Introduction
The Fortify Azure DevOps Extension (formerly the Fortify VSTS Extension) adds static and dynamic analysis to your continuous integration (CI) and continuous delivery (CD) builds. This integration helps you identify application vulnerabilities earlier in the software development lifecycle.
This document describes how to use the Fortify Azure DevOps Extension. This document assumes that you have a working knowledge of Azure DevOps and know how to use Azure Pipelines for your CI/CD solutions. This extension includes the tasks described in the following table.
If you use any Fortify Azure DevOps task that requires access to an external server such as Fortify Software Security Center or Fortify ScanCentral (SAST or DAST), and that server's certificate is self-signed, then you must extend the predefined root certificate authority (CA) list of Node.js with the extra certificates. Do this by setting the NODE_EXTRA_CA_CERTS environment variable to the path of a PEM file containing them. For more information, see the Node.js command-line options documentation.
| Task (version) | Description | More information |
|---|---|---|
| Fortify Static Code Analyzer Install (8.x) | The Fortify Static Code Analyzer Installation task automatically installs and configures Fortify Static Code Analyzer. | Getting Started with Fortify Static Code Analyzer |
| Fortify Static Code Analyzer Assessment (7.x) | The Fortify Static Code Analyzer Assessment task enables you to run Fortify Static Code Analyzer as a build step. After the analysis is complete, the scan results are available as a Fortify Project Results (FPR) file. You can publish the FPR as a build artifact. To review the scan results, download this artifact and open it in either Fortify Audit Workbench or Fortify Software Security Center. You can also configure the task to upload the scan results to a Fortify Software Security Center server. | Getting Started with Fortify Static Code Analyzer |
| Fortify on Demand Static Assessment (9.x) | The Fortify on Demand Static Assessment task submits a static scan request and uploads code to Fortify on Demand as a build step. The scan results are available in Fortify on Demand. | Getting Started with Fortify on Demand |
| FoD DAST Automated (2.x) | The FoD DAST Automated task submits an automated dynamic scan request to Fortify on Demand as a build step. The scan results are available in Fortify on Demand. | |
| Fortify ScanCentral SAST Assessment (7.x) | The Fortify ScanCentral SAST Assessment task submits a static scan request to a ScanCentral SAST Controller (using a ScanCentral SAST client) as a build step. You can also configure the task to upload the scan results to Fortify Software Security Center. | Getting Started with Fortify ScanCentral SAST |
| Fortify ScanCentral DAST Assessment (7.x) | The Fortify ScanCentral DAST Assessment task submits a dynamic scan request to Fortify ScanCentral DAST as a build step. You can view the scan results in Fortify Software Security Center. | Getting Started with Fortify ScanCentral DAST |
| Fortify WebInspect Dynamic Assessment (7.x) | The Fortify WebInspect Dynamic Assessment task automatically submits a dynamic scan request to Fortify WebInspect as a build step. Fortify WebInspect scans your Web application or Web services for vulnerabilities based on the settings specified in the Scan Settings file. Note: this task no longer exists; it was removed in 9.5. | Getting Started with Fortify WebInspect |
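The NODE_EXTRA_CA_CERTS setup described in the note above, as an added Azure Pipelines example that is not part of the extension's own documentation: the Secure File name `fortify-internal-ca.pem`, the step name `internalCA` and the Fortify task line are assumptions; the bundle is checked before any Fortify task depends on it.

```yaml
# Added example: trust a self-signed SSC / ScanCentral certificate in a pipeline
# by extending the Node.js CA list rather than disabling TLS verification.
# Assumptions: the internal CA bundle (PEM) is uploaded under Library > Secure files
# as "fortify-internal-ca.pem"; the Fortify task at the end is a placeholder.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  # 1. Fetch the CA bundle from Secure files (access-controlled and audited,
  #    unlike a PEM committed to the repository).
  - task: DownloadSecureFile@1
    name: internalCA
    inputs:
      secureFile: fortify-internal-ca.pem

  # 2. Validate the bundle before any Fortify task uses it: at least one PEM
  #    certificate must be present and the first one must parse, so a bad
  #    upload fails here with a clear message instead of as a TLS error later.
  - script: |
      set -e
      bundle="$(internalCA.secureFilePath)"
      count=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
      [ "$count" -ge 1 ] || { echo "no PEM certificates found in $bundle"; exit 1; }
      echo "CA bundle contains $count certificate(s)"
      openssl x509 -in "$bundle" -noout -subject -issuer -enddate
      # Node.js reads NODE_EXTRA_CA_CERTS at process start, so expose the path
      # as a pipeline variable for every later task in this job.
      echo "##vso[task.setvariable variable=NODE_EXTRA_CA_CERTS]$bundle"
    displayName: Validate CA bundle and set NODE_EXTRA_CA_CERTS

  # 3. Run the Fortify task that talks to SSC or ScanCentral. Do not work
  #    around certificate errors with NODE_TLS_REJECT_UNAUTHORIZED=0: that turns
  #    off verification for the whole process and lets any host impersonate
  #    the server that receives your source code and scan results.
  - task: FortifyScanCentralSAST@7   # assumed task id; replace with the Fortify task you use
    inputs:
      # the task's own inputs (controller URL, SSC URL, tokens) go here
```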