Requirements for Fortify Static Code Analyzer tasks

Before you run a scan on your application, make sure that you have the following items needed to configure the Fortify Static Code Analyzer installation and that you have completed the preparation steps:

  • A Fortify license file (fortify.license)
  • To run Fortify scans in your build definitions, you must first set up a build agent pool of agents that are configured with all the prerequisites to build the application.

    To prepare an agent for the analysis, install the required build software based on your target application's source code, and then confirm that you can successfully build your application on the agent.

    The Fortify Static Code Analyzer tasks are not supported on Microsoft-hosted agents. OpenText recommends a minimum of 16 GB of RAM and a quad-core processor to run Fortify Static Code Analyzer.

  • To scan .NET projects, the agent must have either a full installation of Visual Studio with devenv included in the PATH environment variable, or a supported version of the .NET SDK and .NET Framework. For more information, see Fortify Software System Requirements.

    One way to make devenv available on the path is to launch the Developer Command Prompt and run the agent's configureAgent or runAgent scripts from it to connect to Azure DevOps.

  • You can perform the scan phase on the local agent or remotely using Fortify ScanCentral SAST. To run a scan with Fortify ScanCentral SAST, you must have the following:

    • A Fortify Software Security Center server that is configured to integrate with ScanCentral SAST Controller
    • A Fortify Software Security Center authentication token of type CIToken
  • To trigger a build failure based on scan results produced with Fortify ScanCentral SAST, you must use Fortify ScanCentral SAST version 22.1.0 or later (see Adding a Fortify Static Code Analyzer Scan as a Build Step).

  • To upload the scan results to Fortify Software Security Center, you must have a Fortify Software Security Center authentication token of type CIToken.
  • To perform the scan using Fortify ScanCentral SAST and to upload scan results to Fortify Software Security Center, you need to set up an Azure DevOps service connection to Fortify Software Security Center.

    Create a Generic service connection and provide the Fortify Software Security Center server URL and the encoded value of a Fortify Software Security Center authentication token of type CIToken. Leave the username box empty.
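
The agent-side requirements above can be checked before the agent is added to the pool. The following PowerShell script is an added example, not part of the OpenText documentation or tooling. It assumes a self-hosted Windows agent, and the `LicensePath` parameter and its default value are placeholders to replace with the real location of fortify.license.

```powershell
# Added example: pre-flight check for a self-hosted Windows build agent.
param(
    # Assumption: where fortify.license sits on this agent (placeholder path).
    [string]$LicensePath = 'C:\path\to\fortify.license'
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
}

# Recommended minimum: 16 GB of RAM. Windows reports slightly less than the
# installed amount, so 15.5 GB is used as the threshold (an assumption).
$ramGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
Add-Check 'RAM (16 GB recommended)' ($ramGB -ge 15.5) "$ramGB GB reported"

# Recommended minimum: quad-core processor (cores summed across all sockets).
$cores = (Get-CimInstance Win32_Processor | Measure-Object NumberOfCores -Sum).Sum
Add-Check 'CPU (quad-core recommended)' ($cores -ge 4) "$cores cores"

# The license file must exist as a regular file.
Add-Check 'fortify.license present' (Test-Path -LiteralPath $LicensePath -PathType Leaf) $LicensePath

# .NET scanning: devenv on PATH, or a .NET SDK. Versions are only listed here;
# compare them against Fortify Software System Requirements yourself.
$devenv = Get-Command devenv -ErrorAction SilentlyContinue
$sdks = @()
if (Get-Command dotnet -ErrorAction SilentlyContinue) { $sdks = @(& dotnet --list-sdks) }
if ($devenv) {
    $detail = "devenv: $($devenv.Source)"
} elseif ($sdks.Count -gt 0) {
    $detail = "dotnet SDKs: $($sdks -join '; ')"
} else {
    $detail = 'neither devenv nor a .NET SDK found on PATH'
}
Add-Check '.NET toolchain on PATH' (($null -ne $devenv) -or ($sdks.Count -gt 0)) $detail

# Print the table and fail the run if any check did not pass.
$results | Format-Table -AutoSize
if ($results.Ok -contains $false) { exit 1 }
```

Run the script from the same environment that starts the agent (for example, the Developer Command Prompt), so that the PATH it inspects matches the one the agent's build tasks will see.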