From ee7655d9ffa41bf71a640d615361bae91e0ebe12 Mon Sep 17 00:00:00 2001
From: "Kevin A. Lee" <4321872+kadraman@users.noreply.github.com>
Date: Thu, 26 Feb 2026 16:11:59 +0000
Subject: [PATCH 1/2] Update FoD pipeline to use "fcli action run ci" [skip ci]
---
.../azure-pipelines-fortify-sast-fod.yml | 70 +++++++++++++++----
1 file changed, 58 insertions(+), 12 deletions(-)
diff --git a/devops-integrations/azure/azure-pipelines-fortify-sast-fod.yml b/devops-integrations/azure/azure-pipelines-fortify-sast-fod.yml
index 02799695..70efc96a 100644
--- a/devops-integrations/azure/azure-pipelines-fortify-sast-fod.yml
+++ b/devops-integrations/azure/azure-pipelines-fortify-sast-fod.yml
@@ -4,6 +4,14 @@ # # The following task parameter must be defined # - ReleaseId +# +# The following pipeline variables must be defined: +# - FOD_URL +# - FOD_CLIENT_ID +# - FOD_CLIENT_SECRET +# - FOD_RELEASE +# - FOD_PARENT_RELEASE +# - FOD_DEFAULT_OWNER trigger: - main
@@ -12,6 +20,9 @@ pool: vmImage: ubuntu-latest steps: +- checkout: self + persistCredentials: "true" + clean: "true" - task: Maven@3 inputs: mavenPomFile: 'pom.xml' 
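Review bot: `persistCredentials: "true"` on the new checkout step keeps the job's access token in the checked-out repo's git config for every later step (per the Azure DevOps checkout docs), yet no step visible in this patch pushes, fetches or tags with git after checkout, so the token is exposed to the later `npx` and `fcli` steps without a visible need. Unless the FoD CI action requires it for PR commenting — not verifiable from this hunk — drop the option, or document the reason inline: `# persistCredentials: needed only if a later step must authenticate to the repo`. The other booleans in this file are bare `true`, so `persistCredentials: true` / `clean: true` would also match the file's style.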
@@ -24,16 +35,51 @@ steps: mavenAuthenticateFeed: false effectivePomSkip: false sonarQubeRunAnalysis: false -- task: FortifyOnDemandStatic@8 +#- task: FortifyOnDemandStatic@8 +# inputs: +# FortifyProjects: '$(Build.Repository.LocalPath)' +# FodConnection: 'FoD_AMS' # create Azure DevOps Service connection with name FoD_AMS +# ReleaseOptions: '0' +# ReleaseId: 00000 # update FoD RELEASE ID +# EntitlementSelection: '1' +# EntitlementPreference: '2' +# OverrideScanSettings: '2' +# InProgressScanActionType: '0' +# RemediationScanPreference: '2' +# BuildType: 'mvn' +# PolicyFailAction: '0' +- task: Bash@3 + displayName: 'Install Fortify CLI via @fortify/setup' + inputs: + targetType: 'inline' + script: | + npx @fortify/setup bootstrap-config + npx @fortify/setup env init --tools=fcli:auto,sc-client:auto + npx @fortify/setup env ado +- task: Bash@3 + displayName: 'Run FoD CI Scan' inputs: - FortifyProjects: '$(Build.Repository.LocalPath)' - FodConnection: 'FoD_AMS' # create Azure DevOps Service connection with name FoD_AMS - ReleaseOptions: '0' - ReleaseId: 00000 # update FoD RELEASE ID - EntitlementSelection: '1' - EntitlementPreference: '2' - OverrideScanSettings: '2' - InProgressScanActionType: '0' - RemediationScanPreference: '2' - BuildType: 'mvn' - PolicyFailAction: '0' + targetType: 'inline' + script: | + set -euo pipefail + echo "Running FoD CI Scan for release: ${FOD_RELEASE:-}" + fcli action run ci + env: + FOD_URL: $(FOD_URL) + FOD_CLIENT_ID: $(FOD_CLIENT_ID) + FOD_CLIENT_SECRET: $(FOD_CLIENT_SECRET) + FOD_RELEASE: "$(FOD_RELEASE)" + COPY_FROM_RELEASE: "$(FOD_PARENT_RELEASE)" + SAST_ASSESSMENT_TYPE: "Static Assessment" + SETUP_EXTRA_OPTS: '--sdlc-status Development --app-owner "$(FOD_DEFAULT_OWNER)"' + #PACKAGE_EXTRA_OPTS: "" + DO_SETUP: true + DO_SAST_SCAN: true + DO_AVIATOR_AUDIT: true + DO_SCA_SCAN: true + DO_WAIT: true + SAST_WAIT_EXTRA_OPTS: --timeout 2h + DO_POLICY_CHECK: true + DO_JOB_SUMMARY: true + DO_PR_COMMENT: true + DO_EXPORT: true \ No newline at 
end of file
From 7f0c5e4f981b60894d4d2c016dae59cc2bf3f959 Mon Sep 17 00:00:00 2001
From: kadraman
Date: Fri, 27 Feb 2026 17:27:00 +0000
Subject: [PATCH 2/2] chore: updated after PR review
---
.../azure-pipelines-fortify-sast-fod.yml | 161 +++++++++---------
1 file changed, 78 insertions(+), 83 deletions(-)
diff --git a/devops-integrations/azure/azure-pipelines-fortify-sast-fod.yml b/devops-integrations/azure/azure-pipelines-fortify-sast-fod.yml
index 70efc96a..9f4b3724 100644
--- a/devops-integrations/azure/azure-pipelines-fortify-sast-fod.yml
+++ b/devops-integrations/azure/azure-pipelines-fortify-sast-fod.yml
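Review bot: The new install step runs `npx @fortify/setup` with no version selector, so each pipeline run downloads and executes whatever is currently published under that package name, on an agent that already holds the checkout (including the token persisted by `persistCredentials`); pin an exact version, e.g. `npx @fortify/setup@<x.y.z> env init --tools=fcli:auto,sc-client:auto`, so the executed code is reviewable and reproducible. The install script also lacks `set -euo pipefail`, unlike the scan step below it, so a failure of `bootstrap-config` or `env init` is masked by the exit status of the final `env ado` call; add `set -euo pipefail` as its first line. The commented-out `FortifyOnDemandStatic@8` block repeats the removed lines beneath it and is dead configuration that should be deleted rather than kept. `DO_AVIATOR_AUDIT: true` enables an AI audit of the scan results by default; confirm that is intended for a template since the data leaves the scan itself.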
@@ -1,85 +1,80 @@ -# Integrate Fortify on Demand Static AppSec Testing (SAST) into your Azure DevOps pipeline -# The following service connection must be establish before using this job -# - FoD_AMS -# -# The following task parameter must be defined -# - ReleaseId -# -# The following pipeline variables must be defined: -# - FOD_URL -# - FOD_CLIENT_ID -# - FOD_CLIENT_SECRET -# - FOD_RELEASE -# - FOD_PARENT_RELEASE -# - FOD_DEFAULT_OWNER +# Integrate Fortify on Demand Static AppSec Testing (SAST) into your Azure DevOps pipeline +# The following pipeline variables must be defined before using SAST stage: +# - $FOD_URL +# - $FOD_CLIENT_ID +# - $FOD_CLIENT_SECRET +# The following pipeline variables are optional and can be defined to enable additional features: +# - $FOD_RELEASE +# - $FOD_PARENT_RELEASE +# - $FOD_DEFAULT_OWNER +# For more information on using Fortify on Demand SAST in Azure DevOps, see the documentation: +# https://fortify.github.io/fcli/v3/ci/ado/script/ast-workflow-fod.html -trigger: -- main - -pool: - vmImage: ubuntu-latest -steps: -- checkout: self - persistCredentials: "true" - clean: "true" -- task: Maven@3 - inputs: - mavenPomFile: 'pom.xml' - publishJUnitResults: true - testResultsFiles: '**/surefire-reports/TEST-*.xml' - javaHomeOption: 'JDKVersion' - jdkVersionOption: '1.11' - mavenVersionOption: 'Default' - mavenOptions: '-Xmx3072m' - mavenAuthenticateFeed: false - effectivePomSkip: false - sonarQubeRunAnalysis: false -#- task: FortifyOnDemandStatic@8 -# inputs: -# FortifyProjects: '$(Build.Repository.LocalPath)' -# FodConnection: 'FoD_AMS' # create Azure DevOps Service connection with name FoD_AMS -# ReleaseOptions: '0' -# ReleaseId: 00000 # update FoD RELEASE ID -# EntitlementSelection: '1' -# EntitlementPreference: '2' -# OverrideScanSettings: '2' -# InProgressScanActionType: '0' -# RemediationScanPreference: '2' -# BuildType: 'mvn' -# PolicyFailAction: '0' -- task: Bash@3 - displayName: 'Install Fortify CLI via @fortify/setup' - inputs: - 
targetType: 'inline' - script: | - npx @fortify/setup bootstrap-config - npx @fortify/setup env init --tools=fcli:auto,sc-client:auto - npx @fortify/setup env ado -- task: Bash@3 - displayName: 'Run FoD CI Scan' - inputs: - targetType: 'inline' - script: | - set -euo pipefail - echo "Running FoD CI Scan for release: ${FOD_RELEASE:-}" - fcli action run ci - env: - FOD_URL: $(FOD_URL) - FOD_CLIENT_ID: $(FOD_CLIENT_ID) - FOD_CLIENT_SECRET: $(FOD_CLIENT_SECRET) - FOD_RELEASE: "$(FOD_RELEASE)" - COPY_FROM_RELEASE: "$(FOD_PARENT_RELEASE)" - SAST_ASSESSMENT_TYPE: "Static Assessment" - SETUP_EXTRA_OPTS: '--sdlc-status Development --app-owner "$(FOD_DEFAULT_OWNER)"' - #PACKAGE_EXTRA_OPTS: "" - DO_SETUP: true - DO_SAST_SCAN: true - DO_AVIATOR_AUDIT: true - DO_SCA_SCAN: true - DO_WAIT: true - SAST_WAIT_EXTRA_OPTS: --timeout 2h - DO_POLICY_CHECK: true - DO_JOB_SUMMARY: true - DO_PR_COMMENT: true - DO_EXPORT: true \ No newline at end of file +trigger: +- none +stages: +- stage: Build + jobs: + - job: Build + displayName: Building IWA Project + pool: + vmImage: ubuntu-latest + steps: + - task: Maven@3 + inputs: + mavenPomFile: 'pom.xml' + mavenOptions: '-Xmx3072m' + javaHomeOption: 'JDKVersion' + jdkVersionOption: '1.17' + jdkArchitectureOption: 'x64' + publishJUnitResults: true + testResultsFiles: '**/surefire-reports/TEST-*.xml' + goals: 'package' + - job: SAST + displayName: Fortify SAST + dependsOn: + - Build + pool: + vmImage: 'ubuntu-latest' + steps: + - checkout: self + persistCredentials: "true" + clean: "true" + - task: Bash@3 + displayName: 'Install Fortify CLI via @fortify/setup' + inputs: + targetType: 'inline' + script: | + npx @fortify/setup@v2 env init --tools=fcli:bootstrapped + npx @fortify/setup@v2 env ado + - task: Bash@3 + displayName: 'Run Fortify on Demand SAST CI Scan' + inputs: + targetType: 'inline' + script: | + set -euo pipefail + fcli action run ci + env: + FOD_URL: $(FOD_URL) + FOD_CLIENT_ID: $(FOD_CLIENT_ID) + FOD_CLIENT_SECRET: $(FOD_CLIENT_SECRET) 
+ # FOD_RELEASE is optional, defaults to /: + #FOD_RELEASE: "$(FOD_RELEASE)" + # Uncomment the following line to copy from an existing release + #COPY_FROM_RELEASE: "$(FOD_PARENT_RELEASE)" + # Uncomment to set the default Static Assessment type when a new release is created + #SAST_ASSESSMENT_TYPE: "Static Assessment" + # Example of setting extra options for when creating a new release + #SETUP_EXTRA_OPTS: '--sdlc-status Development --app-owner "$(FOD_DEFAULT_OWNER)"' + DO_SETUP: true + DO_SAST_SCAN: true + # Uncomment to enable Aviator AI audit and remedation + #DO_AVIATOR_AUDIT: true + #SAST_WAIT_EXTRA_OPTS: --timeout 2h + DO_SCA_SCAN: true + DO_WAIT: true + DO_POLICY_CHECK: true + DO_JOB_SUMMARY: true + DO_PR_COMMENT: true + DO_EXPORT: true \ No newline at end of file
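Review bot: The install step still uses a floating `npx @fortify/setup@v2` selector and has no `set -euo pipefail`, so a new v2 release changes what executes on the agent without any change to this file, and a failed `env init` is masked by the exit status of the following `env ado` call; pin an exact version and fail fast: `set -euo pipefail`, `npx @fortify/setup@<x.y.z> env init --tools=fcli:bootstrapped`, `npx @fortify/setup@<x.y.z> env ado`. The header lists `FOD_CLIENT_SECRET` as required but not that it must be a secret variable (or a Key Vault-backed variable group) — passing it through `env:` as done here is the right mechanism, but a non-secret variable is not masked in logs; add `# FOD_CLIENT_SECRET must be defined as a secret variable, never in plain YAML` to the header. `DO_PR_COMMENT: true` is enabled while no `SYSTEM_ACCESSTOKEN: $(System.AccessToken)` is mapped into the step's `env:`; if the action's ADO PR comment relies on the job token (not verifiable here — check the linked docs), the mapping is needed and the build service identity needs Contribute-to-pull-requests permission. The SAST job also retains `persistCredentials: "true"` with no visible git operation after checkout, and the file still ends without a trailing newline.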