Set up an integration with Fortify

This topic explains how to set up an integration with Micro Focus Fortify, bringing security testing into your development cycle.

Overview of the ALM Octane integration with Fortify

What is Fortify?

Micro Focus Fortify is an application security testing service. It performs static code analysis on your application's code, assessing it for potential security vulnerabilities. It can be cloud-based or installed on premises.

Why integrate ALM Octane with Fortify?

Integrate ALM Octane with Fortify to bring security testing into your development cycle:

  • Identify security vulnerabilities soon after they are introduced into the code and correct them.

  • Raise developers' awareness, encouraging them to avoid introducing vulnerabilities.

Tip: If you are using a static code analysis tool other than Fortify, you can inject security vulnerability issues detected by the tool into ALM Octane using the ALM Octane REST API. For details, see Add vulnerability issues into ALM Octane.

How does the integration work?

After reviewing the vulnerabilities, you can create a relevant defect to fix your code, or dismiss and close the issue. For details, see Track security vulnerabilities.

Important privacy note: If your Fortify data contains personally identifiable information (PII), contact your system administrators to check the geographical locations of the Fortify data farm and the ALM Octane server. If the two are located in different geographical locations, verify with your chief information security officer or privacy office that this integration complies with your regional regulations.

Back to top

Step 1: Set up Fortify and ALM Octane to integrate with Jenkins

Back to top

Step 2 (Fortify on Demand only): Create a security tool connection in ALM Octane

Note: This step is for Fortify on Demand only.

Add Fortify on Demand as a security tool in the DevOps settings page, so ALM Octane can retrieve the assessment results from the Fortify on Demand server:

  1. In ALM Octane, click Settings > Spaces, select a workspace.

  2. Select the DevOps > Security Tools tab.

  3. Click + Connection.

  4. Define a name for the connection and select the security tool (Fortify On Demand).

  5. Enter the URL for your Fortify on Demand server, and the API keys required to access it.

  6. Click Test Connection to make sure the configuration is correct.

  7. Click Add to add the security tool to the list.

    After a pipeline step uploads code to Fortify on Demand for assessment, ALM Octane will use this connection information to contact Fortify on Demand and retrieve the assessment results.

Back to top

Step 3: Create a pipeline in ALM Octane

  1. In the Pipelines > Pipelines page, add a new pipeline.

  2. In the Type field, select Security.

  3. For Fortify on Demand: 

    1. Select the Fortify on Demand Upload job defined earlier, or the root of a flow that includes it.

    2. Select the option This pipeline includes a Fortify on Demand job.
    3. Enter the Application and Release that you used when configuring the Jenkins Fortify on Demand Upload step. These details identify the application whose code Fortify on Demand is scanning.

Depending on your integration, the following then occurs:

  • Fortify on Demand: After this pipeline runs successfully, ALM Octane polls the Fortify on Demand server, waiting to retrieve the assessment results.

  • Fortify Software Security Center: The Jenkins plugin checks periodically if there are new scan results in the Software Security Center database. If there are, the new security data is injected to ALM Octane and is displayed on the corresponding pipeline run.

Back to top

Configuration options

For details, see Configuration parameters.

Back to top

See also: