Fortify SCA

Use the Fortify SCA bundled plugin to locally analyze an application's source code for security issues.

Fortify Static Code Analyzer (SCA) identifies the root causes of software security vulnerabilities and delivers accurate, risk-ranked results with line-of-code remediation guidance.

Prerequisites

To run the Fortify SCA plugin, you need Fortify SCA and the tools that it uses, such as Microsoft Visual Studio, installed on the same machine as the PulseUno agent. Configure them correctly for the named user account under which Common Tomcat is running.

Note: Fortify SCA may not work if Common Tomcat runs as a Windows service under the LocalSystem account.


Configure the plugin

When you add the Fortify SCA plugin to a chain, specify the plugin configuration details.

To configure the Fortify SCA step:

  1. Add the Fortify SCA step to a chain, as described in Create chains.

  2. (Optional) Rename the plugin step.

  3. For Translation Phase, select a custom translation option:

    • Yes. Use a custom translation string. In the Custom translation options field, enter a string that includes only translation phase options. Do not include the '-b' option.

    • No. Select translation options:

      Java sources:

        • Sources include pattern. Enter patterns for Java sources, for example:

          src/**/*.java

          Default pattern: **/*.java

        • Classpath. Enter a Java class path. The format is the same as for javac (a colon- or semicolon-separated list of paths). Use the sourceanalyzer Ant task classpath attribute.

        • Resolution source path. Enter the path to a directory of Java resolution sources. These sources are used for name resolution only, not for analysis. Use the sourceanalyzer Ant task sourcepath attribute.

        • Java version. Specify the JDK version the Java code is written for. Use the sourceanalyzer Ant task source attribute.

      Visual Studio projects:

        • Project/solution file path. Enter the relative path to a solution file.

        • Microsoft Visual Studio. Enter the full path to Visual Studio, for example:

          C:\Program Files (x86)\Microsoft Visual Studio <version>\Common7\IDE\devenv.com

      C/C++ source files:

        • Include pattern. Specify the names of the source files. Enter include patterns, separating each entry with a comma, for example:

          **/*.cpp,main.cpp

        • Path to C++ compiler executable. Enter the path to the C++ compiler executable.

      Other sources:

        • Include pattern. Enter include patterns for other sources. Separate each entry with a comma, for example:

          **/*.sql,*.php

  4. (Optional) For Analysis Phase, enter additional rulepack files or directories, one per line. You can specify an absolute path or a path relative to the stream/branch root. Use the sourceanalyzer Ant task rules attribute.

    To use custom analyze options instead, select Yes and specify a custom options string for the sourceanalyzer executable. Include analyze phase options only.

  5. To create a PDF file of the report, select Generate PDF report and enter the path of a report template file. You can specify an absolute path or the path relative to the stream/branch root. Leave empty to use the default template.

    Use the ReportGenerator utility's template option.

    Tip: Instead of generating a report file, you can use the Fortify SSC plugin to send scan results to Fortify Software Security Center. For details, see Fortify SSC.

  6. To capture findings to PulseUno, keep the option Create findings from FPR file selected.

    Note: If you're running both Fortify SCA and Fortify SSC plugins in the same chain, we recommend clearing this option to avoid duplicating findings in PulseUno.

  7. (Optional) Select Use advanced options to specify additional SCA options:

    • Fortify SCA sourceanalyzer path. Enter the path to the Fortify SCA sourceanalyzer executable, for example:

      C:\Program Files\Fortify\Fortify_SCA_and_Apps_<version>\bin\sourceanalyzer.exe

    • Fortify SCA ReportGenerator path. Enter the path to the Fortify SCA ReportGenerator utility, for example:

      C:\Program Files\Fortify\Fortify_SCA_and_Apps_<version>\bin\ReportGenerator.bat

  8. (Optional) Define the control options for the plugin step:

    • Enable step. By default, the step is enabled to run. Clear this option if you need to deactivate the step.

      Disabled steps are skipped when the chain runs.

    • Fail the step. Specify the conditions for failing the step, such as unit test failures, findings criteria, and/or console log entries.

    • Mark step as unstable. Specify the conditions for making the step unstable, such as unit test failures, findings criteria, and/or console log entries.

  9. (Optional) Specify the output variables to be passed to other steps down the chain. For details, see Publish output variables.
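The Translation Phase, Analysis Phase and report settings in steps 3 to 5 map onto sourceanalyzer and ReportGenerator command lines. The following Python script is an added example, not PulseUno plugin code or Fortify code: it assembles those command lines from values like the ones entered in the step, and enforces the rule that a custom translation string carries no '-b' (plus, as an added check, no '-scan', which belongs to the analysis phase). The options it uses (-b, -clean, -cp, -sourcepath, -source, -scan, -rules, -f for sourceanalyzer; -format, -f, -source, -template for ReportGenerator) are the command-line counterparts of the Ant attributes named above. The 'demo-app' build ID, the file names and the rulepack path are constructed placeholders, and by default the script only renders the commands instead of running them.

```python
# Added example (not PulseUno plugin code or Fortify code): assemble the
# sourceanalyzer / ReportGenerator command lines that correspond to the
# Translation, Analysis and Report settings, and validate a custom
# translation string the way the step's caveat requires.
import shlex
import subprocess
from typing import Iterable, Optional

# A custom translation string must carry only translation-phase options:
# '-b' is supplied by the caller (the page's rule) and '-scan' would start
# the analysis phase (added check).
FORBIDDEN_IN_TRANSLATION = {"-b", "-scan"}


def parse_custom_translation(custom: str) -> list[str]:
    """Split a custom translation string (POSIX quoting) and reject forbidden options."""
    tokens = shlex.split(custom)
    bad = sorted({t for t in tokens if t in FORBIDDEN_IN_TRANSLATION})
    if bad:
        raise ValueError(f"custom translation options must not contain {bad}")
    return tokens


def translate_commands(sa: str, build_id: str, java: dict,
                       custom: Optional[str] = None) -> list[list[str]]:
    """Translation phase: clean the build ID, then translate.

    `java` mirrors the Java sources fields (patterns, classpath, sourcepath,
    source); `custom` replaces them, as Translation Phase = Yes does."""
    clean = [sa, "-b", build_id, "-clean"]
    if custom is not None:
        return [clean, [sa, "-b", build_id, *parse_custom_translation(custom)]]
    cmd = [sa, "-b", build_id]
    if java.get("classpath"):
        cmd += ["-cp", java["classpath"]]            # Ant task: classpath
    if java.get("sourcepath"):
        cmd += ["-sourcepath", java["sourcepath"]]   # Ant task: sourcepath
    if java.get("source"):
        cmd += ["-source", java["source"]]           # Ant task: source
    # Patterns are passed unexpanded (no shell involved); sourceanalyzer expands ** itself.
    cmd += list(java.get("patterns") or ["**/*.java"])   # default include pattern
    return [clean, cmd]


def scan_command(sa: str, build_id: str, fpr: str,
                 rules: Iterable[str] = ()) -> list[str]:
    """Analysis phase: -scan with extra rulepacks (Ant task: rules) into an FPR."""
    cmd = [sa, "-b", build_id, "-scan"]
    for rulepack in rules:
        cmd += ["-rules", rulepack]
    return cmd + ["-f", fpr]


def report_command(rg: str, fpr: str, pdf: str,
                   template: Optional[str] = None) -> list[str]:
    """PDF report; leave template None to use ReportGenerator's default template."""
    cmd = [rg, "-format", "pdf", "-f", pdf, "-source", fpr]
    if template:
        cmd += ["-template", template]
    return cmd


def run_pipeline(cmds: Iterable[list[str]], dry_run: bool = True) -> list[str]:
    """Render each command; with dry_run=False also run it, stopping at the first failure."""
    rendered = []
    for cmd in cmds:
        rendered.append(shlex.join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return rendered


if __name__ == "__main__":
    # Constructed placeholder values; on Windows use the full .exe/.bat paths from step 7.
    SA, RG, BUILD = "sourceanalyzer", "ReportGenerator", "demo-app"
    steps = translate_commands(SA, BUILD, {"classpath": "lib/*.jar", "source": "11",
                                           "patterns": ["src/**/*.java"]})
    steps.append(scan_command(SA, BUILD, "results.fpr", ["rules/custom-rules.xml"]))
    steps.append(report_command(RG, "results.fpr", "report.pdf"))
    for line in run_pipeline(steps):      # dry run: print what would be executed
        print(line)
```

Because the commands are built as argument lists and run without a shell, include patterns such as src/**/*.java reach sourceanalyzer unexpanded, which is what the plugin's pattern fields expect; the validator rejects the string before any command is rendered if it smuggles in a build ID or the -scan switch.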
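Step 6 creates findings from the FPR file, and step 8 lets findings criteria fail the step or mark it unstable. The Python below is an added example, not the plugin's implementation: it reads the audit.fvdl entry that an FPR archive carries, extracts each vulnerability's kingdom, category, severity, confidence and primary location, and applies a fail/unstable gate on the highest severity. The sample FPR is constructed in memory and follows the FVDL element layout (Vulnerabilities/Vulnerability with ClassInfo, InstanceInfo and a primary Trace) as assumed here; the finding contents, the file names and the 4.0/3.0 thresholds are constructed values, not plugin defaults.

```python
# Added example (not the plugin's implementation): read findings out of an
# FPR archive and gate on severity the way the step's findings criteria do.
import io
import xml.etree.ElementTree as ET
import zipfile
from dataclasses import dataclass

# FVDL namespace used by audit.fvdl inside an FPR (assumed layout, see lead-in).
FVDL_NS = "xmlns://www.fortifysoftware.com/schema/fvdl"
NS = {"f": FVDL_NS}


@dataclass
class Finding:
    kingdom: str
    category: str
    severity: float
    confidence: float
    path: str
    line: int


def _text(elem, tag: str, default: str = "") -> str:
    child = elem.find(f"f:{tag}", NS) if elem is not None else None
    return child.text.strip() if child is not None and child.text else default


def _primary_location(vuln) -> tuple[str, int]:
    """Location to report: the node flagged isDefault, else the last node of the primary trace."""
    nodes = vuln.findall("f:AnalysisInfo/f:Unified/f:Trace/f:Primary/f:Entry/f:Node", NS)
    chosen = next((n for n in nodes if n.get("isDefault") == "true"), nodes[-1] if nodes else None)
    loc = chosen.find("f:SourceLocation", NS) if chosen is not None else None
    if loc is None:
        return "", 0
    return loc.get("path", ""), int(loc.get("line", "0"))


def findings_from_fpr(fpr_bytes: bytes) -> list[Finding]:
    """An FPR is a zip archive; the scan results live in its audit.fvdl entry."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as zf:
        root = ET.fromstring(zf.read("audit.fvdl"))
    findings = []
    for vuln in root.findall("f:Vulnerabilities/f:Vulnerability", NS):
        ci = vuln.find("f:ClassInfo", NS)
        ii = vuln.find("f:InstanceInfo", NS)
        category = _text(ci, "Type")
        subtype = _text(ci, "Subtype")
        if subtype:                       # "Type: Subtype" when a subtype is present
            category = f"{category}: {subtype}"
        path, line = _primary_location(vuln)
        findings.append(Finding(
            kingdom=_text(ci, "Kingdom"),
            category=category,
            severity=float(_text(ii, "InstanceSeverity", "0")),
            confidence=float(_text(ii, "Confidence", "0")),
            path=path, line=line))
    return findings


def gate(findings, fail_at: float = 4.0, unstable_at: float = 3.0) -> str:
    """Mirror 'Fail the step' / 'Mark step as unstable' on the highest severity.
    Thresholds are assumptions for this example, not plugin defaults."""
    top = max((f.severity for f in findings), default=0.0)
    if top >= fail_at:
        return "failed"
    if top >= unstable_at:
        return "unstable"
    return "ok"


# Constructed sample: a two-finding audit.fvdl packed into an in-memory FPR.
SAMPLE_FVDL = f"""<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="{FVDL_NS}" version="1.12">
 <Vulnerabilities>
  <Vulnerability>
   <ClassInfo><Kingdom>Input Validation and Representation</Kingdom><Type>SQL Injection</Type>
    <AnalyzerName>dataflow</AnalyzerName><DefaultSeverity>4.0</DefaultSeverity></ClassInfo>
   <InstanceInfo><InstanceID>c0ffee01</InstanceID><InstanceSeverity>4.0</InstanceSeverity>
    <Confidence>5.0</Confidence></InstanceInfo>
   <AnalysisInfo><Unified><Trace><Primary>
    <Entry><Node><SourceLocation path="src/Login.java" line="17" colStart="0" colEnd="0"/></Node></Entry>
    <Entry><Node isDefault="true"><SourceLocation path="src/UserDao.java" line="42" colStart="0" colEnd="0"/></Node></Entry>
   </Primary></Trace></Unified></AnalysisInfo>
  </Vulnerability>
  <Vulnerability>
   <ClassInfo><Kingdom>Encapsulation</Kingdom><Type>Poor Logging Practice</Type>
    <Subtype>Use of a System Output Stream</Subtype><AnalyzerName>structural</AnalyzerName>
    <DefaultSeverity>2.0</DefaultSeverity></ClassInfo>
   <InstanceInfo><InstanceID>c0ffee02</InstanceID><InstanceSeverity>2.0</InstanceSeverity>
    <Confidence>5.0</Confidence></InstanceInfo>
   <AnalysisInfo><Unified><Trace><Primary>
    <Entry><Node isDefault="true"><SourceLocation path="src/Main.java" line="9" colStart="0" colEnd="0"/></Node></Entry>
   </Primary></Trace></Unified></AnalysisInfo>
  </Vulnerability>
 </Vulnerabilities>
</FVDL>
"""


def build_sample_fpr() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audit.fvdl", SAMPLE_FVDL)
    return buf.getvalue()


if __name__ == "__main__":
    found = findings_from_fpr(build_sample_fpr())
    for f in found:
        print(f"{f.severity:.1f} {f.kingdom} / {f.category} @ {f.path}:{f.line}")
    print("step result:", gate(found))
```

The gate reads only InstanceSeverity; a chain that also runs the Fortify SSC plugin would normally leave the findings import to SSC (see the note under step 6) and keep only the step status logic on the agent side.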


See also: