- Do not embed API tokens in source code (even in a private repository): tokens in code can be exposed accidentally. Store tokens in environment variables or use a key management system.
- Never store API tokens (keys) or other secrets in clear text in CI/CD configuration files or any other configuration file.
- Use a password manager, and rotate tokens at fixed intervals.
- Follow role-based access management; one option to consider is segmenting secrets by access level.
- Ensure your CI/CD pipelines do not inadvertently pass API keys to builds triggered by pull requests.
- Practice least privilege: grant access only to the API keys a task requires. Least privilege limits the impact of a compromised API key. To support a "least-privileged token", token types are divided according to the token's purpose.
- Whatever capabilities a token type defines, a token is further restricted by its owner's roles and permissions.
| Token type | Max usages | Max days to live | Purpose |
|---|---|---|---|
| AnalysisDownloadToken | Unlimited | 90 | Multi-use token for authenticating to Software Security Center (SSC) when a user wants to programmatically download a Fortify project report (FPR) and list all application versions associated with the user. |
| AnalysisUploadToken | Unlimited | 90 | Multi-use token for authenticating to SSC when a user wants to programmatically upload an FPR to an application version (for multiple uploads) and list all application versions associated with the user. |
| AuditToken | Unlimited | 90 | Multi-use token for authenticating to SSC when a user wants to programmatically review issues and perform audit actions. |
| CIToken | Unlimited | 365 | Multi-use token designed for the Fortify continuous integration plugins, which automatically upload an FPR to SSC as part of the build process and download vulnerability statistics for the application version being built. |
| PurgeProjectVersionToken | Unlimited | 1 | Multi-use token that can programmatically request a list of all application versions and purge application versions from SSC. |
| ReportFileTransferToken | 1 | 1 | Single-use token that is not usually created manually. Automation scripts should create it programmatically via the /fileTokens endpoint to support downloading an existing report within an authenticated session. |
| ReportToken | Unlimited | 90 | Multi-use token that can programmatically retrieve existing reports, generate new reports, and delete existing reports. |
| ScanCentralCtrlToken | Unlimited | 90 | Used with the Fortify ScanCentral CLI tools. See the Fortify ScanCentral documentation for further information on its use. |
| ToolsConnectToken | Unlimited | 90 | Used with the Fortify Static Code Analyzer applications (including Audit Workbench, IDE plugins, and utilities) that connect to SSC for collaborative auditing, remediation, and uploading of scan results. |
| UnifiedLoginToken | Unlimited | 1 | Grants access to most of the REST API endpoints. Intended for short-running automation lasting less than a day. |