From 803c661a607a5c4ef3452f8c0ed1d2dc12600e4f Mon Sep 17 00:00:00 2001
From: Ruud Senden <8635138+rsenden@users.noreply.github.com>
Date: Tue, 4 Jun 2024 07:54:33 +0200
Subject: [PATCH] feat: Add ability to run and import Debricked scans into SSC
 (closes #41)

---
 README.md                                     | 49 +++++++++++++++----
 action.yml                                    | 10 +++-
 doc-resources/env-sc-sast-login.md            |  2 -
 doc-resources/env-sc-sast-scan.md             |  9 ++++
 doc-resources/env-ssc-login.md                |  2 -
 doc-resources/repo-readme.md                  |  5 +-
 internal/fod-login/action.yml                 |  5 +-
 internal/run-script/README.md                 | 34 +++++++++++++
 internal/run-script/action.yml                | 31 +++++++-----
 internal/run-script/js/action.yml             | 19 +++++++
 internal/run-script/js/main.js                |  3 ++
 .../run-script/{ => js}/package-lock.json     |  0
 internal/run-script/js/post.js                |  3 ++
 internal/run-script/js/util.js                | 12 +++++
 internal/run-script/main.js                   | 22 ---------
 .../scripts/common.sh}                        | 11 ++---
 .../scripts}/fod-login.sh                     | 14 ++----
 internal/run-script/scripts/fod-logout.sh     |  8 +++
 .../scripts/sc-sast-and-debricked-scan.sh     | 33 +++++++++++++
 .../scripts}/sc-sast-login.sh                 | 14 ++----
 internal/run-script/scripts/sc-sast-logout.sh |  8 +++
 .../scripts}/ssc-login.sh                     | 14 ++----
 .../scripts}/ssc-logout.sh                    | 14 ++----
 internal/sc-sast-login/action.yml             |  5 +-
 internal/sc-sast-login/sc-sast-logout.sh      | 16 ------
 internal/ssc-login/action.yml                 |  5 +-
 sc-sast-scan/README.md                        | 22 +++++++--
 sc-sast-scan/action.yml                       | 12 ++---
 28 files changed, 246 insertions(+), 136 deletions(-)
 create mode 100644 internal/run-script/README.md
 create mode 100644 internal/run-script/js/action.yml
 create mode 100644 internal/run-script/js/main.js
 rename internal/run-script/{ => js}/package-lock.json (100%)
 create mode 100644 internal/run-script/js/post.js
 create mode 100644 internal/run-script/js/util.js
 delete mode 100644 internal/run-script/main.js
 rename internal/{fod-login/fod-logout.sh => run-script/scripts/common.sh} (52%)
 mode change 100755 => 100644
 rename internal/{fod-login => run-script/scripts}/fod-login.sh (64%)
 create mode 100755 internal/run-script/scripts/fod-logout.sh
 create mode 100755 internal/run-script/scripts/sc-sast-and-debricked-scan.sh
 rename internal/{sc-sast-login => run-script/scripts}/sc-sast-login.sh (50%)
 create mode 100755 internal/run-script/scripts/sc-sast-logout.sh
 rename internal/{ssc-login => run-script/scripts}/ssc-login.sh (58%)
 rename internal/{ssc-login => run-script/scripts}/ssc-logout.sh (58%)
 delete mode 100755 internal/sc-sast-login/sc-sast-logout.sh

diff --git a/README.md b/README.md
index 96075d0..77281c9 100644
--- a/README.md
+++ b/README.md
@@ -65,7 +65,10 @@ This action assumes the standard software packages as provided by GitHub-hosted
 **`sast-scan`** - OPTIONAL    
 When set to true, the action will run a SAST scan on either Fortify on Demand (if the `FOD_URL` environment variable has been specified), or on ScanCentral SAST (if the `SSC_URL` environment variable has been specified). This includes packaging the source code, running the scan, and optionally reporting SAST scan results back into GitHub. 
 
-If not specified or when set to false, no SAST scan will be performed. For now, this means that the action will complete without doing any work. Future versions of this action may provide additional inputs, for example allowing you to run a dynamic application security testing (DAST) scan instead of a SAST scan.
+If not specified or when set to false, no SAST scan will be performed. For now, this means that the action will complete without doing any work. Future versions of this action may provide additional inputs, for example allowing you to run a dynamic application security testing (DAST) scan instead of a SAST scan, or to run a Debricked-only scan (see below).
+
+**`debricked-sca-scan`** - OPTIONAL    
+(Not applicable to Fortify on Demand) When set to true, the action will run a Debricked Software Composition Analysis (SCA) scan. This is only effective when `sast-scan` is also set to `true` and the `SSC_URL` environment variable has been specified, in which case both a ScanCentral SAST scan and Debricked scan will be performed and published to SSC.
 
 ### Action environment variable inputs
 
@@ -158,10 +161,6 @@ This environment variable allows for overriding the default tool definitions, po
 <!-- START-INCLUDE:env-sc-sast-scan.md -->
 
 
-
-<!-- START-INCLUDE:env-sc-sast-login.md -->
-
-
 <!-- START-INCLUDE:env-ssc-connection.md -->
 
 **`SSC_URL`** - REQUIRED   
@@ -176,6 +175,18 @@ Required when authenticating with SSC user credentials.
 <!-- END-INCLUDE:env-ssc-connection.md -->
 
 
+
+<!-- START-INCLUDE:env-ssc-login.md -->
+
+**`EXTRA_SSC_LOGIN_OPTS`** - OPTIONAL    
+Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli ssc session login` documentation](https://fortify.github.io/fcli/v2.3.0//manpage/fcli-ssc-session-login.html).
+
+<!-- END-INCLUDE:env-ssc-login.md -->
+
+
+
+<!-- START-INCLUDE:env-sc-sast-login.md -->
+
 **`SC_SAST_TOKEN`** - REQUIRED    
 Required: ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller.
 
@@ -185,6 +196,12 @@ Extra ScanCentral SAST login options, for example for disabling SSL checks or ch
 <!-- END-INCLUDE:env-sc-sast-login.md -->
 
 
+**`DO_DEBRICKED_SCAN`** - OPTIONAL    
+If set to `true`, this action will run both ScanCentral SAST and Debricked Software Composition Analysis (SCA) scans and publish both results to SSC. This is equivalent to setting the `debricked-sca-scan` input on the top-level `fortify/github-action` action.
+
+**`DEBRICKED_TOKEN`** - REQUIRED*       
+Required when performing a Debricked Software Composition Analysis scan; see the [Generate access token](https://docs.debricked.com/product/administration/generate-access-token) section in the Debricked documentation for details on how to generate this token.
+
 
 <!-- START-INCLUDE:env-ssc-appversion.md -->
 
@@ -742,10 +759,6 @@ This action assumes the standard software packages as provided by GitHub-hosted
 <!-- START-INCLUDE:env-sc-sast-scan.md -->
 
 
-
-<!-- START-INCLUDE:env-sc-sast-login.md -->
-
-
 <!-- START-INCLUDE:env-ssc-connection.md -->
 
 **`SSC_URL`** - REQUIRED   
@@ -760,6 +773,18 @@ Required when authenticating with SSC user credentials.
 <!-- END-INCLUDE:env-ssc-connection.md -->
 
 
+
+<!-- START-INCLUDE:env-ssc-login.md -->
+
+**`EXTRA_SSC_LOGIN_OPTS`** - OPTIONAL    
+Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli ssc session login` documentation](https://fortify.github.io/fcli/v2.3.0//manpage/fcli-ssc-session-login.html).
+
+<!-- END-INCLUDE:env-ssc-login.md -->
+
+
+
+<!-- START-INCLUDE:env-sc-sast-login.md -->
+
 **`SC_SAST_TOKEN`** - REQUIRED    
 Required: ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller.
 
@@ -769,6 +794,12 @@ Extra ScanCentral SAST login options, for example for disabling SSL checks or ch
 <!-- END-INCLUDE:env-sc-sast-login.md -->
 
 
+**`DO_DEBRICKED_SCAN`** - OPTIONAL    
+If set to `true`, this action will run both ScanCentral SAST and Debricked Software Composition Analysis (SCA) scans and publish both results to SSC. This is equivalent to setting the `debricked-sca-scan` input on the top-level `fortify/github-action` action.
+
+**`DEBRICKED_TOKEN`** - REQUIRED*       
+Required when performing a Debricked Software Composition Analysis scan; see the [Generate access token](https://docs.debricked.com/product/administration/generate-access-token) section in the Debricked documentation for details on how to generate this token.
+
 
 <!-- START-INCLUDE:env-ssc-appversion.md -->
 
diff --git a/action.yml b/action.yml
index 038a169..ae118d4 100644
--- a/action.yml
+++ b/action.yml
@@ -6,13 +6,19 @@ inputs:
     description: 'Run a SAST scan, takes either true or false (default)'
     default: 'false'
     required: false
+  debricked-sca-scan:
+    description: 'Run a Debricked Software Composition Analysis, takes either true or false (default)'
+    default: 'false'
+    required: false
 runs:
   using: composite
   steps:
     - uses: fortify/github-action/fod-sast-scan@feat-1.3.0
-      if: inputs['sast-scan']=='true' && env.FOD_URL
+      if: inputs['sast-scan']=='true' && env.FOD_URL 
     - uses: fortify/github-action/sc-sast-scan@feat-1.3.0
-      if: inputs['sast-scan']=='true' && env.SSC_URL  
+      if: inputs['sast-scan']=='true' && env.SSC_URL 
+      env:
+        DO_DEBRICKED_SCAN: inputs['debricked-sca-scan']
         
 branding:
   icon: 'shield'
diff --git a/doc-resources/env-sc-sast-login.md b/doc-resources/env-sc-sast-login.md
index 527caff..3f93b91 100644
--- a/doc-resources/env-sc-sast-login.md
+++ b/doc-resources/env-sc-sast-login.md
@@ -1,5 +1,3 @@
-{{include:env-ssc-connection.md}}
-
 **`SC_SAST_TOKEN`** - REQUIRED    
 Required: ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller.
 
diff --git a/doc-resources/env-sc-sast-scan.md b/doc-resources/env-sc-sast-scan.md
index 693169d..6a6455a 100644
--- a/doc-resources/env-sc-sast-scan.md
+++ b/doc-resources/env-sc-sast-scan.md
@@ -1,6 +1,15 @@
+{{include:env-ssc-connection.md}}
+
+{{include:env-ssc-login.md}}
 
 {{include:env-sc-sast-login.md}}
 
+**`DO_DEBRICKED_SCAN`** - OPTIONAL    
+If set to `true`, this action will run both ScanCentral SAST and Debricked Software Composition Analysis (SCA) scans and publish both results to SSC. This is equivalent to setting the `debricked-sca-scan` input on the top-level `fortify/github-action` action.
+
+**`DEBRICKED_TOKEN`** - REQUIRED*       
+Required when performing a Debricked Software Composition Analysis scan; see the [Generate access token](https://docs.debricked.com/product/administration/generate-access-token) section in the Debricked documentation for details on how to generate this token.
+
 {{include:env-ssc-appversion.md}}
 
 {{include:env-package.md}}
diff --git a/doc-resources/env-ssc-login.md b/doc-resources/env-ssc-login.md
index f93dba5..89e4eea 100644
--- a/doc-resources/env-ssc-login.md
+++ b/doc-resources/env-ssc-login.md
@@ -1,4 +1,2 @@
-{{include:env-ssc-connection.md}}
-
 **`EXTRA_SSC_LOGIN_OPTS`** - OPTIONAL    
 Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli ssc session login` documentation]({{var:fcli-doc-base-url}}/manpage/fcli-ssc-session-login.html).
\ No newline at end of file
diff --git a/doc-resources/repo-readme.md b/doc-resources/repo-readme.md
index 6d42ae9..63c1322 100644
--- a/doc-resources/repo-readme.md
+++ b/doc-resources/repo-readme.md
@@ -39,7 +39,10 @@ The primary `fortify/github-action` action currently allows for running SAST sca
 **`sast-scan`** - OPTIONAL    
 When set to true, the action will run a SAST scan on either Fortify on Demand (if the `FOD_URL` environment variable has been specified), or on ScanCentral SAST (if the `SSC_URL` environment variable has been specified). This includes packaging the source code, running the scan, and optionally reporting SAST scan results back into GitHub. 
 
-If not specified or when set to false, no SAST scan will be performed. For now, this means that the action will complete without doing any work. Future versions of this action may provide additional inputs, for example allowing you to run a dynamic application security testing (DAST) scan instead of a SAST scan.
+If not specified or when set to false, no SAST scan will be performed. For now, this means that the action will complete without doing any work. Future versions of this action may provide additional inputs, for example allowing you to run a dynamic application security testing (DAST) scan instead of a SAST scan, or to run a Debricked-only scan (see below).
+
+**`debricked-sca-scan`** - OPTIONAL    
+(Not applicable to Fortify on Demand) When set to true, the action will run a Debricked Software Composition Analysis (SCA) scan. This is only effective when `sast-scan` is also set to `true` and the `SSC_URL` environment variable has been specified, in which case both a ScanCentral SAST scan and Debricked scan will be performed and published to SSC.
 
 ### Action environment variable inputs
 
diff --git a/internal/fod-login/action.yml b/internal/fod-login/action.yml
index 96282f3..fe6a9e6 100644
--- a/internal/fod-login/action.yml
+++ b/internal/fod-login/action.yml
@@ -10,9 +10,8 @@ runs:
     - uses: fortify/github-action/internal/run-script@feat-1.3.0
       if: ${{ !env._FOD_LOGGED_IN }}
       with:
-        cwd: ${{ github.action_path }}
-        script: ./fod-login.sh
-        post: ./fod-logout.sh
+        script: fod-login.sh
+        post: fod-logout.sh
           
 branding:
   icon: 'shield'
diff --git a/internal/run-script/README.md b/internal/run-script/README.md
new file mode 100644
index 0000000..751bf10
--- /dev/null
+++ b/internal/run-script/README.md
@@ -0,0 +1,34 @@
+# fortify/github-action/internal/run-script
+
+This action can run any of the scripts located in the `scripts` directory of this action, including the ability to run post-job scripts, for example to handle session logout.
+
+```yaml
+    - uses: fortify/github-action/internal/run-script@v1
+      with:
+        script: <script name>
+        post:   <post-job script name>
+```
+
+Originally, the idea was to have these scripts located in each individual action directory, for example having `ssc-login.sh` and `ssc-logout.sh` scripts located in the `internal/ssc-login` directory. However, this proved to be difficult/impossible:
+
+- As scripts need to be run using `bash` (also on Windows), we need to convert `${{github.action_path}}` (which may include drive letter and backslashes on Windows) to `bash` format; an example of how this can be done is shown in `action.yml`.
+- GitHub lazily evaluates action inputs when running the post-job actions, but doesn't re-run any steps used to generate those inputs.
+
+So, suppose we'd generate a `BASH_ACTION_PATH` environment variable that contains `${{github.action_path}}` in `bash` format, we'd expect to be able to use something like:
+
+```yaml
+    - uses: fortify/github-action/internal/run-script/js@feat-1.3.0
+      with: 
+        script: ${{ env.BASH_ACTION_PATH }}/ssc-login.sh
+        post:   ${{ env.BASH_ACTION_PATH }}/ssc-logout.sh
+```
+
+This works fine for `script:`, but the `post:` script would use whatever the value of `BASH_ACTION_PATH` is during post-job execution. So, if we'd run both `ssc-login` and `sc-sast-login` actions, the post-job action would try to run `..../internal/sc-sast-login/ssc-logout.sh`, which would fail because of the incorrect directory name.
+
+Several work-arounds were tried, but failed. Only way that this would likely work is to have the calling action pass something like a static action id, which would then be used by this action to set a `POST_<id>_SCRIPT=${{inputs.POST}}` environment variable. During post-job execution, we wouldn't look at any actual inputs, but instead just execute the script identified in the `POST_<id>_SCRIPT` environment variable.
+
+Apart from hosting the scripts together with the action that executes them, another advantage of such an id is that we can also provide out-of-the-box support for run-once actions, like the various `login` actions; this is currently handled by setting an environment variable in the `*-login.sh` and `*-logout.sh` scripts. As we may also have scripts that may need to be run multiple times, we should control this through a `run-once: true|false` input.
+
+Disadvantage, apart from slightly more complex implementation, is that each caller of this `run-script` action would also need to provide the value of `${{ github.action_path }}` as an input to this action, in order to have this action determine appropriate script location.
+
+
diff --git a/internal/run-script/action.yml b/internal/run-script/action.yml
index 144470c..f0cfc31 100644
--- a/internal/run-script/action.yml
+++ b/internal/run-script/action.yml
@@ -1,6 +1,6 @@
 name: Run a script with optional post-job cleanup
-
 description: 'Action to execute a bash script, optionally executing another script on job completion.'
+author: Fortify
 
 inputs:
   script:
@@ -9,15 +9,22 @@ inputs:
   post:
     description: 'Script to run on job completion'
     required: false
-  cwd:
-    description: 'Script working directory'
-    required: false
-  key:
-    description: 'Name of the state variable used to detect the post step.'
-    required: false
-    default: POST
-
 runs:
-  using: 'node20'
-  main: 'main.js'
-  post: 'main.js'
+  using: composite
+  steps:
+    # Define directory where scripts are located. This MUST be a static path which doesn't
+    # change during job execution, otherwise post-job scripts will fail. As such, all scripts
+    # must be in the same directory; we can't use github.action_path from the calling action.
+    # See README.md for details.
+    - run: echo "_RUN_SCRIPTS_DIR=$(pwd)/scripts" >> $GITHUB_ENV
+      shell: bash
+      working-directory: ${{ github.action_path }}
+    - uses: fortify/github-action/internal/run-script/js@feat-1.3.0
+      with: 
+        dir:    ${{ env._RUN_SCRIPTS_DIR }}
+        script: ${{ inputs.script }}
+        post:   ${{ inputs.post }}
+
+branding:
+  icon: 'shield'
+  color: 'blue'
diff --git a/internal/run-script/js/action.yml b/internal/run-script/js/action.yml
new file mode 100644
index 0000000..1eafef1
--- /dev/null
+++ b/internal/run-script/js/action.yml
@@ -0,0 +1,19 @@
+name: JavaScript action to run a script with optional post-job cleanup
+
+description: 'Action to execute a bash script, optionally executing another script on job completion. This action should not be used directly, but through internal/run-script.'
+
+inputs:
+  script:
+    description: 'Script to run'
+    required: true
+  post:
+    description: 'Script to run on job completion'
+    required: false
+  dir:
+    description: 'Directory where scripts are located, set automatically by internal/run-script action'
+    required: true
+
+runs:
+  using: 'node20'
+  main: 'main.js'
+  post: 'post.js'
diff --git a/internal/run-script/js/main.js b/internal/run-script/js/main.js
new file mode 100644
index 0000000..c2f8fa8
--- /dev/null
+++ b/internal/run-script/js/main.js
@@ -0,0 +1,3 @@
+const util = require("./util");
+
+util.run(process.env.INPUT_SCRIPT);
diff --git a/internal/run-script/package-lock.json b/internal/run-script/js/package-lock.json
similarity index 100%
rename from internal/run-script/package-lock.json
rename to internal/run-script/js/package-lock.json
diff --git a/internal/run-script/js/post.js b/internal/run-script/js/post.js
new file mode 100644
index 0000000..b394c66
--- /dev/null
+++ b/internal/run-script/js/post.js
@@ -0,0 +1,3 @@
+const util = require("./util");
+
+util.run(process.env.INPUT_POST);
diff --git a/internal/run-script/js/util.js b/internal/run-script/js/util.js
new file mode 100644
index 0000000..f502fde
--- /dev/null
+++ b/internal/run-script/js/util.js
@@ -0,0 +1,12 @@
+const { spawn } = require("child_process");
+
+exports.run = function(script) {
+  if ( script ) {
+      const scriptDir = process.env.INPUT_DIR;
+      const subprocess = spawn(`bash -c -o pipefail -v 'export UTIL_DIR=${scriptDir}; ${scriptDir}/${script}'`, 
+        { stdio: "inherit", shell: true });
+      subprocess.on("exit", (exitCode) => {
+        process.exitCode = exitCode;
+      });
+  }
+}
diff --git a/internal/run-script/main.js b/internal/run-script/main.js
deleted file mode 100644
index f6b3775..0000000
--- a/internal/run-script/main.js
+++ /dev/null
@@ -1,22 +0,0 @@
-const { spawn } = require("child_process");
-const { appendFileSync } = require("fs");
-const { EOL } = require("os");
-
-function run(script) {
-  if ( script ) {
-      const cwd = process.env.INPUT_CWD || process.cwd;
-      const subprocess = spawn(`bash -c -o pipefail -v ${script}`, { stdio: "inherit", shell: true,  cwd: cwd });
-      subprocess.on("exit", (exitCode) => {
-        process.exitCode = exitCode;
-      });
-  }
-}
-
-const key = process.env.INPUT_KEY.toUpperCase();
-
-if ( process.env[`STATE_${key}`] !== undefined ) { // Are we in the 'post' step?
-  run(process.env.INPUT_POST);
-} else { // Otherwise, this is the main step
-  appendFileSync(process.env.GITHUB_STATE, `${key}=true${EOL}`);
-  run(process.env.INPUT_SCRIPT);
-}
diff --git a/internal/fod-login/fod-logout.sh b/internal/run-script/scripts/common.sh
old mode 100755
new mode 100644
similarity index 52%
rename from internal/fod-login/fod-logout.sh
rename to internal/run-script/scripts/common.sh
index b93d33f..a033a0f
--- a/internal/fod-login/fod-logout.sh
+++ b/internal/run-script/scripts/common.sh
@@ -1,6 +1,4 @@
 #!/bin/bash
-
-### Start common code
 if [ -n "$RUNNER_DEBUG" ]; then
   set -v -x
 fi
@@ -8,9 +6,8 @@ if [ -z "$FCLI_CMD" ]; then
   echo "ERROR: fortify/github-action/setup must be run to set up fcli before running this action"
   exit 1;
 fi
-### End common code
 
-if [[ "${_FOD_LOGGED_IN}" == "true" ]]; then
-  echo '_FOD_LOGGED_IN=false' >> $GITHUB_ENV
-  ${FCLI_CMD} fod session logout || exit 1
-fi
\ No newline at end of file
+function run {
+  echo RUN: "$@"
+  "$@" 
+}
diff --git a/internal/fod-login/fod-login.sh b/internal/run-script/scripts/fod-login.sh
similarity index 64%
rename from internal/fod-login/fod-login.sh
rename to internal/run-script/scripts/fod-login.sh
index 98ee373..8b6c9c4 100755
--- a/internal/fod-login/fod-login.sh
+++ b/internal/run-script/scripts/fod-login.sh
@@ -1,14 +1,5 @@
 #!/bin/bash
-
-### Start common code
-if [ -n "$RUNNER_DEBUG" ]; then
-  set -v -x
-fi
-if [ -z "$FCLI_CMD" ]; then
-  echo "ERROR: fortify/github-action/setup must be run to set up fcli before running this action"
-  exit 1;
-fi
-### End common code
+. ${UTIL_DIR}/common.sh
 
 if [ -z "$FOD_URL" ]; then
   echo "ERROR: FOD_URL environment variable must be set"; exit 1;
@@ -21,5 +12,6 @@ else
   echo "ERROR: Either FOD_CLIENT_ID and FOD_CLIENT_SECRET, or FOD_TENANT, FOD_USER and FOD_PASSWORD environment variables must be set"
   exit 1;
 fi
-${FCLI_CMD} fod session login --url "${FOD_URL}" "${_FOD_AUTH_OPTS[@]}" ${EXTRA_FOD_LOGIN_OPTS} || exit 1
+run ${FCLI_CMD} fod session login --url "${FOD_URL}" "${_FOD_AUTH_OPTS[@]}" ${EXTRA_FOD_LOGIN_OPTS} \
+  || exit 1
 echo '_FOD_LOGGED_IN=true' >> $GITHUB_ENV 
\ No newline at end of file
diff --git a/internal/run-script/scripts/fod-logout.sh b/internal/run-script/scripts/fod-logout.sh
new file mode 100755
index 0000000..405c9e2
--- /dev/null
+++ b/internal/run-script/scripts/fod-logout.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+. ${UTIL_DIR}/common.sh
+
+if [[ "${_FOD_LOGGED_IN}" == "true" ]]; then
+  echo '_FOD_LOGGED_IN=false' >> $GITHUB_ENV
+  run ${FCLI_CMD} fod session logout \
+    || exit 1
+fi
\ No newline at end of file
diff --git a/internal/run-script/scripts/sc-sast-and-debricked-scan.sh b/internal/run-script/scripts/sc-sast-and-debricked-scan.sh
new file mode 100755
index 0000000..b2dad30
--- /dev/null
+++ b/internal/run-script/scripts/sc-sast-and-debricked-scan.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+. ${UTIL_DIR}/common.sh
+
+# This script assumes that fcli and Debricked CLI have already been installed,
+# and that any necessary fcli sessions have been created.
+# TODO Check prerequisites like SSC_APPVERSION, DEBRICKED_TOKEN, ...
+
+if [ "${DO_SC_SAST_SCAN}" == "true" ]; then
+  run ${FCLI_CMD} sc-sast scan start --publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" --store sc_sast_scan ${EXTRA_SC_SAST_SCAN_OPTS} \
+    || exit 1
+fi
+if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then
+  # Debricked may return non-zero exit code on automation rule failures, in which case
+  # we still want to run subsequent steps, hence we temporarily ignore the exit code,
+  run ${DEBRICKED_CLI_CMD} scan -t "${DEBRICKED_TOKEN}" -i "Fortify GitHub Action" \
+    || FAIL_ON_EXIT=true
+  run ${FCLI_CMD} ssc artifact import-debricked --av "${SSC_APPVERSION}" --repository "${GITHUB_REPOSITORY}" --branch "${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}" -t "${DEBRICKED_TOKEN}" --store debricked_scan \
+    || exit 1
+fi
+if [ "${DO_WAIT}" == "true" ] || [ "${DO_EXPORT}" == "true" ]; then
+  if [ "${DO_SC_SAST_SCAN}" == "true" ]; then
+    run ${FCLI_CMD} sc-sast scan wait-for ::sc_sast_scan:: \
+      || exit 1
+  fi
+  if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then 
+    run ${FCLI_CMD} ssc artifact wait-for ::debricked_scan:: \
+      || exit 1
+  fi
+fi
+if [ "${FAIL_ON_EXIT}" == "true" ]; then
+  echo "Earlier failures detected"
+  exit 1
+fi
diff --git a/internal/sc-sast-login/sc-sast-login.sh b/internal/run-script/scripts/sc-sast-login.sh
similarity index 50%
rename from internal/sc-sast-login/sc-sast-login.sh
rename to internal/run-script/scripts/sc-sast-login.sh
index 65200df..dbe761f 100755
--- a/internal/sc-sast-login/sc-sast-login.sh
+++ b/internal/run-script/scripts/sc-sast-login.sh
@@ -1,14 +1,5 @@
 #!/bin/bash
-
-### Start common code
-if [ -n "$RUNNER_DEBUG" ]; then
-  set -v -x
-fi
-if [ -z "$FCLI_CMD" ]; then
-  echo "ERROR: fortify/github-action/setup must be run to set up fcli before running this action"
-  exit 1;
-fi
-### End common code
+. ${UTIL_DIR}/common.sh
 
 if [ -z "$SSC_URL" ]; then
   echo "ERROR: SSC_URL environment variable must be set"; exit 1;
@@ -19,5 +10,6 @@ fi
 if [ -z "SSC_TOKEN" ]; then
   echo "ERROR: SSC_TOKEN environment variable must be set"; exit 1;
 fi
-${FCLI_CMD} sc-sast session login --ssc-url "${SSC_URL}" -t "${SSC_TOKEN}" -c "${SC_SAST_TOKEN}" ${EXTRA_SC_SAST_LOGIN_OPTS}
+run ${FCLI_CMD} sc-sast session login --ssc-url "${SSC_URL}" -t "${SSC_TOKEN}" -c "${SC_SAST_TOKEN}" ${EXTRA_SC_SAST_LOGIN_OPTS} \
+  || exit 1
 echo '_SC_SAST_LOGGED_IN=true' >> $GITHUB_ENV 
\ No newline at end of file
diff --git a/internal/run-script/scripts/sc-sast-logout.sh b/internal/run-script/scripts/sc-sast-logout.sh
new file mode 100755
index 0000000..dea2b55
--- /dev/null
+++ b/internal/run-script/scripts/sc-sast-logout.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+. ${UTIL_DIR}/common.sh
+
+if [[ "${_SC_SAST_LOGGED_IN}" == "true" ]]; then
+  echo '_SC_SAST_LOGGED_IN=false' >> $GITHUB_ENV
+  run ${FCLI_CMD} sc-sast session logout --no-revoke-token \
+    || exit 1
+fi
\ No newline at end of file
diff --git a/internal/ssc-login/ssc-login.sh b/internal/run-script/scripts/ssc-login.sh
similarity index 58%
rename from internal/ssc-login/ssc-login.sh
rename to internal/run-script/scripts/ssc-login.sh
index 8de7917..b8b506a 100755
--- a/internal/ssc-login/ssc-login.sh
+++ b/internal/run-script/scripts/ssc-login.sh
@@ -1,14 +1,5 @@
 #!/bin/bash
-
-### Start common code
-if [ -n "$RUNNER_DEBUG" ]; then
-  set -v -x
-fi
-if [ -z "$FCLI_CMD" ]; then
-  echo "ERROR: fortify/github-action/setup must be run to set up fcli before running this action"
-  exit 1;
-fi
-### End common code
+. ${UTIL_DIR}/common.sh
 
 if [ -z "$SSC_URL" ]; then
   echo "ERROR: SSC_URL environment variable must be set"; exit 1;
@@ -20,5 +11,6 @@ elif [ -n "${SSC_USER}" -a -n "${SSC_PASSWORD}" ]; then
 else
   echo "ERROR: Either SSC_TOKEN, or SSC_USER and SSC_PASSWORD environment variables must be set"; exit 1;
 fi
-${FCLI_CMD} ssc session login --url "${SSC_URL}" "${_SSC_AUTH_OPTS[@]}" ${EXTRA_SSC_LOGIN_OPTS}
+run ${FCLI_CMD} ssc session login --url "${SSC_URL}" "${_SSC_AUTH_OPTS[@]}" ${EXTRA_SSC_LOGIN_OPTS} \
+  || exit 1
 echo '_SSC_LOGGED_IN=true' >> $GITHUB_ENV 
\ No newline at end of file
diff --git a/internal/ssc-login/ssc-logout.sh b/internal/run-script/scripts/ssc-logout.sh
similarity index 58%
rename from internal/ssc-login/ssc-logout.sh
rename to internal/run-script/scripts/ssc-logout.sh
index e2254ed..0818f46 100755
--- a/internal/ssc-login/ssc-logout.sh
+++ b/internal/run-script/scripts/ssc-logout.sh
@@ -1,14 +1,5 @@
 #!/bin/bash
-
-### Start common code
-if [ -n "$RUNNER_DEBUG" ]; then
-  set -v -x
-fi
-if [ -z "$FCLI_CMD" ]; then
-  echo "ERROR: fortify/github-action/setup must be run to set up fcli before running this action"
-  exit 1;
-fi
-### End common code
+. ${UTIL_DIR}/common.sh
 
 if [[ "${_SSC_LOGGED_IN}" == "true" ]]; then
   echo '_SSC_LOGGED_IN=false' >> $GITHUB_ENV
@@ -19,5 +10,6 @@ if [[ "${_SSC_LOGGED_IN}" == "true" ]]; then
   else
     echo "ERROR: Either SSC_TOKEN, or SSC_USER and SSC_PASSWORD environment variables must be set"; exit 1;
   fi
-  ${FCLI_CMD} ssc session logout "${_SSC_LOGOUT_OPTS[@]}" || exit 1
+  run ${FCLI_CMD} ssc session logout "${_SSC_LOGOUT_OPTS[@]}" \
+    || exit 1
 fi
\ No newline at end of file
diff --git a/internal/sc-sast-login/action.yml b/internal/sc-sast-login/action.yml
index e012961..d902cb2 100644
--- a/internal/sc-sast-login/action.yml
+++ b/internal/sc-sast-login/action.yml
@@ -14,9 +14,8 @@ runs:
     - uses: fortify/github-action/internal/run-script@feat-1.3.0
       if: ${{ !env._SC_SAST_LOGGED_IN }}
       with:
-        cwd: ${{ github.action_path }}
-        script: ./sc-sast-login.sh
-        post: ./sc-sast-logout.sh
+        script: sc-sast-login.sh
+        post: sc-sast-logout.sh
             
 branding:
   icon: 'shield'
diff --git a/internal/sc-sast-login/sc-sast-logout.sh b/internal/sc-sast-login/sc-sast-logout.sh
deleted file mode 100755
index bdf95fa..0000000
--- a/internal/sc-sast-login/sc-sast-logout.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-
-### Start common code
-if [ -n "$RUNNER_DEBUG" ]; then
-  set -v -x
-fi
-if [ -z "$FCLI_CMD" ]; then
-  echo "ERROR: fortify/github-action/setup must be run to set up fcli before running this action"
-  exit 1;
-fi
-### End common code
-
-if [[ "${_SC_SAST_LOGGED_IN}" == "true" ]]; then
-  echo '_SC_SAST_LOGGED_IN=false' >> $GITHUB_ENV
-  ${FCLI_CMD} sc-sast session logout --no-revoke-token || exit 1
-fi
\ No newline at end of file
diff --git a/internal/ssc-login/action.yml b/internal/ssc-login/action.yml
index 982c58d..013edb0 100644
--- a/internal/ssc-login/action.yml
+++ b/internal/ssc-login/action.yml
@@ -10,9 +10,8 @@ runs:
     - uses: fortify/github-action/internal/run-script@feat-1.3.0
       if: ${{ !env._SSC_LOGGED_IN }}
       with:
-        cwd: ${{ github.action_path }}
-        script: ./ssc-login.sh
-        post: ./ssc-logout.sh
+        script: ssc-login.sh
+        post: ssc-logout.sh
 branding:
   icon: 'shield'
   color: 'blue'
diff --git a/sc-sast-scan/README.md b/sc-sast-scan/README.md
index a30d8b6..1011331 100644
--- a/sc-sast-scan/README.md
+++ b/sc-sast-scan/README.md
@@ -42,10 +42,6 @@ This action assumes the standard software packages as provided by GitHub-hosted
 <!-- START-INCLUDE:env-sc-sast-scan.md -->
 
 
-
-<!-- START-INCLUDE:env-sc-sast-login.md -->
-
-
 <!-- START-INCLUDE:env-ssc-connection.md -->
 
 **`SSC_URL`** - REQUIRED   
@@ -60,6 +56,18 @@ Required when authenticating with SSC user credentials.
 <!-- END-INCLUDE:env-ssc-connection.md -->
 
 
+
+<!-- START-INCLUDE:env-ssc-login.md -->
+
+**`EXTRA_SSC_LOGIN_OPTS`** - OPTIONAL    
+Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see [`fcli ssc session login` documentation](https://fortify.github.io/fcli/v2.3.0//manpage/fcli-ssc-session-login.html).
+
+<!-- END-INCLUDE:env-ssc-login.md -->
+
+
+
+<!-- START-INCLUDE:env-sc-sast-login.md -->
+
 **`SC_SAST_TOKEN`** - REQUIRED    
 Required: ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller.
 
@@ -69,6 +77,12 @@ Extra ScanCentral SAST login options, for example for disabling SSL checks or ch
 <!-- END-INCLUDE:env-sc-sast-login.md -->
 
 
+**`DO_DEBRICKED_SCAN`** - OPTIONAL    
+If set to `true`, this action will run both ScanCentral SAST and Debricked Software Composition Analysis (SCA) scans and publish both results to SSC. This is equivalent to setting the `debricked-sca-scan` input on the top-level `fortify/github-action` action.
+
+**`DEBRICKED_TOKEN`** - REQUIRED*       
+Required when performing a Debricked Software Composition Analysis scan; see the [Generate access token](https://docs.debricked.com/product/administration/generate-access-token) section in the Debricked documentation for details on how to generate this token.
+
 
 <!-- START-INCLUDE:env-ssc-appversion.md -->
 
diff --git a/sc-sast-scan/action.yml b/sc-sast-scan/action.yml
index 00cbc83..b149a2f 100644
--- a/sc-sast-scan/action.yml
+++ b/sc-sast-scan/action.yml
@@ -8,15 +8,15 @@ runs:
       with:
         export-path: false
         fcli: action-default
+        debricked-cli: ${{ env.DO_DEBRICKED_SCAN=='true' && 'action-default' || 'skip' }}
+    - uses: fortify/github-action/internal/ssc-login@feat-1.3.0
     - uses: fortify/github-action/internal/sc-sast-login@feat-1.3.0
     - uses: fortify/github-action/package@feat-1.3.0
-    - uses: fortify/github-action/internal/run@feat-1.3.0
+    - uses: fortify/github-action/internal/run-script@feat-1.3.0
       with:
-        cmd: '"${FCLI_CMD}" sc-sast scan start --publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" --store sc_sast_scan ${EXTRA_SC_SAST_SCAN_OPTS}'
-    - uses: fortify/github-action/internal/run@feat-1.3.0
-      if: env.DO_WAIT == 'true' || env.DO_EXPORT == 'true'
-      with:
-        cmd: '"${FCLI_CMD}" sc-sast scan wait-for ::sc_sast_scan::'
+        script: sc-sast-and-debricked-scan.sh
+      env: 
+        DO_SC_SAST_SCAN: true
     - if: env.DO_EXPORT == 'true'
       uses: fortify/github-action/ssc-export@feat-1.3.0