Adding a Static Assessment task

You can add the Fortify on Demand Static Assessment task to your build pipeline using the classic editor or the YAML editor in Azure DevOps. The following instructions describe how to add a static assessment task to a build pipeline using the YAML editor.

The Fortify on Demand Static Assessment task does not support release pipelines.

To add a static assessment task:

  1. In an Azure DevOps project, navigate to your existing build pipeline.
  2. Click Edit.
  3. Find and select Fortify on Demand Static Assessment from the task list.

    The static assessment task settings appear.

  4. Complete the following fields:

    Field Description
    Source code location

    Specify the path on the agent where the source code files are located. You can use predefined variables for the source code directory, such as $(Build.SourcesDirectory). Do not use $(Build.ArtifactStagingDirectory) or $(Build.ArtifactDirectory), as these locations can cause errors when compressing the source code prior to transmission.

    ScanCentral file location

    Specify the path on the agent where the Fortify ScanCentral SAST client executable is located. For example, C:\Program Files\Fortify_ScanCentral_Client_21.1.0_x64\bin. If the field is left empty, the latest version of the Fortify ScanCentral SAST client will automatically be downloaded on the agent.

    The Fortify ScanCentral SAST version and the installed Java version must be compatible. If the Java version is incompatible, the task will fail.

    Fortify Connection

    Select an existing service connection or click +New to add a new service connection. For more information, see Adding Fortify on Demand credentials in Azure DevOps.
  5. In the Application/Release Options section, select the method of identifying the release from the Pick a Release list:

    • Release ID
    • BSI Token
    • New Application and Release
  6. Follow the procedure for the selected method:

    Method Procedure

    Release ID

    In the Release ID field, specify the release ID.

    The release must have saved scan settings in the portal in order for the release ID to be used as a token.

    BSI Token

    In the Build Server Integration Token field, specify the BSI token.

    New Application and Release

    Complete the following fields to create an application and/or release:

    • Application Name: specify the application name. If a unique value is provided, an application will be created.

      If you are working with an existing application, updates to application settings will be applied where applicable.

    • Business Criticality: select the business criticality.
    • Application Attributes: specify required and optional application attributes as <attributeName1>: <attributeValue1>; <attributeName2>: <attributeValue2>; ...

    • Application Type (not applicable to existing applications): select the application type.
    • Microservice Application (not applicable to existing applications): select the check box to scan the application as a microservice application. The microservice feature must be enabled for the tenant.

    • Microservice Name: If the application consists of microservices, specify the microservice name. If a unique value is provided, a microservice will be created.

      An application can have a maximum of 10 microservices.

    • Release Name: specify the release name. A unique value must be provided.
    • SDLC Status: select the SDLC status.
    • Owner ID: specify the owner ID.
  7. In the Entitlement Options section, complete the following fields:

    Field Description
    Entitlement Options

    Select the method of determining the entitlement to use:

    • User-selected entitlement: the user specifies the entitlement. Provide the entitlement ID in the Entitlement ID field.
    • Auto-selected entitlement: Fortify on Demand determines the entitlement. If multiple entitlements are available, the scan will use the oldest entitlement.

    If the release has an active subscription, the scan will use the active subscription.

    Entitlement Preference

    Select the entitlement preference.

    Purchase Entitlements

    (Optional, available for Auto-selected entitlement) Select the check box to purchase an entitlement if none is available for the specified entitlement preference. The purchase entitlements feature must be enabled for the tenant.

  8. In the Scan Options section, complete the following fields:

    Updates to scan settings are retained for subsequent scans.

    Field Description
    Choose Scan Settings Source

    Select the method of specifying the scan settings:

    • Create/Override Existing Scan Settings if any (required if you are creating a release)

      Complete the following fields:

      • Assessment Type ID: specify the assessment type ID.
      • Audit Preference: select the audit preference.
    • Use Existing Saved Scan Settings
    Action if Scan In Progress

    If the release has an in progress scan, select the action to take:

    • Do Not Start Scan: do not start a new scan and fail the task.

    • Cancel Scan In Progress: cancel the scan in progress and start a new scan (if the scan in progress can be automatically canceled).

    • Queue: queue the scan (if the scan queue limit has been reached, the scan will be canceled).

    Remediation Preference Type

    Select whether to run a remediation scan.

    Build Type

    Select the method of packaging the application files. All selections except for None invoke the Fortify ScanCentral SAST client to package the application files.

  9. Follow the procedure for the selected build type:

    Field Procedure
    Go (ScanCentral)

    Open Source Component Analysis: select the check box to include open source component analysis.[1]

    Maven, Gradle

    Complete the following fields:

    • Technology Stack: select the technology stack.[2]
    • Language Level: select the language level.[2]
    • Open Source Component Analysis: select the check box to include open source component analysis.[1][2]

    • Build Command: (Optional) specify custom build parameters for preparing and building a project. For example, to invoke a Gradle build before packaging: -Prelease=true clean customTask build

    • Build File: (Optional) specify the path on the agent where the build file is if you are not using a default name such as build.gradle or pom.xml. For example, myCustomBuild.gradle

    • Include Tests: (Optional) select the check box to include the test source set (Gradle) or a test scope (Maven) with the scan.
    • Skip Build: (Optional) select the check box to disable the project preparation build step before packaging.

    DotNet, MSBuild

    Packaging using MSBuild is only available on Windows agents. The MSBuild executable must be added to the PATH environment variable. You can set the environment variable by running the Batch Script task before the Static Assessment task. Set filename to the path of VsDevCmd.bat and modifyEnvironment to true. For detailed instructions on configuring the Batch Script task, see https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/utility/batch-script?view=azure-devops.

    If you are using a Microsoft-hosted agent, see https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml to determine the path of VsDevCmd.bat. For example, for the Windows Server 2019 with Visual Studio 2019 agent, the path is C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\Tools\VsDevCmd.bat.

    Complete the following fields:

    • Technology Stack: select the technology stack.[2]
    • Language Level: select the language level.[2]
    • Open Source Component Analysis: select the check box to include open source component analysis.[1][2]

    • Build Command: (Optional) specify custom build parameters for preparing and building a project.
    • Build File: specify the path on the agent where the build file is located. For example, mySolution.sln.
    • Skip Build: (Optional, MSBuild only) select the check box to disable the project preparation build step before packaging.

      Skip Build is not supported in Fortify ScanCentral SAST versions 21.1.2 and later.

    PHP (ScanCentral)

    Open Source Component Analysis: select the check box to include open source component analysis.[1]

    Python

    Complete the following fields:

    • Python Version: select the language level.[2]
    • Open Source Component Analysis: select the check box to include open source component analysis.[1][2]

    • Python Virtual Environment: specify the Python virtual environment location.
    • Python Requirements File: specify the Python project requirements file to install and collect dependencies.
    None

    Complete the following fields:

    • Technology Stack: select the technology stack.[2]
    • Language Level: if applicable, select the language level.[2]
    • Open Source Component Analysis: select the check box to include open source component analysis.[1][2]

    [1] If your tenant has Debricked entitlements, OpenText recommends using version 22.1.2 or later of the Fortify ScanCentral SAST client, which packages the files required for a Debricked open source scan. Otherwise, manually generate the files and include them in the payload. For instructions on generating these files, see the Fortify on Demand documentation.

    [2] Available if you are configuring scan settings.

  10. In the Poll Options section, complete the following fields:

    Field Description
    Polling Interval

    Specify the length of time in minutes between polling for static and open source scan statuses and results. The default value is 1. A value of 0 disables polling.

    Polling stops once either the static or open source scan is canceled, paused, or completed.

    Action if Failing Policy

    Select whether to complete the task and throw a warning or fail the task based on the application security policy set by your organization.
  11. Click Add.

    The YAML code for the task is added to your pipeline. The YAML code by default specifies the latest version of the extension.

  12. Save the settings.

If a scan is successfully submitted during the pipeline run, the task will be marked as succeeded. If the scan is rejected, the build logs will display the appropriate error message.
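As an added example (not from the original page or the extension's own documentation), the following pipeline fragment shows the MSBuild preparation described in step 9: the Batch Script task loads VsDevCmd.bat with modifyEnvironment set to true, a check step confirms MSBuild is on the PATH before the assessment runs, and the Static Assessment task emitted by the YAML editor in step 11 follows. The windows-2019 image name and the `where msbuild` check are assumptions; the VsDevCmd.bat path is the one given in step 9.

```yaml
# Added example, not from the original page: pipeline fragment for the
# DotNet/MSBuild build type (step 9). The Fortify task itself is emitted
# by the YAML editor (step 11) and is left as a placeholder below.
trigger:
  - main

pool:
  # Assumption: Microsoft-hosted Windows Server 2019 / Visual Studio 2019 image.
  vmImage: windows-2019

steps:
  - checkout: self

  # Run VsDevCmd.bat so MSBuild is on the PATH. modifyEnvironment: true is
  # what carries the variables it sets forward into the later steps; without
  # it the PATH change is lost when the batch script exits.
  - task: BatchScript@1
    displayName: Put MSBuild on the PATH (VsDevCmd.bat)
    inputs:
      filename: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\Tools\VsDevCmd.bat'
      modifyEnvironment: true

  # Added check: "where" exits non-zero when msbuild is not found, so the
  # pipeline fails here with a clear message instead of inside the
  # packaging step of the static assessment task.
  - script: where msbuild
    displayName: Verify MSBuild is on the PATH

  # Fortify on Demand Static Assessment task, as added by the YAML editor in
  # step 11, goes here. Point its source code location at
  # $(Build.SourcesDirectory), not $(Build.ArtifactStagingDirectory) (step 4).
  # - task: <Fortify on Demand Static Assessment task emitted by the editor>
```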