Requirements for the Fortify ScanCentral SAST task
Make sure that your environment meets the requirements described in this section before you use the Fortify ScanCentral SAST task in your build. This section also includes preparation steps and the information you need to have on hand to use the task.
The Fortify ScanCentral SAST task is available with Fortify ScanCentral SAST versions 20.2.0 or later.
To trigger a build failure based on the scan results, you must use Fortify ScanCentral SAST version 22.1.0 or later (see Upload results to SSC).
Fortify ScanCentral SAST runs on a Java Virtual Machine. Make sure that you have a Java Virtual Machine installed on the agent. You can use the Java tool installer task in your pipeline to install it.
You can run the Fortify ScanCentral SAST Assessment task on a Microsoft-hosted agent that might already have a Java Virtual Machine installed.
Java 17 must be installed on the agent for Fortify ScanCentral SAST client version 24.2.0 or later.
For Fortify ScanCentral SAST client version 24.2.0 or later, set the SCANCENTRAL_JAVA_HOME environment variable to Java version 17. For Fortify ScanCentral SAST client version 23.2.0 or earlier, set SCANCENTRAL_JAVA_HOME to Java version 11.
To connect to Fortify ScanCentral SAST, you must have one of the following:
The Fortify ScanCentral SAST Controller URL
The Fortify Software Security Center URL and a Fortify Software Security Center authentication token of type CIToken (the task determines the Controller information from Fortify Software Security Center)
Define an Azure DevOps variable that contains the decoded value of this token. By default, the extension uses a variable with the name ScanCentral.SscCiToken.
If the Fortify ScanCentral SAST Controller or Fortify Software Security Center URL uses SSL with a self-signed or untrusted certificate, you might need to add the certificate to the trusted certificates as follows:
On the agent's certificate store—To allow the Fortify Azure DevOps Extension to download and install the Fortify ScanCentral SAST client. See the Azure DevOps documentation for how to run with a self-signed certificate.
In the Java keystore—To allow the Fortify ScanCentral SAST client to connect to Fortify ScanCentral SAST Controller and Fortify Software Security Center. Use the Java keytool to import a trusted certificate.
Define an Azure DevOps variable that contains the value of the Fortify ScanCentral SAST client_auth_token property for the Controller. By default, the extension uses a variable with the name ScanCentral.ClientToken.
Your project must be in one of the supported languages. For a list of languages that are supported for project translation, see the Fortify Software System Requirements in Fortify Software Security Center Documentation.
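A preflight check for the SCANCENTRAL_JAVA_HOME requirement above, as an added example that is not part of the Fortify documentation or extension. The function names are hypothetical, and it assumes the JDK ships the standard release file with a JAVA_VERSION line; client versions between 23.2.0 and 24.2.0 are reported as not covered because this page states no requirement for them.

```shell
#!/bin/sh
# Added example: checks SCANCENTRAL_JAVA_HOME against the Java version this page
# requires for a given ScanCentral SAST client version. Function names are
# hypothetical; only SCANCENTRAL_JAVA_HOME comes from the page.

# Turn "24.2.0" into a comparable integer (24*10000 + 2*100 + 0).
# The body runs in a subshell so the IFS change does not leak to the caller.
version_num() (
    IFS=.
    set -- $1
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
)

# Print the Java major version required for a client version.
# Returns 1 for versions the page does not cover, 2 for malformed input.
required_java_major() {
    case $1 in ''|*[!0-9.]*) return 2 ;; esac
    n=$(version_num "$1")
    if [ "$n" -ge 240200 ]; then echo 17      # 24.2.0 or later
    elif [ "$n" -le 230200 ]; then echo 11    # 23.2.0 or earlier
    else return 1
    fi
}

# Read the major version from a JDK's "release" file (JAVA_VERSION="17.0.9").
java_home_major() {
    [ -r "$1/release" ] || return 1
    v=$(sed -n 's/^JAVA_VERSION="\{0,1\}\([0-9][0-9.]*\).*/\1/p' "$1/release" | head -n 1)
    [ -n "$v" ] || return 1
    case $v in 1.*) v=${v#1.} ;; esac         # legacy "1.8.0" numbering
    echo "${v%%.*}"
}

# Exit status 0 means SCANCENTRAL_JAVA_HOME matches the requirement.
check_scancentral_java() {
    want=$(required_java_major "$1") || {
        echo "no Java requirement stated for client version $1" >&2; return 2; }
    have=$(java_home_major "${SCANCENTRAL_JAVA_HOME:-}") || {
        echo "SCANCENTRAL_JAVA_HOME is unset or does not point at a JDK" >&2; return 3; }
    [ "$have" = "$want" ] && return 0
    echo "client $1 needs Java $want, SCANCENTRAL_JAVA_HOME has Java $have" >&2
    return 1
}
```

Run `check_scancentral_java 24.2.0` in a script step on the agent before the scan step so a mismatched JDK fails the build early with a clear message.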