The Fortify Hosted SaaS solution is based on the Fortify ScanCentral SAST, Fortify ScanCentral DAST and, optionally, Fortify Source Components Analysis (Sonatype SCA) architectures.
A Fortify ScanCentral SAST scan is a Fortify Hosted SaaS remote scan; it can be initiated by using:
- Fortify CI/CD integration - plugins, extensions and templates
- Fortify IDE Complete plugin
- Fortify ScanCentral SAST Client CLI (payload package + scan start)
- Fortify ScanCentral SAST Client CLI (payload package only) + Fortify CLI (scan start)
More details on each option:

- Fortify CI/CD integration - plugins, extensions and templates
  - Application Security Integration Ecosystem
    - AzureDevOps
    - Jenkins
    - GitHub
    - GitLab
    - BitBucket
    - AWS
    - Google Cloud
    - Oracle Cloud Infrastructure (OCI)

- Fortify IDE Complete plugin
  - Eclipse
    - About Installing the Eclipse Complete Plugin - the Fortify Applications and Tools (Fortify_Tools_XX.X.X) installation file (available in the Fortify Hosted Support Hub), <tools_install_dir>/plugins/eclipse directory.
    - About Scanning with Fortify ScanCentral SAST
  - Visual Studio
    - Installing Fortify Extension for Visual Studio - the Fortify Applications and Tools (Fortify_Tools_XX.X.X) installation file (available in the Fortify Hosted Support Hub).
    - Installing a Standalone Client
  - Visual Studio Code
    - Fortify Extension for Visual Studio Code - Visual Studio Marketplace
    - Performing an Analysis Remotely with Fortify ScanCentral SAST
  - JetBrains (IntelliJ IDEA, Android Studio, PyCharm, WebStorm)
    - Installing the Fortify Analysis Plugin - the Fortify Applications and Tools (Fortify_Tools_XX.X.X) installation file (available in the Fortify Hosted Support Hub), <tools_install_dir>/plugins/IntelliJAnalysis directory.
    - Scanning with Fortify ScanCentral SAST
  - For every IDE plugin above, there is another token (client_auth_token) to set up in your Fortify ScanCentral client installation:
    - Installing a Standalone Client - Fortify_ScanCentral_Client_XX.X.X_x64.zip (available in the Fortify Hosted Support Hub).
    - The value of scSastClientAuthToken (provided by the Fortify Hosted team) needs to be used as the client_auth_token value in the Fortify_ScanCentral_Client_XX.X.X_x64\Core\config\client.properties file.

- Fortify ScanCentral SAST Client CLI (payload package + scan start)
  - Installing a Standalone Client - Fortify_ScanCentral_Client_XX.X.X_x64.zip (available in the Fortify Hosted Support Hub).
  - The value of scSastClientAuthToken (provided by the Fortify Hosted team) needs to be used as the client_auth_token value in the Fortify_ScanCentral_Client_XX.X.X_x64\Core\config\client.properties file.
  - Offloading Both Translation and Scanning by using a Fortify SSC CIToken (see SSC API Token Best Practices) for uploading the SAST results to Fortify SSC
  - Fortify ScanCentral SAST Command-Line Options
    - Example 1 (no build tool integration):
    - Example 2 (maven build tool integration):
- Fortify ScanCentral SAST Client CLI (payload package only) + Fortify CLI (scan start)
  - Reference: Fortify Command Line Interface (FCLI): The universal Fortify CLI
  - 1_SET VARIABLES (Windows command prompt; fcli reads the FCLI_DEFAULT_* variables as option defaults)
    set FCLI_DEFAULT_SSC_URL=https://xxx.xxx.xxx.xxx/
    set FCLI_DEFAULT_SSC_USER=userxxx
    set FCLI_DEFAULT_SSC_PASSWORD=xxx
    set FCLI_DEFAULT_SSC_CI_TOKEN=xxx-xxx-xxx-xxx-xxx
    set FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN=xxx
    set SSC_APPLICATION_NAME=xxx
    set SSC_APPLICATION_VERSION=xxx
  - 2_SSC LOGIN
    fcli ssc session login
  - 3_SAST PAYLOAD PACKAGING WITH SCANCENTRAL
    - Example (package without build integration): scancentral package -bt none -o package.zip
    - Example (package with maven integration): scancentral package -bt mvn -o package.zip
  - 4_FCLI SAST SCAN START
    fcli sc-sast scan start --package-file=package.zip --appversion=%SSC_APPLICATION_NAME%:%SSC_APPLICATION_VERSION%
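The four steps above as one script, written here as an added example (not a Fortify script) in POSIX shell rather than the Windows batch lines shown. It assumes fcli and scancentral are on PATH, that the FCLI_DEFAULT_* and SSC_* variables named above are injected by the CI secret store (the CI token is used instead of user/password), and adds two checks of my own: required variables are verified without echoing their values, and the payload is confirmed to be a non-empty zip before it is sent to the hosted scanner.

```shell
#!/bin/sh
# Added example (not Fortify's own script): steps 1_ to 4_ above with preflight checks.
# Assumptions: fcli and scancentral on PATH; FCLI_DEFAULT_* / SSC_* variables come from
# the CI secret store. detect_build_tool and check_package are helpers added here.
set -e

# Fail if a required setting is missing, without ever printing its value to the log.
require_env() {
  eval "_val=\${$1:-}"
  if [ -z "$_val" ]; then
    echo "missing required variable: $1" >&2
    return 1
  fi
}

# Pick the scancentral -bt value from the project layout: mvn if pom.xml exists, else none.
detect_build_tool() {
  if [ -f "$1/pom.xml" ]; then echo mvn; else echo none; fi
}

# Check the payload before it leaves for the hosted scanner:
# it must exist, be non-empty and start with the zip "PK" signature.
check_package() {
  [ -s "$1" ] || { echo "package missing or empty: $1" >&2; return 1; }
  [ "$(head -c 2 "$1")" = "PK" ] || { echo "not a zip archive: $1" >&2; return 1; }
}

run_pipeline() {
  src_dir="${1:-.}"
  # 1_SET VARIABLES: with a CI token no SSC user/password needs to be exported.
  for v in FCLI_DEFAULT_SSC_URL FCLI_DEFAULT_SSC_CI_TOKEN \
           FCLI_DEFAULT_SC_SAST_CLIENT_AUTH_TOKEN \
           SSC_APPLICATION_NAME SSC_APPLICATION_VERSION; do
    require_env "$v"
  done
  # 2_SSC LOGIN: fcli reads the FCLI_DEFAULT_* variables as option defaults.
  fcli ssc session login
  # 3_SAST PAYLOAD PACKAGING WITH SCANCENTRAL
  bt=$(detect_build_tool "$src_dir")
  (cd "$src_dir" && scancentral package -bt "$bt" -o package.zip)
  check_package "$src_dir/package.zip"
  # 4_FCLI SAST SCAN START (same command line as on the page)
  fcli sc-sast scan start --package-file="$src_dir/package.zip" \
    --appversion="$SSC_APPLICATION_NAME:$SSC_APPLICATION_VERSION"
}
```

Run it as `run_pipeline /path/to/source` from a CI job that exports the listed variables.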