ASP.NET MVC Bad Practices: Controller Action Not Restricted to POST - False Alarm?


I was working on some source code with Fortify on Demand and got a few of these pop-ups (C# project):

ASP.NET MVC Bad Practices: Controller Action Not Restricted to POST

 Code Flagged: public JsonResult NamesList(GetNamesForGroupsRequest request)

Above the noted line of code was a [HttpGet], not a POST.

methinks this is a false positive, again...


Solution

  • I'd suggest it probably is a false positive if you aren't modifying the data. The Fortify explanation for that states (my emphasis):

    ASP.NET MVC controller actions that modify data by writing, updating, or deleting could benefit from being restricted to accept the POST verb. This increases the difficulty of cross-site request forgery because accidental clicking of links will not cause the action to execute.

    From your method signature, it looks like you are returning data based on the request rather than modifying it, so I think in your case, it could be considered a false positive.
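As an added illustration (not code from the question or the answer), here is the contrast the Fortify rule is drawing, written for ASP.NET MVC 5 (System.Web.Mvc). Only the NamesList action and the GetNamesForGroupsRequest type come from the question; the controller name, RenameGroupRequest and the in-memory store are hypothetical.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Hypothetical request types; only GetNamesForGroupsRequest is named in the question.
public class GetNamesForGroupsRequest { public int[] GroupIds { get; set; } }
public class RenameGroupRequest { public int GroupId { get; set; } public string NewName { get; set; } }

public class GroupsController : Controller
{
    // Constructed sample data standing in for a real data store.
    private static readonly Dictionary<int, string> GroupNames = new Dictionary<int, string>
    {
        { 1, "Finance" }, { 2, "Engineering" }
    };

    // Read-only lookup: GET is the right verb, and the "not restricted to POST" finding
    // is noise here because nothing is written, updated or deleted.
    // MVC refuses to serve JSON on GET unless AllowGet is set; keep GET-served JSON
    // limited to data you are happy for any page the user visits to request.
    [HttpGet]
    public JsonResult NamesList(GetNamesForGroupsRequest request)
    {
        var names = new List<string>();
        foreach (var id in request.GroupIds ?? new int[0])
        {
            string name;
            if (GroupNames.TryGetValue(id, out name)) names.Add(name);
        }
        return Json(names, JsonRequestBehavior.AllowGet);
    }

    // State-changing action: this is what the rule is actually about.
    // [HttpPost] stops a plain link or <img> from triggering it, and
    // [ValidateAntiForgeryToken] rejects a cross-site form post that lacks
    // the token issued to this user's session.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public JsonResult Rename(RenameGroupRequest request)
    {
        if (!GroupNames.ContainsKey(request.GroupId) || string.IsNullOrWhiteSpace(request.NewName))
            return Json(new { ok = false });

        GroupNames[request.GroupId] = request.NewName.Trim();
        return Json(new { ok = true, request.GroupId });
    }
}
```

The POST side only works if the view emits the token, via @Html.AntiForgeryToken() inside the form or by sending the __RequestVerificationToken field in the AJAX body.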