Fcli unable to create sc-sast session

Hello, I'm trying to integrate Fortify SSC into my GitLab pipeline but it didn't work for me.

This is my pipeline script:

fortify-sast-scancentral:
 image: fortifydocker/fortify-ci-tools:latest
 variables:
   SC_SAST_SENSOR_VERSION: '23.1'
 script:
   - fcli ssc session login --url=$FCLI_DEFAULT_SSC_URL --ci-token=$FCLI_DEFAULT_SSC_CI_TOKEN
   - fcli sc-sast session login  --client-auth-token=$FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN --ssc-url=$FCLI_DEFAULT_SSC_URL
   - scancentral package -bt none -o package.zip
   - fcli ssc appversion create FcliTestApp:v1 --issue-template "Prioritized High Risk Issue Template" --auto-required-attrs --skip-if-exists --store myVersion:id
   - fcli sc-sast scan start --package-file=package.zip --sensor-version=$SC_SAST_SENSOR_VERSION --appversion {?myVersion:id} --store '?' --no-upload
   - fcli sc-sast scan wait-for '?' --interval=30s
   - fcli sc-sast session logout
   - fcli ssc session logout  
This is the error that appears:
  • Verified Answer

    +1  

    First, I always worry that the SC-SAST login could be using an incorrect value. Please check that the value used for $FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN is the special password created and used in the configuration file of the ScanCentral SAST Controller. This "shared secret" is known as the client_auth_token in our product guides, and needs to be shared with the users of the ScanCentral Client (and FCLI). It is just a text password created by the SCSAST installation user/admin, not an actual Auth Token generated on the SSC Server nor the SCSAST Controller. I just wanted to be sure you had not inadvertently used a CIToken value from the SSC Server for that entry in your command.

    e.g. fcli sc-sast session login --session=my_sc-sast_session --client-auth-token=$FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN --ssc-url=$FCLI_DEFAULT_SSC_URL

    Secondly, I believe the SC-SAST session login command requires that you add either your SSC Username\Password or an SSC Server Token. For that token you would use a CIToken, or a custom token ("Scans Only") generated for your pipeline use.

    Synopsis

    fcli sc-sast session login -c[=<clientAuthToken>] [--session=<sessionName>] [[-h] [--env-prefix=<envPrefix>] [--log-file=<logFile>] [--log-level=<logLevel>]] ] [--store=_variableName _ ] [--to-file=<outputFile>_]] ([-k] [--socket-timeout=<socketTimeout>] [--connect-timeout=<connectTimeout>] --ssc-url=<url>) ((-u=<user> -p[=<password>] [--expire-in=<expireIn>]) | -t[=<token>])

    e.g. fcli sc-sast session login --session=my_sc-sast_session --client-auth-token=$FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN --ssc-url=$FCLI_DEFAULT_SSC_URL -t=$FCLI_DEFAULT_SSC_CI_TOKEN

  • 0 in reply to   

    Thank you, it works
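
The two points of the verified answer, written as an added shell example (not part of the original thread and not Fortify's own code): a pre-flight check that runs before the sc-sast login and then logs in with both the client auth token and the SSC token. The variable names and fcli flags are the ones used in the posts above; the function names and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the sc-sast login discussed above.
# Function names and exit codes are assumptions of this example.

# Returns 0 when the inputs look usable, otherwise a distinct non-zero code.
# Only variable names are printed, never the secret values.
check_fcli_login_inputs() {
    if [ -z "${FCLI_DEFAULT_SSC_URL:-}" ]; then
        echo "FCLI_DEFAULT_SSC_URL is empty or unset" >&2
        return 2
    fi
    if [ -z "${FCLI_DEFAULT_SSC_CI_TOKEN:-}" ]; then
        echo "FCLI_DEFAULT_SSC_CI_TOKEN is empty or unset" >&2
        return 3
    fi
    if [ -z "${FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN:-}" ]; then
        echo "FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN is empty or unset" >&2
        return 4
    fi
    # First point of the answer: the client auth token is the Controller's
    # shared secret, so it should never be the same value as the SSC CIToken.
    if [ "$FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN" = "$FCLI_DEFAULT_SSC_CI_TOKEN" ]; then
        echo "client auth token is identical to the SSC CI token" >&2
        return 5
    fi
    return 0
}

# Second point of the answer: the login also needs SSC credentials, here -t.
login_sc_sast() {
    check_fcli_login_inputs || return $?
    fcli sc-sast session login \
        --client-auth-token="$FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN" \
        --ssc-url="$FCLI_DEFAULT_SSC_URL" \
        -t="$FCLI_DEFAULT_SSC_CI_TOKEN"
}
```

Calling `login_sc_sast` in the job's `script:` section makes the job stop with a named variable in the log when a CI/CD variable is missing or misassigned, before fcli is invoked.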