Fortify FPR to SARIF

The "What's New in Fortify v20.1" webcast mentioned something about displaying FPR results directly in Git by converting the FPR to SARIF? Can somebody explain this and point me at additional resources for this?

  • We are actively working on integrating Fortify with GitHub; this includes starting Fortify scans from GitHub workflows, and reporting Fortify results back onto the GitHub security dashboard. We have similar efforts going on for other providers like GitLab, but in this post I'll focus on our GitHub integration efforts.

    Current progress can be seen at https://github.com/fortify-actions, which hosts various GitHub Actions that can be called from your GitHub workflows, as well as various example projects that illustrate how to use these actions in sample workflows.

    This is still work in progress; we may be adding, changing or removing actions as we see fit, and we haven't decided on a final location for these actions yet (maybe they will be moved to https://github.com/fortify). So you can play around with these actions, but we do not yet recommend using these in production environments.

    In particular, reporting Fortify issues back onto the GitHub security dashboard is still very much in progress. We are looking into various options for generating the SARIF file that is used by GitHub to populate the security dashboard, and in fact the GitHub security dashboard itself is still in beta.
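To make the "FPR to SARIF" step concrete, here is an added example (not Fortify's code and not taken from the fortify-actions repositories) that builds the SARIF 2.1.0 document GitHub's security dashboard ingests. It assumes the findings have already been pulled out of the FPR (category, priority, file, line, abstract); the sample findings and the priority-to-level mapping are constructed for illustration.

```python
import json

# SARIF 2.1.0 schema location (public, stable).
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Assumed mapping from Fortify priority order to SARIF result levels
# (error/warning/note are the levels GitHub code scanning recognises).
LEVEL_BY_PRIORITY = {"Critical": "error", "High": "error", "Medium": "warning", "Low": "note"}

# Constructed sample findings, shaped like what one would extract from an FPR's
# audit.fvdl. Not real scan output.
SAMPLE_FINDINGS = [
    {"category": "SQL Injection", "priority": "Critical",
     "file": "src/main/java/Dao.java", "line": 42,
     "abstract": "Untrusted input reaches a database query."},
    {"category": "Password Management: Hardcoded Password", "priority": "High",
     "file": "src/main/java/Config.java", "line": 17,
     "abstract": "A credential is embedded in source."},
    {"category": "Poor Logging Practice", "priority": "Low",
     "file": "src/main/java/Dao.java", "line": 88,
     "abstract": "Logging bypasses the configured framework."},
]

def to_sarif(findings, tool_name="Fortify SCA"):
    """Build a SARIF 2.1.0 log: one rule per distinct category, one result per finding."""
    rules, rule_index, results = [], {}, []
    for f in findings:
        # Derive a stable rule id from the category; GitHub groups alerts by ruleId.
        rule_id = f["category"].replace(" ", "_").replace(":", "")
        if rule_id not in rule_index:
            rule_index[rule_id] = len(rules)
            rules.append({"id": rule_id, "name": f["category"],
                          "shortDescription": {"text": f["category"]}})
        results.append({
            "ruleId": rule_id,
            "ruleIndex": rule_index[rule_id],
            "level": LEVEL_BY_PRIORITY.get(f["priority"], "warning"),
            "message": {"text": f["abstract"]},
            # %SRCROOT% tells GitHub the uri is relative to the repository root.
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]}}}],
        })
    return {"$schema": SARIF_SCHEMA, "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}},
                      "results": results}]}

if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_FINDINGS), indent=2))
```

The resulting JSON is what a workflow would hand to the github/codeql-action/upload-sarif action (or the REST upload endpoint) to populate the dashboard.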