From 20171eea453f5cfaf205b3a7fc330a5fecae7e76 Mon Sep 17 00:00:00 2001
From: Mike Snowden <5297545+MikeTheSnowman@users.noreply.github.com>
Date: Thu, 24 Jul 2025 09:11:12 +1000
Subject: [PATCH] Add Fortify security scanning to CI/CD pipeline

---
 .github/workflows/ci.yml | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d961eae243..4c1208bbf5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -461,4 +461,23 @@ jobs:
           git add .
           git commit -m "Update documentation for ${{ needs.build.outputs.release_tag }}"
           git push
-
\ No newline at end of file
+
+  fortify_scan:
+    name: Fortify Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Fortify on Demand SAST & SCA Scan
+        uses: fortify/github-action@v2
+        with:
+          sast-scan: true # Enables Fortify's native SAST and SCA. Chosen to satisfy 'sca:true' despite 'sast:false' as no separate SCA-only parameter is available.
+          debricked-sca-scan: false # As per Debricked SCA: Disabled
+        env:
+          FOD_URL: https://ams.fortify.com
+          FOD_TENANT: FranklinBank24
+          FOD_PAT: ${{ secrets.FOD_PAT }}
+          FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }}
+          FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }}
+          FOD_PASSWORD: ${{ secrets.FOD_PAT }} # Included as per example, using FOD_PAT secret
\ No newline at end of file
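Review bot: The `env` block of the Fortify step hands the same PAT to the action twice (`FOD_PAT` and `FOD_PASSWORD: ${{ secrets.FOD_PAT }}`) on top of the `FOD_CLIENT_ID`/`FOD_CLIENT_SECRET` pair, and the "Included as per example" comment indicates it was not settled which credential the action actually consumes; keep only the one authentication mechanism the action documents and remove the others, so that a single secret rather than three is exposed to a third-party action's process environment. The comment on `sast-scan: true` contradicts itself ("to satisfy 'sca:true' despite 'sast:false'") and should state the real intent, e.g. `sast-scan: true  # Fortify's native SAST+SCA; Debricked SCA is intentionally disabled below`. Because this step receives credentials, pin `fortify/github-action@v2` (and `actions/checkout@v4`) to a full commit SHA instead of a mutable tag, and give the new job an explicit least-privilege `permissions:` block such as `permissions: contents: read` unless the workflow's top level, which is outside this hunk, already sets one. The `jobs:` mapping this job is added to starts outside the hunk, so I cannot see the workflow triggers; if they include pull requests from forks, repository secrets will be empty there and the scan step will fail, which is worth gating with a condition on the job.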