Fortify ScanCentral SAST scan : how to initiate it

The Fortify Hosted SaaS solution is based on Fortify ScanCentral SAST and Fortify ScanCentral DAST architectures.

A Fortify ScanCentral SAST scan is a Fortify Hosted SaaS remote scan and it can be initiated by using:

1. Fortify CI/CD integration - plugins, extensions and templates
2. Fortify IDE Complete plugin
3. Fortify ScanCentral SAST Client CLI (payload package + scan start)
4. Fortify ScanCentral SAST Client CLI (payload package only) + Fortify CLI (scan start)

Here you find more details:

1. Fortify CI/CD integration - plugins, extensions and templates
   • Application Security Integration Ecosystem
     • AzureDevOps
       • Micro Focus Fortify - Visual Studio Marketplace
       • Fortify Azure DevOps Extension - Documentation | Micro Focus
     • Jenkins
       • Fortify | Jenkins plugin
       • Fortify Jenkins Plugin - Documentation | Micro Focus
     • GitHub
       • Fortify ScanCentral Scan · Actions · GitHub Marketplace
       • Export Fortify vulnerability data · Actions · GitHub Marketplace
     • GitLab
       • Fortify / Fortify GitLab CI Templates · GitLab
       • fortifydocker/fortify-ci-tools - Docker Image | Docker Hub
     • BitBucket
       • fortifysoftware / fortify-scan — Bitbucket
     • AWS 
       • CloudDevSecOpsTemplates/AWS
     • Google Cloud
       • CloudDevSecOpsTemplates/GCP/SAST 
     • Oracle Cloud Infrastructure (OCI) 
       • CloudDevSecOpsTemplates/OCI
2. Fortify IDE Complete plugin
   • Eclipse
     1. About Installing the Eclipse Complete Plugin (microfocus.com)- Fortify_SCA_and_Apps_XX.X.X installation file (available in the Fortify Hosted Support Hub - <sca_install_dir>/plugins/eclipse directory.
     2. About Scanning with Fortify ScanCentral SAST (microfocus.com)

        • There is another token (client_auth_token) to set up in your Fortify ScanCentral client installation.

          • Installing ScanCentral SAST Clients (microfocus.com) –  Fortify_ScanCentral_Client_XX.X.X_x64.zip (available in the Fortify Hosted Support Hub ).

          • the value of the scSastClientAuthToken (provided by the Fortify Hosted team) needs to be used as client_auth_token’s value in the Fortify_ScanCentral_Client_XX.X.X_x64\Core\config\client.properties file.

   • Visual Studio
     1. Installation (microfocus.com) -  Fortify_SCA_and_Apps_XX.X.X installation file (available in the Fortify Hosted Support Hub ).
     2. About Scanning with Fortify ScanCentral SAST (microfocus.com)
        
        • There is another token (client_auth_token) to set up in your Fortify ScanCentral client installation.

        • Installing ScanCentral SAST Clients (microfocus.com) –  Fortify_ScanCentral_Client_XX.X.X_x64.zip (available in the Fortify Hosted Support Hub ).

        • the value of the scSastClientAuthToken (provided by the Fortify Hosted team) needs to be used as client_auth_token’s value in the Fortify_ScanCentral_Client_XX.X.X_x64\Core\config\client.properties file.

   • Visual Code
     1. Fortify Extension for Visual Studio Code - Visual Studio Marketplace
        1. Installing the Fortify Extension for Visual Studio Code (microfocus.com)
     2. Performing an Analysis Remotely with Fortify ScanCentral SAST (microfocus.com)

        • There is another token (client_auth_token) to set up in your Fortify ScanCentral client installation.

          • Installing ScanCentral SAST Clients (microfocus.com) –  Fortify_ScanCentral_Client_XX.X.X_x64.zip (available in the Fortify Hosted Support Hub ).

          • the value of the scSastClientAuthToken (provided by the Fortify Hosted team) needs to be used as client_auth_token’s value in the Fortify_ScanCentral_Client_XX.X.X_x64\Core\config\client.properties file.

   • JetBrains (IntelliJ IDEA, AndroidStudio, PyCharm, WebStorm)
     1. Installing the Fortify Analysis Plugin (microfocus.com)- Fortify_SCA_and_Apps_XX.X.X installation file (available in the Fortify Hosted Support Hub) - <sca_install_dir>/plugins/IntelliJAnalysis directory.
     2. Scanning with Fortify ScanCentral SAST (microfocus.com)
        

        • There is another token (client_auth_token) to set up in your Fortify ScanCentral client installation.

          • Installing ScanCentral SAST Clients (microfocus.com) –  Fortify_ScanCentral_Client_XX.X.X_x64.zip (available in the Fortify Hosted Support Hub).

          • the value of the scSastClientAuthToken (provided by the Fortify Hosted team) needs to be used as client_auth_token’s value in the Fortify_ScanCentral_Client_XX.X.X_x64\Core\config\client.properties file.

3. Fortify ScanCentral SAST Client CLI (payload package + scan start)
   • Installing ScanCentral SAST Clients (microfocus.com) – Fortify_ScanCentral_Client_XX.X.X_x64.zip (available in the Fortify Hosted Support Hub).
     • the value of the scSastClientAuthToken (provided by the Fortify Hosted team) needs to be used as client_auth_token’s value in the Fortify_ScanCentral_Client_XX.X.X_x64\Core\config\client.properties file.
   • Submitting Scan Requests (microfocus.com) by using a Fortify SSC CIToken (SSC API Token Best Practices – Micro Focus (cyberreshelp.com)) for uploading the SAST results to Fortify SSC
     • Fortify ScanCentral SAST Command-Line Options (microfocus.com)
       
       • Example 1 (no build tool integration):
         • scancentral -url <Your Fortify SCSAST Controller URL> start -bt none -upload -uptoken <Your Fortify SSC CIToken> --application <Your application name> --application-version <Your application version>
       • Example 2 (maven build tool integration):
         • scancentral -url <Your Fortify SCSAST Controller URL> start -bt mvn -upload -uptoken <Your Fortify SSC CIToken> --application <Your application name> --application-version <Your application version>
4. Fortify ScanCentral SAST Client CLI (payload package only) + Fortify CLI (scan start) 

   • 1_SET VARIABLES - Fortify Command Line Interface (FCLI) : The universal Fortify CLI

                     set FCLI_DEFAULT_SSC_URL=https://xxx.xxx.xxx.xxx/

                     set FCLI_DEFAULT_SSC_USER=userxxx

                     set FCLI_DEFAULT_SSC_PASSWORD=xxx

                     set FCLI_DEFAULT_SSC_CI_TOKEN=xxx-xxx-xxx-xxx-xxx

                     set FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN=xxx

                     set SSC_APPLICATION_NAME=xxx

                     set SSC_APPLICATION_VERSION=xxx

   • 2_SSC LOGIN - Fortify Command Line Interface (FCLI) : The universal Fortify CLI

                     fcli ssc session login

   • 3_SAST PAYLOAD PACKAGING WITH SCANCENTRAL

     • Example (package without build integration): scancentral package -bt none -o package.zip
     • Example (package with maven integration):  scancentral package -bt mvn -o package.zip

   • 4_FCLI SAST SCAN START - Fortify Command Line Interface (FCLI) : The universal Fortify CLI

     • fcli sc-sast scan start --package-file=package.zip --appversion=%SSC_APPLICATION_NAME%:%SSC_APPLICATION_VERSION%