
434.72 -> all the results back to my Fortify SSC, where I can take the results. We can also leverage webhooks,
445.76 -> not only here but also in Azure DevOps. I won't be covering webhooks because we'll have a very nice
451.92 -> session with one of our colleagues here that will cover not only webhooks but some advanced
459.04 -> use of the Fortify APIs to get the results where you want and do things the way you want.
466.64 -> So you can do the full remote analysis with the ScanCentral plugin, but you can also
474.56 -> run a local translation on your Jenkins agent and send what we call an MBS file to be scanned on
485.36 -> your ScanCentral sensors as well. I just find it much easier running the full
493.92 -> translation and scan on my sensors, because I can save some resources on my
503.36 -> agent, my Jenkins agent side, so I don't have to use a huge box for my agent or a huge container;
512.8 -> I can have it smaller, not only in terms of CPU and memory but also in terms of hard disk. So what I'll
520.4 -> do, I'll click here, I'll choose the application type I have, so in my case it will be Maven. I can
530 -> define some optional configuration like the sensor pool, an email that I would like
537.84 -> to have notifications sent to, I can select a custom rulepack, I can have some Fortify scan filter
547.12 -> files. I won't be using any of those, but I'll definitely upload my results to my Fortify Software Security
555.6 -> Center instance. When I click here, of course this is already connected with my SSC, so it will bring
561.84 -> a lot of projects that I have there. For this project, EightBall, I'm selecting EightBall and
568.24 -> I'm also getting the version I have there. I click on generate script, I just copy this here
577.12 -> and that's it. I'll go back to my project configuration, I will configure my project, and
585.76 -> when you get to your pipeline, of course you have to start with all the nodes and all that
592 -> notation that you have to use for the pipeline on Jenkins, but I'll
598.64 -> define a node, I'll define a stage, I'll call that stage ScanCentral SAST, and I will just copy that
607.6 -> information I got from the pipeline syntax, from my pipeline syntax generator:
617.2 -> Fortify, Maven, upload to SSC, name and version. After that I click on save
624.72 -> and I'm ready to run my first, or in this case not my first, but I'm ready to run
632.08 -> my build process. So I click on build, I'm waiting for my agent to pick up that job, I'm clicking
641.84 -> here, and let's watch the execution of the pipeline so we can see how things go.
649.92 -> As you can see, ScanCentral is running. I already got a token, an
660.48 -> authentication token, to my SSC and my project, and it's packaging the source code right now,
669.44 -> leveraging the configurations I have in place, and after that, back to the job:
677.6 -> upload the job and submit that job to my SSC. If you go to our SSC, and I just clicked
688.4 -> the wrong one, so let me just open my SSC here. So if you open up my SSC, what you see is,
698.56 -> on ScanCentral SAST, what you see is a job that was sent here, and if you look at the time
705.52 -> on my bar and the time of my scan, you see that job was just submitted, so the scan is running,
712.64 -> and after the scan is done you see some results included back on your Fortify SSC. So
723.44 -> that's one way to do the integration, real quick, real easy, using the pipeline notation.
732.32 -> So let's take a look real quick at the configurations you have to do while running
740 -> your job on Jenkins. And I apologize, I have to update my Jenkins, so that's why you're seeing
746.48 -> all those alerts, but it doesn't affect the fact that we can still trigger our jobs
755.04 -> on Jenkins. So we go first to Manage Plugins to install the plugins and just go over the
766.72 -> available ones. I've already done the installation, so I won't be able to show you the installation
774 -> process, but the installation is real simple: you get the list, or you can click on search,
781.28 -> you look for Fortify and you see both options, you see Fortify on Demand and Fortify on
788.08 -> premise. So I'll go to the installed ones so you can see what I'm talking about. So scrolling
796.4 -> down here, I have the Fortify one, this is for Fortify on-premise, the version is the most x120.34,
802.16 -> and I also have, down below, the Fortify on Demand plugin. Since I'm showing
813.52 -> you both I already went ahead and installed both, I rebooted the Jenkins server because that
821.84 -> was required by Jenkins, and I have them available the way I showed you in
829.76 -> the pipeline notation and also in a freestyle project, if that's the way you want to do it.
837.12 -> Just to check, I went too far back, but just to check on the things we have to do,
844.96 -> you can go to Configure System and you find Fortify on-premise and on Demand, because
855.92 -> I have both installed. What you have to do is, for Fortify on Demand, configure the Fortify on Demand URL
866.24 -> and the Fortify on Demand API URL and also an API token and secret, but you can also, on top of this,
874.72 -> use a personal access token for authentication, which I personally don't recommend
879.92 -> because you have your pipelines tied to a personal account, and if that account gets locked
888.88 -> or anything else, or that particular person leaves your organization, for example,
894.88 -> you will end up having to reconfigure this. So I just prefer using the API key and secret
902.72 -> that will be available for everybody in the organization; you can refresh those on demand.
909.6 -> You also find up here Fortify on-premise, so let me just look at Fortify on-premise. So
919.44 -> yeah, so it was down below, sorry about that. So you see Fortify, a Fortify assessment, and
927.04 -> on Fortify assessment you have to pass the SSC URL, an authentication token and also the
938.64 -> scan template you'll be using, any timeouts, and after that, if you're using a ScanCentral
945.68 -> controller without SSC, you have to do the same configuration for your ScanCentral controller.
956 -> In my case here, since my SSC is integrated with my ScanCentral controller, as soon as the
964.56 -> tool pings SSC it will receive all the information required to close the connection with the ScanCentral
972.72 -> controller, the one that will be receiving all the jobs. Just to make sure things are working,
979.84 -> I'll go here, I'll test the connection for SSC, and going up there for the Fortify on Demand one
987.44 -> I'll also click here, test the connection. So this is telling me I'm good to go.
995.44 -> Before I go to the next integration I'll show you how
1007.28 -> we can do configuration and integration in a freestyle project for Fortify on Demand.
1016.72 -> So you have all the steps: your configuration with your source code management tool,
1022.64 -> your build triggers, all the configuration you have for your projects. In my case I'm also using,
1028.96 -> for connecting to FoD, a Maven project. This Maven project has some targets, especially,
1038.16 -> this one being a very big project, I'm using the tag skip tests, and this is because
1046.24 -> tests sometimes are designed and they fail, and it prevents my build process from
1054.64 -> moving forward, and my end goal here is not to have my source code compiled but
1060.96 -> to have it packaged to be scanned by Fortify on Demand. The same way, you
1068.4 -> have a release ID, a BSI token and a source code locator. A source code locator is meant to be used
1075.76 -> when you have your project in a particular folder inside your Jenkins home for that project. Since my
1085.76 -> source code is the root folder of my Jenkins home for this project, I'm not
1093.44 -> changing anything. And how do I find the release ID? So let's take a look at Fortify on Demand.
1101.04 -> And of course I want to stay logged in on my SSC. Let's take a look at my Fortify on Demand,
1109.52 -> where my session was already dropped, so let's authenticate real quick here.
1118.48 -> And I'm using a tenant where I can run some lab tests. This is
1130.16 -> a lab environment for me, but you see everything exactly the same on your Fortify on Demand tenant.
1138.4 -> So if you look here you have this project that's called Juice Shop.
1144.4 -> Oh, I'm not using Juice Shop, I'm using Shepherd, so let's take a look at Shepherd.
1153.6 -> You can go to the release tree, you can click here, you'll be doing a static scan
1163.6 -> and we'll be doing all the configuration you need to run an assessment,
1172.08 -> but at the bottom of that configuration you'll find two different pieces of information: a release ID and a
1178.88 -> build server integration token. I only recommend you use a build server integration token if you
1187.44 -> have a very particular use case for that. We will be sunsetting this information at some point in
1195.12 -> time, and the release ID is the best substitute for this BSI token. And what's the problem with the BSI
1201.6 -> token? I cannot change any of these configurations without changing my BSI token, and with the release
1210.32 -> ID I can change all the configurations regarding my static scan details and I still have the same
1218.16 -> release ID for that particular release on Fortify. So release ID is a more stable way to go,
1226.64 -> and that's the way I would recommend you go if you need to do some configuration. So you just
1233.12 -> copy it and you go back to your FoD project and you paste it here and you're good to go.
1242.08 -> So it's one or the other, no changes on source code location, but you still have some entitlement
1248.8 -> options. This is something really particular to FoD, it's the way your scan will react,
1256.4 -> or your FoD tenant will react, when asked to run a scan. So first of all, the type of
1269.28 -> scan I'll be doing: there's a difference between subscription and single scan. With a subscription I have
1275.28 -> unlimited scans during the subscription period; a single scan allows me only two scans, one
1282.88 -> scan today, a full scan, and within 30 days you can repeat that scan, what we call a remediation scan.
1291.68 -> So since I have a subscription I will be running a subscription scan, not a remediation scan, and I also
1300.48 -> can take decisions when I request a scan and I already have another scan running
1308.64 -> for this particular version, in project and release. So my action here is, if I have something running
1318.08 -> I will queue a new scan request, but you can cancel the scan that's happening, you can
1327.04 -> do nothing, or you can queue. So I'll queue it, and also this is the action I'll be taking
1337.04 -> after I run the scans. In this case I'll just provide a warning because my team here, the
1344.24 -> team doesn't have the maturity to fail the build on the scan yet.
1351.04 -> I click on save and I'll click on build now. When I click on build now, what I'll have on my logs,
1360 -> on my console output, is Jenkins running its tasks, and after the fact we'll package the source code
1369.2 -> and we'll ship that source code over to Fortify on Demand to be scanned. So let's wait a little bit
1377.04 -> and watch the execution here. Yeah, and it looks like, oh no, I'm just
1384.08 -> compiling and creating, assembling that package, and after that is where I'll start the FoD upload. So
1395.12 -> I'm creating a zip file with source code and libraries, and after it's done I'll
1402.96 -> connect with Fortify on Demand and upload and trigger a scan. So it looks like the upload has started.
1413.28 -> Yeah, so uploading. I have chunked requests, so we will upload piece by piece, and after it finishes
1420.88 -> I'll be waiting for the results to come back to take a decision, to get a warning or
1429.76 -> even to fail the build based on the policies I have in place on Fortify on Demand and the level
1437.52 -> of risk I am tolerating as an organization. So let's at least wait for the upload to
1447.44 -> finish. This project takes on average 10 to 15 minutes to get scanned, so that's why,
1455.44 -> since I'm just looking for a warning, I'm not doing any polling here, I just uploaded
1462.4 -> in a strategy of trigger and forget, or fire and forget. So that's it for
1473.44 -> Jenkins, and now let's move to our Azure DevOps integrations. So this is SSC, this is
1485.76 -> Azure DevOps. On Azure DevOps, in my organization, I have two different, I have more than two different
1493.44 -> projects, but the ones that I'll be using for our demo purposes will be EightBall, using
1500.56 -> a local agent, because I want to make sure my agent can communicate with my ScanCentral controller
1509.28 -> and communicate back with my SSC instance, and I will also be using, for FoD,
1519.6 -> the Juice Shop project, the OWASP Juice Shop project, written in JavaScript.
1527.2 -> First of all, before we even get to the configuration of the pipeline,
1532.4 -> I have to set up a connection with SSC. So I'll go ahead to my project settings,
1542.4 -> I'll look for service connections and I will add, clicking on new service connection,
1551.44 -> I'll add some configuration. So I will be using a generic type of configuration.
1559.84 -> So select it here, and you see Fortify here. There's a difference, right: on Fortify you'll
1567.36 -> be doing a connection for Fortify on Demand, but we'll be covering this on the Juice Shop project.
1574.88 -> So you have the generic configuration for the service endpoint connection. I will be
1581.76 -> providing the server URL, so go back to my SSC, I'll copy my server URL, apologies, and
1592.16 -> I can use username and password, or, the way I prefer the most, I'll go back to my SSC,
1600.24 -> administration, users, token management, and I create a new CI token. With a CI token
1612.72 -> I can communicate. In this case I'm using ScanCentral, so I'll go ahead, I'll use a different
1619.84 -> type of token, I'll use a ScanCentral controller token. This one fits our purpose better. So
1630.48 -> I'll define some name here, so "ago demo", and I'll save it here, I'll create my token,
1641.92 -> I will close it here, I'll go back, paste my token in this particular field. So you don't have
1653.28 -> to use a username, but you can have the token in the password: if you leave your username blank
1659.52 -> it will identify automatically that what you're using is a token. I will also use a service
1666 -> connection name, "sc ago 2", just to make it different from the ones that I have,
1675.44 -> and I can go ahead and save it. I'll be using the SSC one because that's the one I generated before
1683.04 -> in our samples, when we get there to the configuration steps, but you can definitely,
1688.4 -> I could definitely use any of those here, just as a way to trigger and
1696.88 -> get these scans going. So I'll be looking at the project, I will go directly to pipelines. I
1705.44 -> already have this project set up and I can come here and edit my azure-pipelines YAML file. You can use the
1715.04 -> YAML file notation. I'm all over the YAML file, the pipeline notation, so I just love them, so that's
1721.68 -> why, I think most of the people are just using that the most, so that's why I'm focusing here,
1727.2 -> but you can definitely use those plugins. I'll be showing you using a regular, traditional,
1735.6 -> old style view. So how do I add a Fortify task here? I'll just come here, I'll look at Fortify
1748 -> tasks. So Fortify ScanCentral SAST assessment, it could be a Fortify Static Code Analyzer.
1759.76 -> Let me see what I have here. Oh, I have a Fortify Static Code Analyzer, so I'm doing a local scan,
1766.16 -> but you can definitely go ahead and, so I'll click here, oh what did I do, so I'll click here, enter, and
1776.72 -> I will add a Fortify ScanCentral controller. I can define a ScanCentral controller client
1786.24 -> token in my variables, and this is meant to authenticate my ScanCentral client to my ScanCentral
1795.2 -> controller. In my case here I'm not doing any authentication, so I can leave it the way it is.
1803.28 -> My ScanCentral controller URL would be on the same machine that I have SSC on,
1811.44 -> so just to make sure everything is running and working, I'll get here, I can use this one,
1819.28 -> go back to my pipelines and I'll put my ScanCentral controller. I can also define my
1827.2 -> SSC URL, so since I have it here I will do both, but I just need, especially in this case,
1836.56 -> if I define the SSC URL that will be enough. And I can also define
1843.84 -> a ScanCentral CI token using variables, and I can get this information here if I want.
1851.36 -> I can also just come here and insert this token directly here. So this is when you're doing
1860 -> those things using ScanCentral, and I can definitely define an application
1867.76 -> version, an application name here. I will define the build tool I'll be using, I can find some
1876 -> advanced options for build command, build file, I can skip the build, I can include or exclude
1883.36 -> the tests. Including the tests can bring some sort of noise to your final results,
1890 -> so that's one thing that I don't recommend much. You can also have some filter templates, issue
1897.92 -> templates, custom rulepacks and other advanced options here. So I can wait for the scan to finish,
1904.88 -> I can just make it quiet, fire and forget options, so forth, so on. So this would be a nice way
1913.44 -> to integrate, and after I do everything I just click on add and I'll have a task going on my
1924.4 -> so it's just complaining about indentation. I'll just come here, fix those things and see if I
1933.52 -> still have some issues running or working, but we can definitely take care of those
1941.92 -> and clean them. So this would be to run scans. I'm probably missing something else.
1953.28 -> Okay.
1964.96 -> so let's talk about azure devops so  azure devops is also um a devops ci  
1975.6 -> with this similar capabilities and features that  you see on jenkins a very a very popular tool  
1983.76 -> many organizations are using azure devops in  their daily operations so here we'll have two  
1992.32 -> different strategies first of all i'll use the  80 ball project with a local agent so we can see  
2001.2 -> a different strategy while running 45 using the  source analyzer and i will also have a juice the  
2009.2 -> juice shop os project uh triggering a scan on for  fine demand so let's move ahead and see how those  
2018.96 -> things work before we start the configuration of  the pipeline one important thing we have to do is  
2026.96 -> create a service connection so you can go to your  project settings select service connections in for  
2035.6 -> fordify you will be using for fortify on-premise  ssc you'll be using a generic type of connection  
2045.28 -> you can see a four five connection up here  but uh for uh the four five connection is  
2052.08 -> meant to be used for fog i'll be covering the four  five connection later in this presentation so you  
2059.52 -> click on generic uh you click on next uh you will  bring your ssc server url so i will stay logged in  
2069.12 -> because we will be using ssc i will add the ssc  uh url i don't need a username because i'll be  
2081.2 -> using a token you will go ahead and will create  a new type of token that we call ci token and  
2090.88 -> yci token in this case because i'll be using the  source analyzer to upload uh the results genera to  
2101.12 -> generate and upload the results on ssc uh we'll be  marking here an azure devops demo uh i will save  
2112.88 -> i will cop a copy the the right token and this  one is the decoder token not the encoded token  
2122.72 -> i'll go back to my service connection i will just  add that token on the password slash token field  
2131.6 -> i will add a name here so ssego3 um that the name  doesn't matter but it's important you use the  
2140.64 -> name that you be you you know meaningful for you  and your organization you can click on save this  
2149.92 -> service connection information you'll be used  here and you're good to go to go back to your  
2155.52 -> project to your pipeline and define an sca  type of connection or type of scanning here  
2165.6 -> i'll be using the azure pipeline notation i love  the yaml files but you if you're used to the most  
2174.4 -> traditional way to do things or to see things on  on azure devops that's not an issue the same tasks  
2181.84 -> you can configure for the azure pipelines will  also be available for you on your uh traditional  
2190.4 -> view uh on on azure devops and to search the tasks  here i'll just look for four or five uh see some  
2200.64 -> different options so you see scan central sas  that's the same strategy we used on jenkins  
2209.44 -> you also see a scan central desk if you're looking  to trigger a skin using a web inspect um you see  
2220.4 -> four file on demand static assessment and dynamic  assessment i'll be covering on the second part of  
2226.88 -> this presentation and the one we'll be using the  four five star code analyzer uh installation oh  
2233.52 -> sorry assessment if you don't have on your agent  and you wanna leverage the installation step here  
2242 -> you can also do in this case since i'm using a  self-hosted agent i have all the the capabilities  
2249.04 -> i need inside my agent i'm not worried about have  to stall for phi sca so uh if you don't have the  
2258.48 -> four five sca license there it's not required i  already have mine there i installed everything  
2265.76 -> so i i don't have to worry about this um my build  id for this uh scan uh will would be eight ball  
2276.08 -> uh i'll be running an update on my rule  packs so this will make my sca connection  
2284.16 -> of my sca instance connect on my sse that's the  way i configured it and uh we'll we'll update  
2292.48 -> the roll packs uh first thing f before you  know the scanning process after that i'll run  
2299.44 -> a four five sca clean i'll run a four five sca  translation this is a maven project so i'll be  
2308.8 -> uh choosing a java here um i can define a class  path in my case i'll do different i will be using  
2319.12 -> other and i will define so i i'll have a clue  here so i'll define the information for the  
2326.32 -> translation step uh from my maven plugin for the  four five maven plugin i'll just add it here um  
2335.52 -> i don't have to be to put in build up option  tools um i will my maven will take care of the  
2344.88 -> translation steps so i don't have to worry with  anything else and i will be running the four five  
2351.84 -> scan locally and after that if i can definitely  set up skin central here but i'll keep it local  
2359.76 -> and after that i can also define a task  to upload uh the results back on my  
2370.08 -> sse so if i click here i will select that service  connection i will select eight ball as as my  
2379.44 -> sorry this is not the way it's there  i'll select eight ball the version is one  
2385.76 -> i don't need a proxy neither a username or  password and the only thing i'll do after that  
2392.96 -> is click on add and that  information will be filled here  
2400.88 -> after i do this the second thing i have to  do is just you know click on run and when  
2408.72 -> i run what i'll do i will scan the source code  leveraging um so let's watch the logs leveraging  
2416.64 -> um all the things i have on my agent if you see  here is a local agent it's starting checking out  
2424.72 -> the source code from from azure um it's running  um the maven steps uh prior to the four or five  
2432.08 -> ca so compilation and now i'm getting uh the  four phi um four five is running checking on um  
2443.36 -> clean cleaning the project running they  scan leveraging my maven plugin and  
2450.48 -> after that i'll have my skins and i'll upload  that that results those results on my ssc
2464.88 -> So let's give it some time to run, to finish and to bring the information back to our...  
2472.4 -> through our logs here. So yeah, so I ran... I'm running the scan and I have a build successful...  
2482.96 -> sorry, I ran translate, I had a build success for it, and I will be using the source analyzer to  
2490.72 -> scan and to generate what I call an eightball.fpr file.  
2497.52 -> After this scan is done, I will be uploading the results to SSC, so you see on SSC  
2508.4 -> the new information regarding the last analysis you did. So let's give it  
2515.36 -> a minute to show before, you know, we finish this and we can move forward. So now I see  
2522.4 -> the Fortify client uploading the FPR, leveraging all the information. SCA is looking good.  
2531.2 -> I'm not taking any decisions based on the results just because my organization doesn't have, you know,  
2536.72 -> all the maturity needed to break the build, but you know, after this you're good to go, and  
2543.92 -> if you go back to your SSC, what you see is an analysis on your project. So let's go ahead and take  
2553.84 -> a look. Oh, it required my attention because I'm using a new version of SCA on that particular local,  
2565.6 -> on that self-hosted agent, so that's why I got a warning saying you have to... but it  
2574.24 -> went ahead and uploaded even with the version, so I probably accepted this before, so  
2582.88 -> this happens right now and everything is looking good. Results are there. If you look at the...  
2593.92 -> yeah, so results are here, everything is here. It already ran my Audit Assistant  
2600.88 -> to help me tag the issues, so I'm good to go.
2608.48 -> Same... in a similar fashion you see on the Juice Shop, but on Juice Shop my pipelines are using...  
2618.8 -> so let's, before we get there, let's create a token... let's create a connection, a service  
2624.96 -> connection here, not a token but a service connection. So click on Service connections.  
2630.96 -> I will be creating... so I can edit this, but I'll be creating a new one so you guys can see.  
2636.88 -> You look for Fortify and it will populate. You can have both, right: basic authentication,  
2645.52 -> this will require username and password; I just prefer a token-based authentication. I'll get my  
2655.52 -> FoD URL, so I'll get it here just to make my life easier. I will also select my API  
2669.52 -> and I believe it's this... oh, it's different: api.ams.fortify.com.  
2678.08 -> And I'll go to my FoD instance just to show you  
2692.96 -> how to get there.  
2697.92 -> And I go under Administration,  
2702 -> Settings, Security, API, and I get an API... I can create a new one.  
2712.4 -> I'll add a key, I'll give it a name, it doesn't matter what name. I'll just choose "demo".  
2724.64 -> For the roles I will be giving Security Lead so I can make sure I'll have all the roles  
2735.2 -> I need to trigger scans, take decisions and all that good stuff, pull results and all the good stuff. So  
2741.92 -> I can click on Save. I get the secret; the secret will be shown once, so let me go ahead  
2750.56 -> back there, paste my secret, and I'll close it here because I also have to look for my Juice Shop demo.  
2765.28 -> So I'm getting there and copying the API key,  
2773.76 -> going back to my service connection... let me see if I define a name here...  
2778.72 -> oh no, the name is down here, and I will be defining  
2785.36 -> "FoD AMS 2", so you can use it on your project, and after that, while configuring my pipeline,  
2800.4 -> I'll be able to get this and make it work. I'll go here, I'll edit my pipeline  
2808.88 -> the same way I did, so I have the steps here. I'm not using a self-hosted agent, I'm using a Microsoft-  
2818.24 -> hosted agent using the Ubuntu image. You can use any image if you want. So here are  
2828.24 -> the tasks to run: install Node.js, run the scripts, and also I'll be looking, the same way  
2838.24 -> we did for on-premise, I'll look for Fortify... Fortify on Demand Static Assessment. Source  
2846.8 -> code location: this is just a dot, you don't have to worry about it because everything here on my project  
2855.52 -> is on the root folder. Release ID: release ID is a very interesting piece of information you have to bring  
2863.04 -> from FoD. So how do you find a release ID? You go to your project, so go back to your applications,  
2874.16 -> you click here and you look for your project. So I'm looking for Juice Shop, I'll open Juice Shop,  
2882.4 -> and I'll run a scan over this release 9, so I click here on Static, I open my scan setup,  
2893.04 -> I'll check all the information I have, and I'll get the release ID here. You can use the BSI token, but  
2901.2 -> the BSI token is not recommended anymore, and the main reason is because the  
2909.2 -> release ID is a much more stable type of information than the BSI token.  
2915.92 -> With the BSI token, any time you change any configuration on the scan setup, this token  
2923.52 -> will change, so release ID would be the most recommended method for you to tie your  
2931.12 -> Azure DevOps project with the things you're doing on your Fortify on Demand.  
2940.16 -> I'll go ahead, get that release ID, I'll get the connection, I will look at the entitlement options,  
2946.96 -> something similar to what we saw on Jenkins. So I'll be using Subscription because I have a subscription.  
2954.32 -> I will look for an action if I have any scanning process in progress running on FoD.  
2962.4 -> I won't do any remediation scans, I want full scans because I have a subscription for  
2970.96 -> that project, and I will just complete the build task and have a warning. I won't  
2978.16 -> break the build; my organization here just doesn't have the maturity there, but  
2984.24 -> if you are willing to break the build, this will leverage your star rating on FoD  
2992.16 -> to take that decision. So I would recommend, if you're planning to break the build,  
2998.08 -> look over your star rating configuration on FoD, make sure you have everything good to go.  
3007.92 -> When you click on Add, you have, you know, this configuration added to your Azure DevOps  
3015.36 -> azure-pipelines.yml file, and the next thing you have to do is run a new pipeline, watch the  
3026.4 -> execution here. Sometimes it takes a little bit longer because I'm using a self-hosted agent, but you  
3034.32 -> know, I'm having my job initialized, it's running, and it looks like it's almost good to go. So let's  
3044.24 -> give it a minute or two to get there. In the steps we have... so yeah, I installed Node.js, I  
3051.92 -> checked out the Juice Shop, I'm installing the npm, you know, libraries, and after that I'll get to the  
3060 -> Fortify on Demand step. So let's give some time for that task to finish.
3074.88 -> This will take time, you know, based on your project and configuration. Sometimes it  
3080.64 -> takes longer, sometimes it's, you know, quicker to finish. You can also have, you know, some sort  
3087.52 -> of configurations that will save you time, so you can do different configurations. I'm just doing the  
3093.68 -> basic ones here just for demo purposes. And why I had, you know, the compilation steps  
3102 -> defined on Azure DevOps, it is because they are required to get everything done, anything done on  
3110.24 -> Azure DevOps. After you get to the Fortify... you go past that npm install step, you will  
3120 -> get to the Fortify on Demand main scanning process, and Fortify on Demand will have  
3128.96 -> you create a zip file, and you upload that zip file to your  
3137.68 -> FoD, then FoD scans. Yeah, so let me give you the full thought here.  
3149.12 -> So it's about finished. Yeah, binary is fine. So yeah, those are the last steps for this,  
3157.04 -> and we'll move to the next: the Fortify on Demand main steps.  
3174.32 -> Since this one is taking a little bit too long, I want to show you how the Fortify on  
3179.52 -> Demand steps look like, so I'll go ahead and look for, you know, a similar job that I ran.  
3186.32 -> After this I can see the job's logs here. So after the installation, wow, it took, you know, a good time,  
3196.24 -> and on Fortify on Demand, when I ran this for the first time, it took around 24 minutes to finish.  
3202.96 -> So I uploaded... I authenticated and uploaded to FoD, and after I uploaded, I started this, I  
3211.92 -> waited for the scan to run and finish, and it took around 20 minutes to run the scan. That's the usual  
3219.52 -> time we have for this project, and in the end of the process I found 208 critical  
3230.48 -> issues, but since this project is not configured as production, the star rating allowed me  
3239.36 -> to pass on the policies I had on FoD. So that's it for today, thank you for watching this video.  
3250.72 -> I hope you liked it, and you can also subscribe to our Fortify Unplugged channel on YouTube  
3259.04 -> to get more information around the Fortify products, new features, how-tos and everything else that we have there. Thank you for watching.

Source: https://www.youtube.com/watch?v=7nUytfCmBAY