Fortify ScanCentral SAST

The Fortify ScanCentral SAST bundled plugin runs a Fortify Static Code Analyzer scan using remote Fortify ScanCentral SAST sensors. Both the translation and scanning phases of code analysis are offloaded to Fortify ScanCentral SAST.

Plugin overview

By default, the Fortify ScanCentral SAST plugin enables the following process:

  1. The plugin triggers a Fortify ScanCentral SAST (ScanCentral SAST) batch script that builds a project, packages the project for a Fortify Static Code Analyzer (Fortify SCA) scan, and offloads both the translation and scanning phases of the analysis process to remote ScanCentral SAST sensors.

  2. When the scan is finished, the results (FPR files) are uploaded to the specified application version in Fortify Software Security Center.

  3. The plugin pulls the scan results from Fortify Software Security Center to generate findings in PulseUno. When the chain finishes running, you can review the findings on the chain run page. For details, see View chain runs.

If you don't need the plugin to capture findings, you can choose not to upload the scan results to Fortify Software Security Center.


Prerequisites

To use the Fortify ScanCentral SAST plugin, ensure that you fulfill the following prerequisites:

  • Install a standalone Fortify ScanCentral SAST client on your machine. For supported versions, see the Support Matrix.

  • Generate a UnifiedLoginToken (ScanCentral SAST 22.1.x or later) or CIToken (ScanCentral SAST 21.2.x) in Fortify Software Security Center. You need the token to start a remote scan and get analysis results from Fortify Software Security Center.


Configure the plugin

When you add the Fortify ScanCentral SAST plugin to a chain, specify the plugin configuration details.

To configure the Fortify ScanCentral SAST step:

  1. Add the Fortify ScanCentral SAST step to a chain, as described in Create chains.

  2. (Optional) Rename the plugin step.

  3. From the Application Type list, select the type of project to scan:

    .NET MSBuild

      Select to scan an MSBuild project, and specify the following parameters:

      • Enter the path to the solution or project file, relative to the agent's workspace.

        If the path contains spaces, enclose it in double quotation marks, for example:

        "my solutions\mySolution.sln"

      • (Optional) Select to exclude disabled projects.

    Gradle

      Select to scan a Gradle project, and specify the following parameters:

      • Enter the path to the build file, relative to the agent's workspace. If the path contains spaces, enclose it in double quotation marks.

        Leave empty to run the default build.gradle file in the agent's workspace.

      • To include unit test sources in the scan, select Include tests.

      • To skip building the project on the agent, select Skip build.

    Maven

      Select to scan a Maven project, and specify the following parameters:

      • Enter the path to the build file, relative to the agent's workspace. If the path contains spaces, enclose it in double quotation marks.

        Leave empty to run the default pom.xml file in the agent's workspace.

      • To include unit test sources in the scan, select Include tests.

      • To skip building the project on the agent, select Skip build.

    Other

      Select to scan a project in a language that is not on this list.

    PHP

      Select to scan a PHP project. Optionally, specify the PHP version of your project.

    Python

      Select to scan a Python project. Optionally, specify the following parameters:

      • Enter the Python version installed on your machine.

      • To scan a Python project under a virtual environment, enter the path to the virtual environment.

      • Enter the path to the Python requirements file.

  4. (Optional) Enter the Fortify SCA translation options.

    For details about translation options, see the Fortify Static Code Analyzer User Guide.

  5. (Optional) To set the ScanCentral SAST Controller options, select Optional configuration and provide the following details:

    Sensor pool

      Specify the UUID of the sensor pool to which the Controller can assign scans.

      Leave empty to use the default sensor pool defined in ScanCentral SAST.

    Notification email

      Enter the email address that receives notifications from the Controller.

  6. (Optional) To set the Fortify SCA scan options, select Optional configuration and provide the following details:

    Fortify SCA scan options

      Enter additional Fortify SCA scan options.

    Custom Rulepacks

      Specify custom Rulepack files or directories. Separate each entry with a space.

    Fortify SCA scan filter file

      To filter specific issues out of the scan results, enter the path to a file containing the list of items to exclude.

  7. To upload the scan results to Fortify Software Security Center (Fortify SSC) and use them to generate findings in PulseUno, keep the option Upload Fortify SCA scan results to Fortify Software Security Center selected and provide the following details:

    Application name

      Enter the name of the application under which to store the scan results in Fortify SSC.

    Application version

      Enter the version number associated with the application. If this version doesn't exist, the plugin creates it.

      To use the build number as the application version, set it as a variable:

      {{chainnum}}

      For details about built-in variables, see Use variables in chains.

    Check timeout (in seconds)

      Specify how long, in seconds, to wait for the scan results to be uploaded before timing out. Default: 300 seconds.

    Check status every (in seconds)

      Specify how often, in seconds, to poll Fortify SSC to check whether the scan results have been uploaded. Default: every 60 seconds.

  8. Select Use advanced options and specify the Fortify SSC access and filtering details:

    Location of the ScanCentral standalone client 'bin' folder

      Enter the path to the bin directory of the standalone Fortify ScanCentral SAST client on the agent.

      You can set the path as an agent variable, which can have a different value on each agent. For example:

      {{SCANCENTRAL_BIN_PATH}}

      For details about agent variables, see Add variables to agents.

      If the path is the same on all agents, you can use a global variable.

    Fortify Software Security Center URL

      Enter the URL of the Fortify SSC server. You can set it as a global variable, for example:

      {{FORTIFY_SSC_URL}}

      For details about global variables, see Define chain and global variables.

    Authentication token (UnifiedLoginToken)

      Enter the decoded token string:

      • ScanCentral SAST 22.1.x or later: Enter the UnifiedLoginToken generated in Fortify SSC.

      • ScanCentral SAST 21.2.x: Enter the CIToken generated in Fortify SSC.

      The access token enables the plugin to start a remote scan and read analysis results from Fortify SSC.

    Filter set

      (Optional) To filter the scan results based on a filter set, specify the ID of the filter set.

      Leave empty to use the default filter set defined in Fortify SSC.

  9. (Optional) Define the control options for the plugin step:

    • Enable step. By default, the step is enabled to run. Clear this option if you need to deactivate the step.

      Disabled steps are skipped when the chain runs.

    • Fail the step. Specify the conditions for failing the step, such as unit test failures, findings criteria, and/or console log entries.

    • Mark step as unstable. Specify the conditions for making the step unstable, such as unit test failures, findings criteria, and/or console log entries.

  10. (Optional) Specify the output variables to be passed to other steps down the chain. For details, see Publish output variables.

  11. Save the chain.
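The settings from this procedure, run on an agent outside PulseUno, as an added example (this is not the plugin's own code and not Fortify's): a POSIX sh script that assembles the equivalent scancentral start invocation from the step settings and implements the Check timeout / Check status every polling. The scancentral flag names and the environment variable names are assumptions and are marked as such in the comments.

```sh
#!/bin/sh
# Added example, not code from the PulseUno plugin or from Fortify. It does on
# an agent what the plugin step does, so the settings from the steps above can
# be read as one `scancentral start` invocation plus the upload polling loop.
# Flag names (-url, -bt, -bf, -skipBuild, -t, -upload, -application, -version,
# -pool, -email, -uptoken) are the ScanCentral SAST client's as I know them;
# confirm them with `scancentral start -h` for your client version.
# Settings come from the environment, mirroring the plugin's {{...}} variables
# (names assumed): SCANCENTRAL_BIN_PATH, CONTROLLER_URL, SSC_TOKEN, APP_TYPE
# (mvn|gradle|msbuild|none), BUILD_FILE, SKIP_BUILD, INCLUDE_TESTS, APP_NAME,
# APP_VERSION, SENSOR_POOL (UUID), NOTIFY_EMAIL.

SCANCENTRAL="${SCANCENTRAL:-${SCANCENTRAL_BIN_PATH:-.}/scancentral}"

run_scan() {
  set -- start -bt "${APP_TYPE:-none}"
  [ -n "$BUILD_FILE" ]       && set -- "$@" -bf "$BUILD_FILE"   # "$@" keeps paths with spaces whole
  [ "$SKIP_BUILD" = yes ]    && set -- "$@" -skipBuild
  [ "$INCLUDE_TESTS" = yes ] && set -- "$@" -t
  set -- "$@" -upload -application "$APP_NAME" -version "$APP_VERSION"
  [ -n "$SENSOR_POOL" ]      && set -- "$@" -pool "$SENSOR_POOL"
  [ -n "$NOTIFY_EMAIL" ]     && set -- "$@" -email "$NOTIFY_EMAIL"
  # The token is read from the environment and handed to the client as its own
  # argument, so it is never built into a string that ends up in the console
  # log; it is still visible in the agent's process list while the client runs.
  "$SCANCENTRAL" -url "$CONTROLLER_URL" "$@" -uptoken "$SSC_TOKEN"
}

# "Check timeout" / "Check status every": run a checker command every $2
# seconds until it succeeds; return 1 once $1 seconds have passed without
# success. The plugin's defaults are 300 and 60. $3.. is the checker command,
# for example a script that asks Fortify SSC whether the artifact is processed.
wait_for_results() {
  limit=$1; interval=$2; shift 2
  waited=0
  while ! "$@"; do
    [ "$waited" -ge "$limit" ] && return 1
    sleep "$interval"
    waited=$((waited + interval))
  done
  return 0
}
```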


See also: