Core SAST Aviator (now Application Security Aviator for Vulnerability Remediation) is a cloud-based enterprise service that audits, identifies, and classifies each issue received from SAST scan result as a true positive or a false positive.
Core SAST Aviator (GenAI/LLM) reduces false positives/noise by applying auto-triage and providing auto-remediation advice.
SAST Aviator leverages Generative Artificial Intelligence (GenAI) in the form of a Large Language Model (LLM) technology to evaluate each identified issue, predicting whether it is a true positive or a false positive. For both true and false positive cases, SAST Aviator provides a detailed explanation. When an issue is classified as a true positive, SAST Aviator offers remediation recommendations, enabling users to resolve code issues quickly and accurately.
SAST Aviator is accessible using SAST through Fortify Hosted. You can use the Fortify CLI tool (Fortify Command Line Interface (FCLI)) to transmit SAST scan results from the Fortify Software Security Center (Fortify SSC) to SAST Aviator for processing. The results from SAST Aviator are stored as audit information in the Fortify SSC.
A regular SAST scan is performed, and the results are uploaded to the Fortify SSC. Subsequently, SAST Aviator audits the scan results stored in Fortify SSC.
Fortify CLI tool sends the SAST scan results, including vulnerability information and source code snippets from the Fortify SSC to SAST Aviator. The SAST Aviator sends (for each vulnerability) audit instructions, vulnerability data, relevant code to an LLM for auditing them. The audited results are then returned to Fortify CLI. The vulnerability and audit information are not stored within the SAST Aviator. SAST Aviator retains only the statistical data indicating that an audit occurred, including the number of issues identified:
Perform the following steps (Get Started) to get started with SAST Aviator:
- Download fcli or use any fcli binaries (Releases · fortify/fcli)
- Register customer administrator by sharing the public key (public_key.pem), name, surname and email with OpenText Support.
- Generate tokens for individual users
- Create application
- Trigger audit