Fortify ScanCentral SAST Command-Line Options

This appendix provides information about the command-line options that you can use with Fortify ScanCentral SAST. The Fortify ScanCentral SAST options are:

Global Options
Status Command
Start Command
Retrieve Command
Cancel Command
Worker Command
Package Command
Arguments Command
Progress Command
Update Command

Global Options

This section provides information about the command-line options that you can use with Fortify ScanCentral SAST.

Global Options	Use to:
`-debug`	Enables debug logging on ScanCentral SAST clients and sensors. For information on how to configure the logging level on the Controller, see Configuring the Logging Level on the Controller.
`-h <command>` or `--help <command>`	Get help for the selected command. To see all command help, type `-h all`.
`-ssctoken <ScanCentralCtrlToken>`	Specify the Fortify Software Security Center authorization token.
`-sscurl <url>`	Specify the Fortify Software Security Center server URL.
`-url <url>`	Specify the ScanCentral SAST Controller URL.
`-version`	Get the product version.

Status Command

Use the status command to check the status of the Controller or a job.

Status Options	Description
`-bl, --block-until <action>`	Use this option to have the process (scanning or merging) wait until Fortify Software Security Center FPR upload and processing are complete, and then download the merged FPR from Fortify Software Security Center. Valid values are `scan` and `sscproc`. If you specify `scan`, the `status` command directs the scan process to continue to run until the scan is complete and available on the Controller. If you specify `sscproc`, the `status` command waits for Fortify Software Security Center processing to complete. If the scan result is not uploaded to Fortify Software Security Center, an error occurs.
`-bto, --block-timeout`	Specify how long (in minutes) to block processing. Valid range is from 0 to 10080. If 0 is specified, no timeout is set.
`-ctrl`	Verify that the Controller is running.
`-pi, --poll-interval`	Specify how frequently (in seconds) to poll the processing status. Valid range is from 10 to 60.
`-token, --job-token <token>`	Specify the job token to query.

Start Command

You can use the options listed in the following tables with the start command to perform a remote scan, or to perform a remote translation and scan.

Use the options listed in the following table with the start command to perform a remote scan. For information about the start command options you can use to perform a remote translation and scan, see Start Options for Remote Translation and Scan.

Start Options for Remote Scans	Description
`-application, ‑‑application <name>`	Specifies the Fortify Software Security Center application name.
`-bc, --build-command <commands>`	For use with Maven, Gradle and MSBuild. Specifies custom build parameters for preparing and building a project. For example, to invoke a Gradle build before packaging: `-Prelease=true clean customTask build` If you use the `-bc` option, and the build fails, ScanCentral stops working on the build. (Gradle only) If you do not use `-bc`, the default command, default tasks and target are invoked. If the build fails, ScanCentral displays a warning, but continues to work and then displays a message to indicate that the build procedure failed and your results may be incomplete.
`-b, --build-id <id>`	Specifies the build ID of the session to export.
`-bf, --build-file <file>`	Specifies the build file, unless it has a default name such as `build.gradle` or `pom.xml`. You cannot use this option with the `-scan` option.
`-block`	Waits for the job to complete, and then downloads the result.
`-bt, --build-tool <name>`	(Optional) Specifies the build tool name used for the project. Example: `-bt mvn -bc "package --setting custom.xml"` You cannot use this option with the `-scan` option. The `-bt` option is not required. Fortify ScanCentral SAST can detect the build tool automatically based on the project files being scanned.
`-email <address>`	Specifies the email address for job status notifications.
`-exclude`	Specifies the files or directories (with absolute or relative path, or Ant-style path pattern) to exclude from a package (repeatable).
`-f, --output-file <file>`	Specifies the name for the local FPR file output. Use with the `-block` option to specify the name for the local FPR file output after a scan is completed.
`-filter <file>`	Specifies the filter file to use during a scan (repeatable).
`-fprssc, --fpr-filename-on-ssc <file>`	Specifies the name to use for the FPR files uploaded to Fortify Software Security Center. The file name must not exceed 128 characters in length and must not contain the following invalid characters: colon (:) backslash (\) forward slash (/) asterisk (*) question mark (?) vertical bar or pipe (\|) less than (<) greater than (>) double quote (")
`-hv, --php-version <version>`	Specifies the PHP version.
`-log, --log-file <file>`	Use with the `-block` option to specify the name for the local log file output after a scan is completed.
`-mbs <file>`	Specifies the mobile build session to upload.
`-o, --overwrite`	Overwrites the existing FPR or log with new data.
`-p, --package <file>`	Specifies the project package file to upload.
`-pool, --submit-to-pool <uuid>`	Specifies the sensor pool into which a sensor is to be placed at startup.
`-projroot, --project-root <dir>`	Specifies the project directory for the mobile build session export.
`-projtl, --project-template <file>`	Specifies the issue template file to include.
`-pyr, --python-requirements <file>`	Specifies the Python project requirements file to install and collect dependencies.
`-pyv, --python-virtual-env <directory>`	Specifies the Python virtual environment location.
`-q, --quiet`	Prevents the printing of stdout from the build execution.
`-rules <file/dir>`	Specifies custom rules file or directory to use during the scan (repeatable).
`-sargs, --scan-args`	Fortify Static Code Analyzer scan arguments (repeatable) Takes a single string argument. For multiple scan arguments, use multiple `-sargs` options. If the scan option has a path parameter that includes a space, enclose the path with single quotes. Note: You cannot use the `-sargs` option with the `-scan` option. It is for use in remote translation and scan only.
`-scan`	Sets the point beyond which all arguments are for sourceanalyzer. You cannot use this option with the `--build-tool` or `--package` option.
`-snm, --scan-node-modules`	Specifies node_modules dependencies in the package. If you set `--scan-node-modules`, all third-party library scan results are added to the resulting FPR. Tip: Because including node_modules dependencies in a package does not greatly improve type resolution or dataflow, and can result in an excessive number of false positives, Fortify recommends that you exclude them from scans. By default, node_modules are not applied to a package unless you apply the `--scan-node-modules` option from the command line.
`-skipBuild`	Disables the project preparation build step before packaging. If you use `-skipBuild` option, the `-bc` option (if used) is ignored. Caution! You can apply this option to Gradle and Maven build tools, but not to MSBuild.
`-sp, --save-package <file>`	Specifies the package file to save after uploading. The file extension must be `*.zip`.
`-sto, --scan-timeout`	Specifies the maximum amount of time (in minutes) a scan job can be processed (and prevent a sensor from doing other work). Note: Use of this worker option has a higher priority than the `scan_timeout` property setting in the `config.properties` file.
`-t, --include-test`	Includes test source set (Gradle) or test scope (Maven) to scan (for Java projects only).
`-targs, --translation-args`	Fortify Static Code Analyzer translation arguments (repeatable) Takes a single string argument. For multiple translation arguments, use multiple `-targs` options. If the translation option has a path parameter that includes a space, enclose the path with single quotes. If you use the `-targs` option with the start command `+p` option, ScanCentral SAST ignores it and displays an error message. Note: You cannot use the `-targs` option with the `-scan` option. It is for use in remote translation and scan only. For a list of the Fortify Static Code Analyzer options you can use with the `-targs` option, see Options Accepted for -targs (‑‑translation-args).
`-upload, --upload-to-ssc`	Uploads the FPR to Fortify Software Security Center upon completion.
`-uptoken, --ssc-upload-token <token>`	Specifies the Fortify Software Security Center file upload token. Note: If the `pool_mapping_mode` property is set to `DISABLED` on the Controller, you can use a Fortify Software Security Center `AnalysisUploadToken` instead. However, if `pool_mapping_mode` is ENABLED, an `AnalysisUploadToken` does not work, and a `ScanCentralCtrlToken` is required instead. For information about how to acquire `AnalysisUploadToken` and `ScanCentralCtrlToken` tokens, see the Fortify Software Security Center User Guide.
`-version, --application-version <name>`	Specifies the Fortify Software Security Center application version name.
`-versionid, --application-version-id <id>`	Specifies the Fortify Software Security Center application version ID.
`-yv, --python-version <version>`	Specifies the Python version to automatically find the installed Python. Allowed values: 2 or 3. This flag is ignored if the ScanCentral SAST client is started under a Python virtual environment or if `-python-virtual-env` is specified.

Use the options listed in the following table with the start command to perform a remote translation and scan. For information about the start command options you can use to perform remote scans (only), see Start Options for Remote Scans.

Start Options for Remote Translation and Scan	Description
`-application, --application <name>`	Specifies the Fortify Software Security Center application name.
`-bc, --build-command <commands>`	For use with Maven, Gradle and MSBuild. Specifies custom build parameters for preparing and building a project. For example, to invoke a Gradle build before packaging: `-Prelease=true clean customTask build` If you use the `-bc` option, and the build fails, ScanCentral stops working on the build. (Gradle only)If you do not use `-bc`, the default command, default tasks and target are invoked. If the build fails, ScanCentral displays a warning, but continues to work and then displays a message to indicate that the build procedure failed and your results may be incomplete.
`-b, --build-id <id>`	Specifies the build ID of the session to export.
`-bf, --build-file <file>`	Specifies the build file, unless it has a default name such as `build.gradle` or `pom.xml`. You cannot use this option with the `-scan` option.
`-block`	Waits for the job to complete, and then downloads the result.
`-bt, --build-tool <name>`	(Optional) Specifies the build tool name used for the project. Example: `-bt mvn -bc "package --setting custom.xml"` You cannot use this option with the `-scan` option. The `-bt` option is not required. Fortify ScanCentral SAST can detect the build tool automatically based on the project files being scanned.
`-email <address>`	Specifies the email address for job status notifications.
`-exclude`	Specifies the files or directories (with absolute or relative path, or Ant-style path pattern) to exclude from a package (repeatable).
`-f, --output-file <file>`	Specifies the name for the local FPR file output. Use with the `‑block` option to specify the name for the local FPR file output after a scan is completed.
`-filter <file>`	Specifies the filter file to use during a scan (repeatable).
`-fprssc, --fpr-filename-on-ssc <file>`	Specifies the name to use for the FPR files uploaded to Fortify Software Security Center. The file name must not exceed 128 characters in length and must not contain the following invalid characters: colon (:) backslash (\) forward slash (/) asterisk (*) question mark (?) vertical bar or pipe (\|) less than (<) greater than (>) double quote (")
`-hv, --php-version <version>`	Specifies the PHP version.
`-log, --log-file <file>`	Use with the `-block` option to specify the name for the local log file output after a scan is completed.
`-mbs <file>`	Specifies the mobile build session to upload.
`-o, --overwrite`	Overwrites the existing FPR or log with new data.
`-p, --package <file>`	Specifies the project package file to upload.
`-pool, --submit-to-pool <uuid>`	Specifies the sensor pool into which a sensor is to be placed at startup.
`-projroot, --project-root <dir>`	Specifies the project directory for the mobile build session export.
`-projtl, --project-template <file>`	Specifies the issue template file to include.
`-pyr, --python-requirements <file>`	Specifies the Python project requirements file to install and collect dependencies.
`-pyv, --python-virtual-env <directory>`	Specifies the Python virtual environment location.
`-q, --quiet`	Prevents the printing of stdout from the build execution.
`-rules <file/dir>`	Specifies custom rules file or directory to use during the scan (repeatable).
`-sargs, --scan-args`	Fortify Static Code Analyzer scan arguments (repeatable) Takes a single string argument. For multiple scan arguments, use multiple `-sargs` options. If the scan option has a path parameter that includes a space, enclose the path with single quotes. Note: You cannot use the `-sargs` option with the `-scan` option. It is for use in remote translation and scan only.
`-scan`	Sets the point beyond which all arguments are for sourceanalyzer. You cannot use this option with the `--build-tool` or `--package` option.
`-snm, --scan-node-modules`	Specifies node_modules dependencies in the package. If you set `--scan-node-modules`, all third-party library scan results are added to the resulting FPR. Tip: Because including node_modules dependencies in a package does not greatly improve type resolution or dataflow, and can result in an excessive number of false positives, Fortify recommends that you exclude them from scans. By default, node_modules are not applied to a package unless you apply the `--scan-node-modules` option from the command line.
`-skipBuild`	Disables the project preparation build step before packaging. If you use `-skipBuild` option, the `-bc` option (if used) is ignored. Caution! You can apply this option to Gradle and Maven build tools, but not to MSBuild.
`-sp, --save-package <file>`	Specifies the package file to save after uploading. The file extension must be `*.zip`.
`-sto, --scan-timeout`	Specifies the maximum amount of time (in minutes) a scan job can be processed (and prevent a sensor from doing other work). Note: Use of this worker option has a higher priority than the `scan_timeout` property setting in the `config.properties` file.
`-t, --include-test`	Includes test source set (Gradle) or test scope (Maven) to scan (for Java projects only).
`-targs, --translation-args`	Fortify Static Code Analyzer translation arguments (repeatable) Takes a single string argument. For multiple translation arguments, use multiple `-targs` options. If the translation option has a path parameter that includes a space, enclose the path with single quotes. If you use the `-targs` option with the start command `+p` option, ScanCentral SAST ignores it and displays an error message. Note: You cannot use the `-targs` option with the `-scan` option. It is for use in remote translation and scan only. For a list of the Fortify Static Code Analyzer options you can use with the `-targs` option, see Options Accepted for -targs (‑‑translation-args).
`-upload, --upload-to-ssc`	Uploads the FPR to Fortify Software Security Center upon completion.
`-uptoken, --ssc-upload-token <token>`	Specifies the Fortify Software Security Center file upload token. Note: If the `pool_mapping_mode` property is set to `DISABLED` on the Controller, you can use a Fortify Software Security Center `AnalysisUploadToken` instead. However, if `pool_mapping_mode` is ENABLED, an `AnalysisUploadToken` does not work, and a `ScanCentralCtrlToken` is required instead. For information about how to acquire `AnalysisUploadToken` and `ScanCentralCtrlToken` tokens, see the Fortify Software Security Center User Guide.
`-version, --application-version <name>`	Specifies the Fortify Software Security Center application version name.
`-versionid, --application-version-id <id>`	Specifies the Fortify Software Security Center application version ID.
`-yv, --python-version <version>`	Specifies the Python version to automatically find the installed Python. Allowed values: 2 or 3. This flag is ignored if the ScanCentral SAST client is started under a Python virtual environment or if `-python-virtual-env` is specified.

Retrieve Command

Use the retrieve command to download the result of a remote scan job.

Retrieve Options	Description
`-block`	Wait for the job to complete and download the result.
`-bto, --block-timeout`	Specify how long (in minutes) to block processing. Valid range is from 0 to 10080. If 0 is specified, no timeout is set.
`-f, --output-file <file>`	Specify the file name for local FPR output. Use with the `-block` option to specify the name for the local FPR file output after a scan is completed.
`-log, --log-file <file>`	Use with the `-block` option to specify the name for the local log file output after a scan is completed.
`-o, --overwrite`	Overwrite the existing FPR or log with new data.
`-pi, --poll-interval`	Specify how frequently (in seconds) to poll the processing status. Valid range is from 10 to 60.
`-token, --job-token <token>`	Specify the job token to query.

Cancel Command

Use the cancel command to cancel a remote scan job.

Cancel Options	Description
`-token, --job-token <token>`	Specify the job token to query.

Worker Command

Caution! To avoid packaging failure for projects with file paths that contain an umlaut, you must first add the com.fortify.sca.CmdlineOptionsFileEncoding property to the fortify‑sca.properties file (located in the <sca_install_dir>/Core/config directory) and give it a value that is not encoded in ASCII.

Use the worker command to start or test a sensor.

Worker Options	Description
`-hello`	Sensor reporting for duty.
`-pool, --assign-to-pool`	Specifies the sensor pool to which the sensor is to be assigned after It connects to the Controller. If the sensor is already assigned to a pool, this option overrides that assignment. (If an error occurs In sensor pool assignment, the sensor shuts down.)
`-sto, --scan-timeout`	Specifies the maximum amount of time (in minutes) a scan job can be processed (and prevent a sensor from doing other work). Note: Use of this worker option has a higher priority than the `scan_timeout` property setting in the `config.properties` file.

Package Command

Use the package command to create a zip package of the specified project.

Package Options	Description
`-bc, --build-command <commands>`	Specify custom build parameters for preparing and building a project. For example, to invoke a Gradle build before packaging: `-Prelease=true clean customTask build` If you use the `-bc` option, and the build fails, ScanCentral stops working on the build. (Gradle only) If you do not use `-bc`, the default tasks and targets are invoked. If the build fails, ScanCentral SAST displays a warning, but continues. You can use this option with Maven, Gradle and MSBuild.
`-bf, --build-file <file>`	Specify the build file if you are not using a default name such as `build.gradle` or `pom.xml`.
`-bt, --build-tool <name>`	Specify the build tool name used for the project. You cannot use this option with the project.
`-exclude`	Specify the files or directories (with absolute or relative path, or Ant-style path pattern) to exclude from a package (repeatable).
`-hv, --php-version <version>`	Specify the PHP version.
`-o, --output <file>`	Specify the output file name. The file extension must be `*.zip`.
`-oss, --open-source-scan`	(Applies only to Fortify on Demand) Used to generate and collect additional files for scanning. For details see Fortify on Demand documentation.
`-pyr, --python-requirements <file>`	Specify the Python project requirements file to install and collect dependencies.
`-pyv, --python-virtual-env <directory>`	Specify the Python virtual environment location.
`-q, --quiet`	Prevent the printing of stdout from the build execution.
`-snm, --scan-node-modules`	Specifies node_modules dependencies in the package. If you set `--scan-node-modules`, all third-party library scan results are added to the resulting FPR. Tip: Because including node_modules dependencies in a package does not improve type resolution or dataflow results, and because they degrade translation and scan speed, Fortify recommends that you exclude them from scans. By default, node_modules are not applied to a package unless you apply the `--scan-node-modules` option from the command line.
`-skipBuild`	Disables the project preparation build step before packaging.
`-t, --include-test`	Include the test source set (Gradle) or test scope (Maven) to scan (for Java projects only).
`-targs, --translation-args`	Fortify Static Code Analyzer translation arguments (repeatable) Takes a single string argument. For multiple translation arguments, use multiple `-targs` options. If the translation option has a path parameter that includes a space, enclose the path with single quotes. For a list of the Fortify Static Code Analyzer options you can use with the `‑targs` option, see Options Accepted for -targs (‑‑translation-args).
`-yv, --python-version <version>`	Specify the Python version to automatically find the installed Python. Allowed values: 2 or 3. This flag is ignored if the ScanCentral SAST client is started under a Python virtual environment or if `‑python-virtual-env` is specified.

Arguments Command

Use the arguments command to generate a settings file for additional Fortify Static Code Analyzer command-line options. The settings file must reside in the same directory you specify ScanCentral SAST commands for remote translation and scanning.

Deprecated: As of the 23.1.0 release, the arguments command is deprecated.

Arguments Options	Description
`-o, --overwrite`	Overwrite the existing arguments file.
`-p, --project-dir <directory>`	Specify the project directory in which to create the Fortify Static Code Analyzer translation and scan additional arguments file.
`-sargs, --scan-args`	Fortify Static Code Analyzer scan arguments (repeatable) Deprecated: Fortify recommends that you use the `‑targs` option directly with the Start Command. For a list of the Fortify Static Code Analyzer options you can use with `-sargs`, see Options Accepted for -sargs (--scan-args).
`-targs, --translation-args`	Fortify Static Code Analyzer translation arguments (repeatable) Deprecated: Fortify recommends that you use the `‑targs` option directly with the Start Command. For a list of the Fortify Static Code Analyzer options you can use with `-targs`, see Options Accepted for -targs (‑‑translation-args).

Important! The -targs and -sargs options take a single string argument. To specify multiple translation or scan arguments, use multiple -targs and (or) -sargs options. If the translation or scan option has a path parameter that includes a space, enclose the path in single quotes.

Example: The following generates a fortify-sca.settings file in the current directory.

scancentral.bat  arguments -o -targs "-Xmx4G" -targs "-cp 'myProject Dir/path to/lib/*.jar'" -targs "-exclude 'myProject Dir/path to/src/*.js'" -sargs "-Xms256M" -sargs "-analyzers controlflow, dataflow"

The resulting fortify-sca.settings file looks similar to the following:

{
  "translationArgs": [
  "-Xmx4G",
  "-cp",
  "myProject Dir/path to/lib/*.jar",
  "-exclude",
  "myProject Dir/path to/src/*.jar"
 ],             
  "scanArgs": [
  "-Xms256M",

  "-analyzers",
  "controlflow,dataflow" 
 ]

Progress Command

Use the progress command to get the progress of a Fortify Static Code Analyzer scan.

Important! If your projects are based on Java 11, and you want to use the progress command to check the progress of your scans, some minor sensor configuration is required. For instructions, see Configuring Sensors to Use the Progress Command when Starting on Java.

Update Command

Use the update command to update a client or sensor to the latest version available on the Controller. This updates a standalone client to the latest available client version. It updates an embedded client or sensor to the latest available patch version, but does not update these to the next major version.

Options Accepted for -targs (‑‑translation-args)

The following table lists the Fortify Static Code Analyzer options you can use with the Fortify Static Code Analyzer -targs option.

Deprecated: Fortify recommends that you use the ‑targs option directly with the Start Command.

Accepted Options: -targs
-64	-goproxy
-autoheap	-goroot
-abap-includes	-jdk
-apex	-jdk-bootclasspath
-apex-sobject-path	-jsp-as-top-level
-apex-version	-jvm-default
-appserver	-machine-output
-appserver-home	-noextension-type
-appserver-version	-php-source-root
-bootclasspath	-php-version
-build-label	-project-root
-build-project	-python-no-auto-root-calculation
-build-version	-python-no-file-function-optimization
-cp	-python-path
-debug	-python-version
-debug-mem	-python-warnings-suppression
-debug-verbose	-quiet
-disable-java-kotlin-interop	-rubygem-path
-disable-language	-ruby-on-rails
-django-disable-autodiscover	-ruby-path
-django-template-dirs	-show-python-resolution
-document-root	-show-unresolved-symbols
-enable-language	-source-base-dir
-encoding	-source-jars
-exclude	-sourcepath
-exit-code-level	-sql-language
-extdirs	-v
-gopath	-verbose

Options Accepted for -sargs (--scan-args)

The following table lists the Fortify Static Code Analyzer options you can use with the Fortify Static Code Analyzer -sargs option.

Deprecated: Fortify recommends that you use the ‑sargs option directly with the Start Command.

Accepted Options: -sargs
-64	-machine-output
-autoheap	-mt
-build-label	-no-default-issue-rules
-build-project	-no-default-rules
-build-version	-no-default-sink-rules
-debug	-no-default-source-rules
-debug-mem	-p
-debug-verbose	-project-root
-disable-analyzer	-project-template
-disable-default-rule-type	-quick
-disable-filtering	-quiet
-disable-funptr-analysis	-rules
-enable-analyzer	-v
-filter	-validate
-legacy-jsp-dataflow	-verbose