Set up an integration with Fortify

This topic explains how to set up an integration with Fortify, bringing security testing into your development cycle.

Overview of the integration with Fortify

This section provides an overview of the Fortify integration and describes its benefits.

What is Fortify?

Fortify is an application security testing service. It performs static code analysis on your application's code, assessing it for potential security vulnerabilities. It can be cloud-based or installed on premises.

Why integrate ValueEdge with Fortify?

Integrate ValueEdge with Fortify to bring security testing into your development cycle:

  • Identify security vulnerabilities soon after they are introduced into the code and correct them.

  • Raise developers' awareness, encouraging them to avoid introducing vulnerabilities.

Tip: If you are using a static code analysis tool other than Fortify, you can inject security vulnerability issues detected by the tool into ValueEdge using the ValueEdge REST API. For details, see Add vulnerability issues into ValueEdge.

How does the integration work?

After reviewing the vulnerabilities, you can create a relevant defect to fix your code, or dismiss and close the issue. For details, see Track security vulnerabilities.

Important privacy note: If your Fortify data contains personally identifiable information (PII), contact your system administrators to check the geographical locations of the Fortify data farm and the ValueEdge server. If the two are located in different geographical locations, verify with your chief information security officer or privacy office that this integration complies with your regional regulations.

Back to top

Integrate Fortify and ValueEdge with Jenkins

This section describes how to set up the integration for Fortify on Demand and the Fortify Software Security Center.

Back to top

Create a pipeline in ValueEdge

This section describes how to set up pipeline that integrates Fortify on Demand and the Fortify Software Security Center.

To set up a pipeline:

  1. In the Pipelines > Pipelines page, add a new pipeline.

  2. In the Type field, select Security.

Depending on your integration, the following then occurs:

  • Fortify on Demand: After this pipeline runs successfully, ValueEdge polls the Fortify on Demand server, waiting to retrieve the assessment results.

  • Fortify Software Security Center: The Jenkins plugin checks periodically if there are new scan results in the Software Security Center database. If there are, the new security data is injected to ValueEdge and is displayed on the corresponding pipeline run.

Back to top

Configuration options

This section describes how to set the configuration options for Fortify on Demand and the Fortify Software Security Center.

For details, see Configuration parameters.

Back to top

See also: