Fortify ScanCentral SAST Command-Line Options

This appendix provides information about the command-line options that you can use with Fortify ScanCentral SAST. The Fortify ScanCentral SAST options are:

Global Options
Status Command
Start Command
Retrieve Command
Cancel Command
Worker Command
Package Command
Arguments Command
Progress Command
Update Command

Global Options

This section provides information about the command-line options that you can use with Fortify ScanCentral SAST.

Global Option	Use to:
`-debug`	Enables debug logging on ScanCentral SAST clients and sensors. For information on how to configure the logging level on the Controller, see Configuring the Logging Level on the Controller.
`-h <command>` or `--help <command>`	Get help for the selected command. To see all command help, type `-h all`.
`-ssctoken <ScanCentralCtrlToken>`	Specify the Fortify Software Security Center authorization Access control. After a user has been authenticated (proven his or her identify, typically via a password), the operating system or application identifies what resources the user can access during this session, and provides access accordingly. token.
`-sscurl <url>`	Specify the Fortify Software Security Center server URL.
`-url <url>`	Specify the ScanCentral SAST Controller URL.
`-version`	Get the product version.

Status Command

Use the status command to check the status of the Controller or a job.

Option	Description
`-ctrl`	Verify that the Controller is running.
`-token, --job-token <token>`	Specify the job token to query.

Start Command

Use the start command to start a remote scan.

Option	Description
`-application, --application <name>`	Specifies the Fortify Software Security Center application A customer codebase evaluated by Fortify software. The top-level container for one or more application versions. When you work with a new codebase, the application and first application version are automatically created. An application includes one or more application versions that users create and configure. name.
`-bc, --build-command <commands>`	For use with Maven, Gradle and MSBuild. Specifies custom build parameters for preparing and building a project. For example, to invoke a Gradle build before packaging: `-Prelease=true clean customTask build` If you use the `-bc` option, and the build fails, ScanCentral stops working on the build. (Gradle only) If you do not use `-bc`, the default command, default tasks and target are invoked. If the build fails, ScanCentral displays a warning, but continues to work and then displays a message to indicate that the build procedure failed and your results may be incomplete.
`-b, --build-id <id>`	Specifies the build ID Name of an application being analyzed. of the session to export.
`-bf, --build-file <file>`	Specifies the build file, unless it has a default name such as `build.gradle` or `pom.xml`. You cannot use this option with the `-scan` option.
`-block`	Waits for the scan to complete, and then downloads the result.
`-bt, --build-tool <name>`	Specifies the build tool name used for the project. You cannot use this option with the `-scan` option. Example: `-bt mvn -bc "package --setting custom.xml"`
`-email <address>`	Specifies the email address for job status notifications.
`-f, --output-file <file>`	Specifies the name for the local FPR Fortify project results. The Fortify Static Code Analyzer output file format. file output.
`-filter <file>`	Specifies the filter file to use during a scan (repeatable).
`-fprssc, --fpr-filename-on-ssc <file>`	Specifies the name to use for the FPR files uploaded to Fortify Software Security Center. The file name must not exceed 128 characters in length and must not contain the following invalid characters: colon (:) backslash (\) forward slash (/) asterisk (*) question mark (?) vertical bar or pipe (\|) less than (<) greater than (>) double quote (")
`-hv, --php-version <version>`	Specifies the PHP version.
`-log, --log-file <file>`	Specifies the name for the local log file output.
`-mbs <file>`	Specifies the mobile build session A mobile build session (MBS file) created in the Fortify Static Code Analyzer translation phase includes the files required for analysis and enables you to scan a project on a different machine (than the translation phase). to upload.
`-o, --overwrite`	Overwrites the existing FPR or log with new data.
`-p, --package <file>`	Specifies the project package file to upload.
`-pool, --submit-to-pool <uuid>`	Specifies the sensor pool A group of ScanCentral sensors, grouped based on any criteria, which you can then target for scan requests. Example: A sensor pool consisting of machines with a lot of physical memory is used for scan requests that require a lot of memory. into which a sensor is to be placed at startup.
`-projroot, --project-root <dir>`	Specifies the project directory for the mobile build session export.
`-projtl, --project-template <file>`	Specifies the issue template A template that determines how Fortify Software products prioritize issues. Prioritizing issues of a category or type helps guide the security team's audit and remediation activities. Fortify Software Security Center provides some standard templates. Users can employ them as is, modify them, and/or create additional templates. file to include.
`-pyr, --python-requirements <file>`	Specifies the Python project requirements file to install and collect dependencies.
`-pyv, --python-virtual-env <directory>`	Specifies the Python virtual environment location.
`-q, --quiet`	Prevents the printing of stdout from the build execution.
`-rules <file/dir>`	Specifies custom rules Rules that extend the functionality of Fortify Static Code Analyzer and the Secure Coding Rulepacks. Custom rules enable you to enforce proprietary security guidelines or analyze a project that uses third-party libraries or other pre-compiled binaries that are not already covered by the Secure Coding Rulepacks. file or directory to use during the scan (repeatable).
`-sargs, --scan-args`	Fortify Static Code Analyzer scan arguments (repeatable) Takes a single string argument. For multiple scan arguments, use multiple `-sargs` options. If the scan option has a path parameter An item of information, such as a name, a selection, or a number, passed to a program by another program or an end-user. that includes a space, enclose the path with single quotes. Note: You cannot use the `-sargs` option with the `-scan` option. It is for use in remote translation and scan only.
`-scan`	Sets the point beyond which all arguments are for sourceanalyzer. You cannot use this option with the `--build-tool` or `--package` option.
`-snm, --scan-node-modules`	Specifies node_modules dependencies in the package. If you set `--scan-node-modules`, all third-party library scan results are added to the resulting FPR. Tip: Because including node_modules dependencies in a package does not greatly improve type resolution or dataflow, and can result in an excessive number of false positives, Fortify recommends that you exclude them from scans. By default, node_modules are not applied to a package unless you apply the `--scan-node-modules` option from the command line.
`-skipBuild`	Disables the project preparation build step before packaging. If you use `-skipBuild` option, the `-bc` option (if used) is ignored. Caution! You can apply this option to Gradle and Maven build tools, but not to MSBuild.
`-sp, --save-package <file>`	Specifies the package file to save after uploading. The file extension must be `*.zip`.
`-sto, --scan-timeout`	Specifies the maximum amount of time (in minutes) a scan job can be processed (and prevent a sensor from doing other work). Note: Use of this worker An older term for a Fortify ScanCentral sensor. option has a higher priority than the `scan_timeout` property setting in the `config.properties` file.
`-t, --include-test`	Includes test source set (Gradle) or test scope (Maven) to scan (for Java projects only).
`-targs, --translation-args`	Fortify Static Code Analyzer translation arguments (repeatable) Takes a single string argument. For multiple translation arguments, use multiple `-targs` options. If the translation option has a path parameter that includes a space, enclose the path with single quotes. Note: You cannot use the `-targs` option with the `-scan` option. It is for use in remote translation and scan only.
`-upload, --upload-to-ssc`	Uploads the FPR to Fortify Software Security Center upon completion.
`-uptoken, --ssc-upload-token <token>`	Specifies the Fortify Software Security Center file upload token. Note: If the `pool_mapping_mode` property is set to `DISABLED` on the Controller, you can use a Fortify Software Security Center `AnalysisUploadToken` instead. However, if `pool_mapping_mode` is ENABLED, an `AnalysisUploadToken` does not work, and a `ScanCentralCtrlToken` is required instead. For information about how to acquire `AnalysisUploadToken` and `ScanCentralCtrlToken` tokens, see the Fortify Software Security Center User Guide.
`-version, --application-version <name>`	Specifies the Fortify Software Security Center application version A particular iteration of the analysis of a codebase as it applies to Fortify Software Security Center. An application always begins with a first version. An administrator adds new versions, as needed. name.
`-versionid, --application-version-id <id>`	Specifies the Fortify Software Security Center application version ID.
`-yv, --python-version <version>`	Specifies the Python version to automatically find the installed Python. Allowed values: 2 or 3. This flag is ignored if the ScanCentral SAST client Requesting program or user in a client/server relationship. For example, the user of a web browser is effectively making client requests for pages from servers all over the web. The browser itself is a client in its relationship with the computer that is getting and returning the requested HTML file. The computer handling the request and sending back the HTML file is a server. is started under a Python virtual environment or if `-python-virtual-env` is specified.

Retrieve Command

Use the retrieve command to download the result of a remote scan job.

Option	Description
`-block`	Wait for the job to complete and download the result.
`-f, --output-file <file>`	Specify the file name for local FPR output.
`-log, --log-file <file>`	Specify the file name for local log output.
`-o, --overwrite`	Overwrite the existing FPR or log with new data.
`-token, --job-token <token>`	Specify the job token to query.

Cancel Command

Use the cancel command to cancel a remote scan job.

Option	Description
`-token, --job-token <token>`	Specify the job token to query.

Worker Command

Caution! To avoid packaging failure for projects with file paths that contain an umlaut, you must first add the com.fortify.sca.CmdlineOptionsFileEncoding property to the fortify‑sca.properties file (located in the <sca_install_dir>/Core/config directory) and give it a value that is not encoded in ASCII.

Use the worker command to start or test a sensor.

Option	Description
`-hello`	Sensor reporting for duty.
`-pool, --assign-to-pool`	Specifies the sensor pool to which the sensor is to be assigned after It connects to the Controller. If the sensor is already assigned to a pool, this option overrides that assignment. (If an error occurs In sensor pool assignment, the sensor shuts down.)
`-sto, --scan-timeout`	Specifies the maximum amount of time (in minutes) a scan job can be processed (and prevent a sensor from doing other work). Note: Use of this worker option has a higher priority than the `scan_timeout` property setting in the `config.properties` file.

Package Command

Use the package command to create a zip package of the specified project.

Option	Description
`-bc, --build-command <commands>`	Specify custom build parameters for preparing and building a project. For example, to invoke a Gradle build before packaging: `-Prelease=true clean customTask build` If you use the `-bc` option, and the build fails, ScanCentral stops working on the build. (Gradle only) If you do not use `-bc`, the default tasks and targets are invoked. If the build fails, ScanCentral SAST displays a warning, but continues. You can use this option with Maven, Gradle and MSBuild.
`-bf, --build-file <file>`	Specify the build file if you are not using a default name such as `build.gradle` or `pom.xml`.
`-bt, --build-tool <name>`	Specify the build tool name used for the project. You cannot use this option with the project.
`-exclude`	Use the `-exclude` option directly from the ScanCentral SAST command line to exclude files from scans for the Maven, Gradle, MSBuild build tools, and for `-bt none`.
`-hv, --php-version <version>`	Specify the PHP version.
`-o, --output <file>`	Specify the output file name. The file extension must be `*.zip`.
-oss, --open-source-scan	(Applies only to Fortify on Demand) Used to generate and collect additional files for scanning. For details see Fortify on Demand documentation.
`-pyr, --python-requirements <file>`	Specify the Python project requirements file to install and collect dependencies.
`-pyv, --python-virtual-env <directory>`	Specify the Python virtual environment location.
`-q, --quiet`	Prevent the printing of stdout from the build execution.
`-sargs, --scan-args`	Fortify Static Code Analyzer scan arguments (repeatable) Takes a single string argument. For multiple scan arguments, use multiple `-sargs` options. If the scan option has a path parameter that includes a space, enclose the path with single quotes.
`-snm, --scan-node-modules`	Specifies node_modules dependencies in the package. If you set `--scan-node-modules`, all third-party library scan results are added to the resulting FPR. Tip: Because including node_modules dependencies in a package does not improve type resolution or dataflow results, and because they degrade translation and scan speed, Fortify recommends that you exclude them from scans. By default, node_modules are not applied to a package unless you apply the `--scan-node-modules` option from the command line.
`-skipBuild`	Disables the project preparation build step before packaging.
`-t, --include-test`	Include the test source set (Gradle) or test scope (Maven) to scan (for Java projects only).
`-targs, --translation-args`	Fortify Static Code Analyzer translation arguments (repeatable) Takes a single string argument. For multiple translation arguments, use multiple `-targs` options. If the translation option has a path parameter that includes a space, enclose the path with single quotes.
`-yv, --python-version <version>`	Specify the Python version to automatically find the installed Python. Allowed values: 2 or 3. This flag is ignored if the ScanCentral SAST client is started under a Python virtual environment or if `-python-virtual-env` is specified.

Arguments Command

Use the arguments command to generate a settings file for additional Fortify Static Code Analyzer command-line options. The settings file must reside in the same directory you specify ScanCentral SAST commands for remote translation and scanning.

Option	Description
`-o, --overwrite`	Overwrite the existing arguments file.
`-p, --project-dir <directory>`	Specify the project directory in which to create the Fortify Static Code Analyzer translation and scan additional arguments file.
`-sargs, --scan-args`	Fortify Static Code Analyzer scan arguments (repeatable)
`-targs, --translation-args`	Fortify Static Code Analyzer translation arguments (repeatable)

Important! The -targs and -sargs options take a single string argument. To specify multiple translation or scan arguments, use multiple -targs and (or) -sargs options. If the translation or scan option has a path parameter that includes a space, enclose the path in single quotes.

Example: The following generates a fortify-sca.settings file in the current directory.

scancentral.bat  arguments -o -targs "-Xmx4G" -targs "-cp 'myProject Dir/path to/lib/*.jar'" -targs "-exclude 'myProject Dir/path to/src/*.js'" -sargs "-Xms256M" -sargs "-analyzers controlflow,dataflow"

The resulting fortify-sca.settings file looks similar to the following:

{
  "translationArgs": [
  "-Xmx4G",
  "-cp",
  "myProject Dir/path to/lib/*.jar",
  "-exclude",
  "myProject Dir/path to/src/*.jar"
 ],             
  "scanArgs": [
  "-Xms256M",

  "-analyzers",
  "controlflow,dataflow" 
 ]

Progress Command

Use the progress command to get the progress of a Fortify Static Code Analyzer scan.

Important! If your projects are based on Java 11, and you want to use the progress command to check the progress of your scans, some minor sensor configuration is required. For instructions, see Configuring Sensors to Use the Progress Command when Starting on Java.

Update Command

Use the update command to update a client or sensor to the latest version available on the Controller. This updates a standalone client ScanCentral SAST client that runs outside of SCA and Apps. to the latest available client version. It updates an embedded client ScanCentral client that comes with SCA and Apps. or sensor to the latest available patch version, but does not update these to the next major version.