22.2.0

Manual Application Scanning

This tutorial walks through running a security scan of your application manually, from the root of your source code, using the CLI terminal. Ensure that the prerequisites are met; see section Scanning an Application for more details.

Adding a New Application

Log in to the FortiDevSec portal and add a new application for your organization.

  1. Click on the New Application tab and enter the application name.
  2. Click Next. The App Setup information is displayed; copy the Application UUID and Org ID, since both are required in the configuration file.

You can optionally configure the risk ratings for your application. See section Adding a New Application for detailed procedure.

Writing the fdevsec.yaml

Add the fdevsec.yaml file to the root folder of your source code. This tutorial uses only the mandatory parameters in the configuration file; you can add optional (advanced) parameters to make your scan more precise.

The App ID and the Org ID are the only mandatory parameters.

version: v1
id:
  org: 6a4d32db-6751-441a-88fe-9b4793717cde
  app: aa8a393b-afc6-47d7-84d2-b7011f1d0012

The application languages are automatically detected and FortiDevSec runs the appropriate scans, namely, SAST, SCA, and Secret.

See section Configuring the Scanner (fdevsec.yaml) for detailed procedure.

Running the Scan

Navigate to the root folder of the source code and run this command.

docker run --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest

The command above bind-mounts the current directory into the scanner container at /scan, so it must be run from the folder that contains fdevsec.yaml. Use the SAST command for a static source scan and the DAST command for a dynamic application scan. See section Running the Security Scan for detailed procedure.
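The two steps above (writing fdevsec.yaml and launching the scanner) are easy to get subtly wrong: an unindented org/app line or a stray character on the image tag makes the scan fail or silently scan nothing. The following POSIX sh helper is an added example, not Fortinet's code or part of the FortiDevSec product. It takes the Org ID and Application UUID copied from the App Setup page, checks that both look like UUIDs, writes fdevsec.yaml in the nested layout shown above, and builds the exact SAST command from this tutorial. The function and variable names are the author's own; the UUID values in the usage line are the sample IDs from this tutorial.

```shell
#!/bin/sh
# Added example, not part of the FortiDevSec tutorial or product.
# Assumes POSIX sh, grep, and (for run_scan only) a working docker CLI.

# Return 0 if the argument is an 8-4-4-4-12 hex UUID, else 1.
is_uuid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Write fdevsec.yaml with org ($1) and app ($2) nested under "id:", which is
# the layout the tutorial uses. $3 is the output path (default: ./fdevsec.yaml).
# Refuses to write anything if either ID is not a UUID, so a typo is caught
# before the scanner container ever starts.
write_fdevsec_yaml() {
  org="$1"; app="$2"; out="${3:-fdevsec.yaml}"
  is_uuid "$org" || { echo "org ID is not a UUID: $org" >&2; return 1; }
  is_uuid "$app" || { echo "app ID is not a UUID: $app" >&2; return 1; }
  printf 'version: v1\nid:\n  org: %s\n  app: %s\n' "$org" "$app" > "$out"
}

# Print the scan command from the tutorial without running it, so it can be
# reviewed or pasted into a CI script. Only the SAST image is shown on this
# page; the DAST image name is documented in Running the Security Scan.
scan_command() {
  printf 'docker run --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest\n'
}

# Run the SAST scan against the current directory. Checks that fdevsec.yaml is
# present here first, because the bind mount only exposes $PWD to the scanner.
run_scan() {
  [ -f fdevsec.yaml ] || { echo "fdevsec.yaml not found in $PWD" >&2; return 1; }
  docker run --rm --mount type=bind,source="$PWD",target=/scan \
    registry.fortidevsec.forticloud.com/fdevsec_sast:latest
}

# Usage (sample IDs taken from this tutorial):
#   write_fdevsec_yaml 6a4d32db-6751-441a-88fe-9b4793717cde \
#                      aa8a393b-afc6-47d7-84d2-b7011f1d0012 && run_scan
```

Source the file (`. ./fdevsec-helper.sh`, a name assumed here) from the root of your source tree, then call write_fdevsec_yaml with your own IDs followed by run_scan. Keeping the ID check separate from the docker invocation means a bad fdevsec.yaml is rejected locally instead of producing a failed or empty scan in the portal.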

Viewing the Scan Result

The dashboard of the FortiDevSec portal lists your applications. Click on your application to view and analyze comprehensive details of the detected vulnerabilities.

See section Viewing the Scan Result for more details.