Fortify ScanCentral SAST scan : how to initiate it (old release 22.2.0)

The Fortify Hosted SaaS solution is based on Fortify Scan Central SAST, Fortify ScanCentral DAST and, optionally, Fortify Source Components Analysis (Sonatype SCA) architectures.

A Fortify ScanCentral SAST scan is a Fortify Hosted SaaS remote scan and it can be initiated by using:

1. Fortify CI/CD integration - plugins, extensions and templates
2. Fortify IDE Complete plugin
3. Fortify ScanCentral SAST Client CLI (payload package + scan start)
4. Fortify ScanCentral SAST Client CLI (payload package only) + Fortify CLI (scan start)

Here you find more details:

1. Fortify CI/CD integration - plugins, extensions and templates
   • Application Security Integration Ecosystem
     • AzureDevOps
       • Micro Focus Fortify - Visual Studio Marketplace
       • Fortify Azure DevOps Extension - Documentation | Micro Focus
     • Jenkins
       • Fortify | Jenkins plugin
       • Fortify Jenkins Plugin - Documentation | Micro Focus
     • GitHub
       • Fortify ScanCentral Scan · Actions · GitHub Marketplace
       • Export Fortify vulnerability data · Actions · GitHub Marketplace
     • GitLab
       • Fortify / Fortify GitLab CI Templates · GitLab
       • fortifydocker/fortify-ci-tools - Docker Image | Docker Hub
     • BitBucket
       • fortifysoftware / fortify-scan — Bitbucket
     • AWS 
       • CloudDevSecOpsTemplates/AWS
     • Google Cloud
       • CloudDevSecOpsTemplates/GCP/SAST 
     • Oracle Cloud Infrastructure (OCI) 
       • CloudDevSecOpsTemplates/OCI
2. Fortify IDE Complete plugin
   • Eclipse
     1. About Installing the Eclipse Complete Plugin (microfocus.com)- Fortify_SCA_and_Apps_XX.X.X installation file (available in the Fortify Hosted Support Hub - <sca_install_dir>/plugins/eclipse directory.
     2. About Scanning with Fortify ScanCentral SAST (microfocus.com)

        • There is another token (client_auth_token) to set up in your Fortify ScanCentral client installation.

          • Installing ScanCentral SAST Clients (microfocus.com) –  Fortify_ScanCentral_Client_XX.X.X_x64.zip (available in the Fortify Hosted Support Hub ).

          • the value of the scSastClientAuthToken (provided by the Fortify Hosted team) needs to be used as client_auth_token’s value in the Fortify_ScanCentral_Client_XX.X.X_x64\Core\config\client.properties file.

   • Visual Studio
     1. Installation (microfocus.com) -  Fortify_SCA_and_Apps_XX.X.X installation file (available in the Fortify Hosted Support Hub ).
     2. About Scanning with Fortify ScanCentral SAST (microfocus.com)
        
        • There is another token (client_auth_token) to set up in your Fortify ScanCentral client installation.

        • Installing ScanCentral SAST Clients (microfocus.com) –  Fortify_ScanCentral_Client_XX.X.X_x64.zip (available in the Fortify Hosted Support Hub ).

        • the value of the scSastClientAuthToken (provided by the Fortify Hosted team) needs to be used as client_auth_token’s value in the Fortify_ScanCentral_Client_XX.X.X_x64\Core\config\client.properties file.

   • Visual Code
     1. Fortify Extension for Visual Studio Code - Visual Studio Marketplace
        1. Installing the Fortify Extension for Visual Studio Code (microfocus.com)
     2. Performing an Analysis Remotely with Fortify ScanCentral SAST (microfocus.com)

        • There is another token (client_auth_token) to set up in your Fortify ScanCentral client installation.

          • Installing ScanCentral SAST Clients (microfocus.com) –  Fortify_ScanCentral_Client_XX.X.X_x64.zip (available in the Fortify Hosted Support Hub ).

          • the value of the scSastClientAuthToken (provided by the Fortify Hosted team) needs to be used as client_auth_token’s value in the Fortify_ScanCentral_Client_XX.X.X_x64\Core\config\client.properties file.

   • JetBrains (IntelliJ IDEA, AndroidStudio, PyCharm, WebStorm)
     1. Installing the Fortify Analysis Plugin (microfocus.com)- Fortify_SCA_and_Apps_XX.X.X installation file (available in the Fortify Hosted Support Hub) - <sca_install_dir>/plugins/IntelliJAnalysis directory.
     2. Scanning with Fortify ScanCentral SAST (microfocus.com)
        

        • There is another token (client_auth_token) to set up in your Fortify ScanCentral client installation.

          • Installing ScanCentral SAST Clients (microfocus.com) –  Fortify_ScanCentral_Client_XX.X.X_x64.zip (available in the Fortify Hosted Support Hub).

          • the value of the scSastClientAuthToken (provided by the Fortify Hosted team) needs to be used as client_auth_token’s value in the Fortify_ScanCentral_Client_XX.X.X_x64\Core\config\client.properties file.

3. Fortify ScanCentral SAST Client CLI (payload package + scan start)
   • Installing ScanCentral SAST Clients (microfocus.com) – Fortify_ScanCentral_Client_XX.X.X_x64.zip (available in the Fortify Hosted Support Hub).
     • the value of the scSastClientAuthToken (provided by the Fortify Hosted team) needs to be used as client_auth_token’s value in the Fortify_ScanCentral_Client_XX.X.X_x64\Core\config\client.properties file.
   • Submitting Scan Requests (microfocus.com) by using a Fortify SSC CIToken (SSC API Token Best Practices – Micro Focus (cyberreshelp.com)) for uploading the SAST results to Fortify SSC
     • Fortify ScanCentral SAST Command-Line Options (microfocus.com)
       
       • Example 1 (no build tool integration):
         • scancentral -url <Your Fortify SCSAST Controller URL> start -bt none -upload -uptoken <Your Fortify SSC CIToken> --application <Your application name> --application-version <Your application version>
       • Example 2 (maven build tool integration):
         • scancentral -url <Your Fortify SCSAST Controller URL> start -bt mvn -upload -uptoken <Your Fortify SSC CIToken> --application <Your application name> --application-version <Your application version>
4. Fortify ScanCentral SAST Client CLI (payload package only) + Fortify CLI (scan start) 

   • 1_SET VARIABLES - Fortify Command Line Interface (FCLI) : The universal Fortify CLI

                     set FCLI_DEFAULT_SSC_URL=https://xxx.xxx.xxx.xxx/

                     set FCLI_DEFAULT_SSC_USER=userxxx

                     set FCLI_DEFAULT_SSC_PASSWORD=xxx

                     set FCLI_DEFAULT_SSC_CI_TOKEN=xxx-xxx-xxx-xxx-xxx

                     set FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN=xxx

                     set SSC_APPLICATION_NAME=xxx

                     set SSC_APPLICATION_VERSION=xxx

   • 2_SSC LOGIN - Fortify Command Line Interface (FCLI) : The universal Fortify CLI

                     fcli ssc session login

   • 3_SAST PAYLOAD PACKAGING WITH SCANCENTRAL

     • Example (package without build integration): scancentral package -bt none -o package.zip
     • Example (package with maven integration):  scancentral package -bt mvn -o package.zip

   • 4_FCLI SAST SCAN START - Fortify Command Line Interface (FCLI) : The universal Fortify CLI

     • fcli sc-sast scan start --package-file=package.zip --appversion=%SSC_APPLICATION_NAME%:%SSC_APPLICATION_VERSION%