Integrate with a CI/CD pipeline
FortiCNAPP Code Security is consolidating its integrations into a single pre-built image that supports every form of scanning through one workflow. Until that is complete, IaC scanning is supported for a handful of CI/CD pipeline services, while the scans controlled by the SCA CLI component (SCA, SAST, secrets detection, and so on) can be embedded into any pipeline.
For IaC scanning, select one of the supported providers for a guided tutorial on embedding IaC scanning into that pipeline. For SCA, SAST, and secrets detection, the tutorials are general guidance; the CLI is designed to be flexible enough for other deployments as well.
Your source code is never uploaded or transferred to the FortiCNAPP servers or platform.
Any data that is transferred, such as metadata, scan results, or logs, is clearly specified. The data that may be transferred depends on the scan type:
- IaC scans:
  - A full assessment file in JSON format.
  - An IaC findings subset file in JSON format.
- SCA and SAST scans:
  - Four variants of finding files in different JSON formats.
  - A billing metadata file with committer data for a particular repository.
This section includes the following topics: