Set up an integration with Fortify

This topic explains how to set up an integration with Fortify, bringing security testing into your development cycle.

Overview of Fortify integration

Fortify is an application security testing service. It performs static code analysis on your application's code, assessing it for potential security vulnerabilities. It can be cloud-based or installed on premises.

Integrating with Fortify can bring security testing into your development cycle in the following ways:

  • Identifying security vulnerabilities soon after they are introduced into the code, so they can be corrected

  • Raising developers' awareness and helping them avoid introducing vulnerabilities

Tip: If you are using a static code analysis tool other than Fortify, you can inject security vulnerability issues detected by the tool into ValueEdge using the ValueEdge REST API. For details, see Add vulnerability issues into ValueEdge.

Fortify integration tools

You can integrate with Fortify using the following tools.

After reviewing the vulnerabilities, you can create a relevant defect to fix your code, or dismiss and close the issue. For details, see Track security vulnerabilities.

Important privacy note: If your Fortify data contains personally identifiable information (PII), contact your system administrators to check the geographical locations of the Fortify data farm and the ValueEdge server. If the two are located in different geographical locations, verify with your chief information security officer or privacy office that this integration complies with your regional regulations.

Back to top

Integrate Fortify and ValueEdge with Jenkins

This section describes how to set up the integration for Fortify on Demand and the Fortify Software Security Center.

Back to top

Create a pipeline in ValueEdge

This section describes how to set up pipeline that integrates Fortify on Demand and the Fortify Software Security Center.

To set up a pipeline:

  1. In the Pipelines > Pipelines page, add a new pipeline.

  2. In the Type field, select Security.

Depending on your integration, the following then occurs:

  • Fortify on Demand: After this pipeline runs successfully, ValueEdge polls the Fortify on Demand server, waiting to retrieve the assessment results.

  • Fortify Software Security Center: The Jenkins plugin checks periodically if there are new scan results in the Software Security Center database. If there are, the new security data is injected to ValueEdge and is displayed on the corresponding pipeline run.

Back to top

Configuration options

This section describes how to set the configuration options for Fortify on Demand and the Fortify Software Security Center.

For details, see Configuration parameters.

Back to top

See also: