Fortify ScanCentral SAST scan : how to initiate it – Micro Focus

The Fortify Hosted SaaS solution is based on Fortify ScanCentral SAST and Fortify ScanCentral DAST architectures.

A Fortify ScanCentral SAST scan is a Fortify Hosted SaaS remote scan and it can be initiated by using:

Fortify CI/CD integration - plugins, extensions and templates
Fortify IDE Complete plugin
Fortify ScanCentral SAST Client CLI

Here you find more details:

Fortify CI/CD integration - plugins, extensions and templates
- Application Security Integration Ecosystem | CyberRes (microfocus.com)
  - AzureDevOps
    - Micro Focus Fortify - Visual Studio Marketplace
    - Fortify Azure DevOps Extension - Documentation | Micro Focus
  - Jenkins
    - Fortify | Jenkins plugin
    - Fortify Jenkins Plugin - Documentation | Micro Focus
  - GitHub
    - Fortify ScanCentral Scan · Actions · GitHub Marketplace
    - Export Fortify vulnerability data · Actions · GitHub Marketplace
  - GitLab
    - Fortify / Fortify GitLab CI Templates · GitLab
    - fortifydocker/fortify-ci-tools - Docker Image | Docker Hub
  - BitBucket
    - fortifysoftware / fortify-scan — Bitbucket
  - AWS
    - CloudDevSecOpsTemplates/AWS at main · fortify/CloudDevSecOpsTemplates (github.com)
  - Google Cloud
    - CloudDevSecOpsTemplates/GCP/SAST at main · fortify/CloudDevSecOpsTemplates (github.com)
  - Oracle Cloud Infrastructure (OCI)
    - CloudDevSecOpsTemplates/OCI at main · fortify/CloudDevSecOpsTemplates (github.com)
Fortify IDE Complete plugin
- Eclipse
  1. About Installing the Eclipse Complete Plugin (microfocus.com)- Fortify_SCA_and_Apps_XX.X.X installation file (provided by the Fortify Hosted team) - <sca_install_dir>/plugins/eclipse directory.
  2. About Scanning with Fortify ScanCentral SAST (microfocus.com)
    - There is another token (client_auth_token) to set up in your Fortify ScanCentral client installation.
      - Installing ScanCentral SAST Clients (microfocus.com) – Fortify_ScanCentral_Client_XX.X.X_x64.zip (provided by the Fortify Hosted team)
      - the value of the scSastClientAuthToken (provided by the Fortify Hosted team) needs to be used as client_auth_token’s value in the Fortify_ScanCentral_Client_XX.X.X_x64\Core\config\client.properties file.
- Visual Studio
  1. Installation (microfocus.com) - Fortify_SCA_and_Apps_XX.X.X installation file (provided by the Fortify Hosted team)
  2. About Scanning with Fortify ScanCentral SAST (microfocus.com)
    - There is another token (client_auth_token) to set up in your Fortify ScanCentral client installation.
    - Installing ScanCentral SAST Clients (microfocus.com) – Fortify_ScanCentral_Client_XX.X.X_x64.zip (provided by the Fortify Hosted team)
    - the value of the scSastClientAuthToken (provided by the Fortify Hosted team) needs to be used as client_auth_token’s value in the Fortify_ScanCentral_Client_XX.X.X_x64\Core\config\client.properties file.
- Visual Code
  1. Fortify Extension for Visual Studio Code - Visual Studio Marketplace
    1. Installing the Fortify Extension for Visual Studio Code (microfocus.com)
  2. Performing an Analysis Remotely with Fortify ScanCentral SAST (microfocus.com)
    - There is another token (client_auth_token) to set up in your Fortify ScanCentral client installation.
      - Installing ScanCentral SAST Clients (microfocus.com) – Fortify_ScanCentral_Client_XX.X.X_x64.zip (provided by the Fortify Hosted team)
      - the value of the scSastClientAuthToken (provided by the Fortify Hosted team) needs to be used as client_auth_token’s value in the Fortify_ScanCentral_Client_XX.X.X_x64\Core\config\client.properties file.
- JetBrains (IntelliJ IDEA, AndroidStudio, PyCharm, WebStorm)
  1. Installing the Fortify Analysis Plugin (microfocus.com)- Fortify_SCA_and_Apps_XX.X.X installation file (provided by the Fortify Hosted team) - <sca_install_dir>/plugins/IntelliJAnalysis directory.
  2. Scanning with Fortify ScanCentral SAST (microfocus.com)
    - There is another token (client_auth_token) to set up in your Fortify ScanCentral client installation.
      - Installing ScanCentral SAST Clients (microfocus.com) – Fortify_ScanCentral_Client_XX.X.X_x64.zip (provided by the Fortify Hosted team)
      - the value of the scSastClientAuthToken (provided by the Fortify Hosted team) needs to be used as client_auth_token’s value in the Fortify_ScanCentral_Client_XX.X.X_x64\Core\config\client.properties file.
Fortify ScanCentral SAST Client CLI
1. Installing ScanCentral SAST Clients (microfocus.com) – Fortify_ScanCentral_Client_XX.X.X_x64.zip (provided by the Fortify Hosted team)
  - the value of the scSastClientAuthToken (provided by the Fortify Hosted team) needs to be used as client_auth_token’s value in the Fortify_ScanCentral_Client_XX.X.X_x64\Core\config\client.properties file.
2. Submitting Scan Requests (microfocus.com) by using a Fortify SSC CIToken (SSC API Token Best Practices – Micro Focus (cyberreshelp.com)) for uploading the SAST results to Fortify SSC
  - Fortify ScanCentral SAST Command-Line Options (microfocus.com)
    - Example 1 (no build tool integration): scancentral -url https://scsastctrl.xxxxx.fortifyhosted.com/scancentral-ctrl/start -bt none -upload -uptoken 26ba1667-53f8-4ab7-8419-1dcaec5ef728 --application eightball_tam_test --application-version 1
    - Example 2 (maven build tool integration): scancentral -url https://scsastctrl.xxxxx.fortifyhosted.com/scancentral-ctrl/start -bt mvn -upload -uptoken 26ba1667-53f8-4ab7-8419-1dcaec5ef728 --application eightball_tam_test --application-version 1

Related articles