Adding a Dynamic Assessment Task
You can add the Fortify on Demand Dynamic Assessment task to your pipeline using the classic editor or YAML editor in Azure DevOps. The following instructions describe how to add a dynamic assessment to a build pipeline through the YAML editor.
Build pipelines can be defined using the classic editor or YAML editor; release pipelines can be defined using the classic editor.
To add a dynamic assessment task:
- In an Azure DevOps project, navigate to your existing build pipeline.
- Click Edit.
- Select Fortify on Demand Dynamic Assessment from the list.
  The dynamic assessment task settings appear.
- Complete the following fields:

| Field | Description |
| --- | --- |
| Display name | Type a name for the task. |
| The root API Url | Type the API root URL of your Fortify on Demand data server. |
| Release Id | Type the release ID. |

- In the Authentication Methods section, complete the following fields:

| Field | Description |
| --- | --- |
| API Authentication Type | Select the method of authentication: API Key/Secret or Personal Access Token. Provide the API key and secret or your account username, personal access token, and tenant ID. OpenText recommends using secret build variables to specify the Fortify on Demand credentials. |
| Proxy host | (Optional) Type the URL of the proxy server. |
| Proxy port | (Optional) Type the port of the proxy server. |

- In the Entitlement Options section, complete the following fields:

| Field | Description |
| --- | --- |
| Entitlement Preference | Select the entitlement preference. If multiple entitlements are available, the scan will use the oldest entitlement. If the release has an active subscription, the scan will use the active subscription. |
| Purchase Entitlements | (Optional) Select the check box to purchase an entitlement if none is available for the specified entitlement preference. The purchase entitlements feature must be enabled for the tenant. |
| Prefer Remediation | Select the check box to run a remediation scan if one is available. |

- Click Add.
The YAML code for the task is added to your build pipeline. The YAML code specifies the latest version of the extension.
- Save the settings.
If a scan is successfully submitted during the pipeline run, the task will be marked as succeeded. If the scan is rejected, the build logs will display the appropriate error message.