The Fortify Hosted SaaS solution is built on the Fortify ScanCentral SAST and Fortify ScanCentral DAST architectures and, optionally, Fortify Software Composition Analysis (Sonatype SCA).
A Fortify ScanCentral DAST scan can be initiated either:
- manually, from the Fortify SSC web portal
- automatically, by invoking a Fortify ScanCentral DAST API endpoint (for example from a CI/CD pipeline)
These are the prerequisites for starting a DAST scan by invoking the Fortify ScanCentral DAST API endpoint:
- An application URL to scan
- An Application and Version already created in Fortify Software Security Center
- DAST scan settings for that application, already created in Fortify ScanCentral DAST
  - the settings include a CI/CD token that identifies them; this token is what the API call references, so it should be treated as a secret
- A Fortify authorization token for the API call
  - a UnifiedLoginToken (max days to live: 1) or a CIToken (max days to live: 365); for pipeline use, create a CIToken in SSC and store it in the CI system's secret store rather than in the pipeline definition
- The Fortify ScanCentral DAST API URL and the Fortify ScanCentral DAST API Swagger URL (both received at sign-up in a password-protected document)
- A command-line environment from which to invoke the Fortify ScanCentral DAST API endpoint that starts a scan, for example with curl:

```bash
curl --location --request POST 'https://<Your Fortify ScanCentral DAST API endpoint>/api/scans/start-scan-cicd' \
  --header 'Authorization: FORTIFYTOKEN <Your Auth Token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{"cicdToken": "<Your cicdToken>"}'
```