Adding a Fortify ScanCentral SAST Assessment task

Use the Fortify ScanCentral SAST Assessment task to perform a remote Fortify Static Code Analyzer analysis using Fortify ScanCentral SAST as part of your build. The project is automatically packaged and then uploaded to Fortify ScanCentral SAST for security analysis. You can also upload the scan results to Fortify Software Security Center.

This task automatically installs a Fortify ScanCentral SAST client from the Fortify ScanCentral SAST Controller on the agent if it is not already installed. In addition, if the Controller version you are using is newer than the Fortify ScanCentral SAST client already installed on the agent, then the task automatically installs the newer version. Make sure that you have enabled auto-updates of Fortify ScanCentral SAST clients from the Controller. The Fortify ScanCentral SAST client is installed in the Azure DevOps Pipelines tool cache.

For detailed information about how to use Fortify ScanCentral SAST, see OpenText™ Fortify ScanCentral SAST Installation, Configuration, and Usage Guide in Fortify Software Security Center Documentation.

To configure a Fortify ScanCentral SAST Assessment task:

  1. In an Azure DevOps project, navigate to your existing build pipeline.

  2. Click Edit.

  3. Find and add the Fortify ScanCentral SAST Assessment task.

  4. In the Server Information section, provide the information described in the following table.

    Field Description
    ScanCentral Controller URL

    (Optional) Type the URL for the Fortify ScanCentral SAST Controller. The correct format for the Controller URL is: <protocol>://<controller_host>:<port>/scancentral-ctrl (for example: https://myControllerHost.com:8443/scancentral-ctrl).

    If you do not provide the Controller URL, then you must provide the SSC URL and the SSC continuous integration token.

    ScanCentral client authentication token

    Type a defined variable that contains the value of the client_auth_token property for the Fortify ScanCentral SAST Controller. This secures the Controller for authorized clients only. See OpenText™ Fortify ScanCentral SAST Installation, Configuration, and Usage Guide in Fortify Software Security Center Documentation for more information.

    SSC URL

    (Optional) Type the URL for the Fortify Software Security Center server.

    The SSC URL is required if you are uploading the scan results to Fortify Software Security Center and if you do not provide a Fortify ScanCentral SAST Controller URL.

    SSC continuous integration token

    Type a defined variable that contains the decoded value of a Fortify Software Security Center authentication token of type CIToken.

    The SSC continuous integration token is required if you provide an SSC URL and if you are uploading scan results to Fortify Software Security Center.

    Upload results to SSC

    (Optional) To upload the scan results (FPR file) to Fortify Software Security Center, do the following:

    1. Select Upload results to SSC.
    2. Specify an application version that exists in Fortify Software Security Center by providing one of the following:

      • An application name and an application version name.

      • A Fortify Software Security Center application version ID.

      If you provide both an application name and version and an application version ID, the extension uses the application version ID for the upload regardless of the selected application version type.

    3. (Optional) To trigger a build failure based on the scan results, type a search query in the Build failure criteria box.

      For example, the following search query causes the build to fail if any critical issues exist in the scan results:

      [fortify priority order]:critical

      See OpenText™ Fortify Software Security Center User Guide in Fortify Software Security Center Documentation for a description of the search query syntax.

      By default, the task returns a warning when the build failure criteria is met. To fail the build instead, select FAIL from the Task results when build failure criteria is met list.

    4. (Optional) To specify how long to poll Fortify Software Security Center to determine if FPR processing is finished, type the time in minutes in the Polling timeout box.

      If no value or a value of 0 is specified, polling continues until FPR processing finishes or stops due to errors. The valid values are 0–10080.

    5. (Optional) To specify how frequently to poll Fortify Software Security Center to determine if the FPR processing is finished, in the Polling interval box, specify an interval (in minutes).

      The valid values are 1–60 and the default value is 1 minute.
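As an added example (not part of the extension or its documentation), the following Python pre-flight check encodes the Server Information rules above: the Controller URL shape, the SSC URL and CI token that become mandatory without a Controller URL or when uploading, the application version ID taking precedence over name and version, and the polling ranges. The dataclass field names and sample values are assumptions, not the task's input names.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class ServerInfo:
    """Hypothetical mirror of the task's Server Information fields (names assumed)."""
    controller_url: str = ""      # ScanCentral Controller URL (optional)
    ssc_url: str = ""             # SSC URL (optional)
    ssc_ci_token: str = ""        # SSC continuous integration token (a pipeline variable)
    upload_to_ssc: bool = False   # Upload results to SSC
    app_name: str = ""            # application name
    app_version: str = ""         # application version name
    app_version_id: str = ""      # SSC application version ID
    polling_timeout: int = 0      # minutes; 0 = poll until FPR processing finishes
    polling_interval: int = 1     # minutes


def controller_url_ok(url: str) -> bool:
    """Accept only <protocol>://<controller_host>:<port>/scancentral-ctrl."""
    p = urlparse(url)
    return (p.scheme in ("http", "https") and bool(p.hostname)
            and p.port is not None and p.path == "/scancentral-ctrl")


def validate(cfg: ServerInfo) -> list[str]:
    """Return the configuration problems found; an empty list means the task can run."""
    problems = []
    has_ssc = bool(cfg.ssc_url and cfg.ssc_ci_token)
    if cfg.controller_url:
        if not controller_url_ok(cfg.controller_url):
            problems.append("Controller URL must be <protocol>://<host>:<port>/scancentral-ctrl")
    elif not has_ssc:
        # No Controller URL: the task then needs both SSC URL and SSC CI token.
        problems.append("without a Controller URL, SSC URL and SSC CI token are both required")
    if cfg.upload_to_ssc:
        if not has_ssc:
            problems.append("uploading results requires SSC URL and SSC CI token")
        if not (cfg.app_version_id or (cfg.app_name and cfg.app_version)):
            problems.append("uploading requires an application version ID or an application name and version")
        if not 0 <= cfg.polling_timeout <= 10080:
            problems.append("Polling timeout must be 0-10080 minutes")
        if not 1 <= cfg.polling_interval <= 60:
            problems.append("Polling interval must be 1-60 minutes")
    return problems


def upload_target(cfg: ServerInfo) -> tuple:
    """The application version ID wins when both it and name/version are given."""
    if cfg.app_version_id:
        return ("id", cfg.app_version_id)
    return ("name", cfg.app_name, cfg.app_version)
```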

  5. In the Translation Options section:

    • Select the Automatically detect build tool option to have the task detect the build tool automatically.

      On Windows agents, if you select the Automatically detect build tool option, the default build tool is MSBuild.

      On Linux agents, if you select the Automatically detect build tool option, the default build tool is DotNet.

      If you want to use DotNet as the build tool on a Windows agent, you must explicitly select DotNet from the Build tool list.

    • If you selected DotNet, Gradle, Maven, or MSBuild in the Build tool list, provide the information described in the following table.

      Field Description
      Build command

      (Optional) Type any custom build commands to prepare and build the project. If not specified, the default build command is used.

      Build file

      (For DotNet, Gradle, or Maven) Type the name of the build file if it is different from the default of build.sln, build.gradle, or pom.xml.

      (For MSBuild) Type the name of the build file.

      Additional Fortify SCA translation options

      Specify a list of Fortify Static Code Analyzer translation options separated by a new line (one per line).

      Excludes

      Specify the relative paths of files or directories to exclude from the package, separated by a new line (one per line).

      Skip build

      Select whether to skip the build invocation that prepares the generated sources and libraries before the project information is packaged for submission to Fortify ScanCentral SAST.

      Include test

      (For Gradle and Maven projects only) Select whether to include the test source set (Gradle) or the test scope (Maven) in the scan.

      Exclude disabled projects

      (For MSBuild projects only) Select whether to skip projects that are either explicitly excluded from the build in the solution or skipped during the build due to platform and configuration settings.

      This setting is only valid with Fortify ScanCentral SAST versions 21.1.2 and earlier.

    • If you selected none for the build tool, provide the information described in the following table.

      Field Description
      Skip build

      Select the check box to disable the project preparation build step before packaging.

      Include node_modules dependencies

      (Optional) Select whether to restore dependencies to the node_modules directory before the scan.

      Python version

      (Optional) Select the Python version for Python projects.

      Python requirements file

      (Optional) Type the name of the Python project requirements file used to install and collect dependencies. Use this field on its own (without selecting a Python version) only if you have no preference for the Python version used, or if only one Python version is installed and on the PATH.

      Python virtual environment

      (Optional) Type the location (directory) of the Python virtual environment. Specify this together with the Python requirements file to have dependencies restored before the scan.

      PHP version

      (Optional) Type the PHP version used in the project.

      Translate Apex project

      Select this option if your project consists of Apex and Visualforce code.

      Translate SQL project

      Select this option if your project is an SQL project, and then select whether the project is PL/SQL or T-SQL.

  6. (Optional) In the Scan Options section, provide the information described in the following table.

    Field Description
    Filter file

    Type the name of a filter file to filter out specific vulnerability categories, rules, and vulnerability instances from the analysis. For more information, see OpenText™ Fortify Static Code Analyzer User Guide in Fortify Static Code Analyzer and Tools Documentation.

    Issue template

    Type an issue template to include for the scan. An issue template determines how issues uncovered in your project are filtered and sorted.

    Custom Rulepacks

    Specify any custom rules files (*.xml) separated by spaces, or specify a directory that contains custom rules.

    Additional Fortify SCA scan options

    Specify a list of Fortify Static Code Analyzer scan options separated by a new line (one per line).

  7. (Optional) In the Advanced Options section, provide the information described in the following table.

    Field Description
    Notification email

    Type the email address to which the Fortify ScanCentral SAST Controller will send notifications.

    Sensor pool UUID

    To target a specific sensor pool for the scan, specify the sensor pool UUID. You can obtain the UUID for sensor pools from the ScanCentral SAST Sensor Pools page in Fortify Software Security Center.

    By default, Fortify ScanCentral SAST uses the default sensor pool as defined in Fortify Software Security Center.

    Wait for scan to finish

    Select whether to have this task wait until the scan is complete and the results are downloaded to the DevOps agent. If selected, then you can provide the following:

    • In the Results file box, type a name for the Fortify results file (FPR). For example, MyProjectA.fpr.

      The file is saved in the working folder unless you specify an absolute path.

    • In the Log file box, type a name for the local log file.

      The file is saved in the working folder unless you specify an absolute path.

    • Select Overwrite to replace any existing results file (*.fpr) or log file with new data. Otherwise, existing files are not overwritten and the results are not downloaded to the agent. A message will indicate if this happens.

    Quiet

    Select this option to prevent execution statements from being written to stdout during the build.

    Download debug logs

    Select this option to generate a ZIP file that includes debug log files from clients, sensors, and Fortify Static Code Analyzer.

    If you select this option, the process waits for the completion of the scan in order to download the log files.