Scanning Python projects

Fortify ScanCentral SAST clients can work with Python® projects in three ways: from an activated virtual environment, from an existing virtual environment that is not activated, or outside of any virtual environment. Each way is described in its own section below.

The following table provides examples of different ways to submit scan requests for Python code.

Task: Start a job to scan a Python 3 project
Example command:

    scancentral -sscurl <ssc_url> -ssctoken <token> start --python-requirements <requirements_file_path>

Task: Start a job to scan a Python 2 project
Example command:

    scancentral -sscurl <ssc_url> -ssctoken <token> start --python-version 2 --python-requirements <requirements_file_path>

Task: Start a job to scan a Python project under an active virtual environment with dependencies already installed
Example command:

    scancentral -sscurl <ssc_url> -ssctoken <token> start

Task: Start a job to scan a Python project under an active virtual environment without project dependencies installed
Example command:

    scancentral -sscurl <ssc_url> -ssctoken <token> start --python-requirements <requirements_file_path>

Task: Start a job to scan a Python project using an existing Python virtual environment and install project dependencies
Example command:

    scancentral -sscurl <ssc_url> -ssctoken <token> start --python-virtual-env <venv_location>

Submitting a scan request in a virtual environment

If you work in an activated virtual environment, your project dependencies are already installed in it, so you do not need to invoke the pip package manager before you start the job. Fortify ScanCentral SAST detects the Python version of the virtual environment automatically.

To start the scan job in a virtual environment:

  1. At the command prompt, activate the virtual environment.
  2. Start a job to scan the Python project as shown in the following example:

    scancentral -sscurl <ssc_url> -ssctoken <token> start

If the pip dependencies are not yet installed in the active virtual environment, Fortify ScanCentral SAST installs them automatically from the requirements file when you pass it on the command line, as in the following example:

scancentral -sscurl <ssc_url> -ssctoken <token> start --python-requirements <requirements_file_path>

Submitting a scan request in an unactivated virtual environment

To start the scan job in a virtual environment (with all dependencies installed) without activating that virtual environment:

  • At the command prompt, start the Python project scan as shown in the following examples:

    scancentral -sscurl <ssc_url> -ssctoken <token> start --python-virtual-env <venv_location>

    or

    scancentral -sscurl <ssc_url> -ssctoken <token> start --python-virtual-env <venv_location> --python-requirements <requirements_file_path>

Fortify ScanCentral SAST goes to the virtual environment, determines the Python version used, packages all required libraries, and then submits the scan job to the Controller.

Submitting a scan request outside of a virtual environment

To start the scan job when there is no virtual environment on the client, you must have Python installed on the client. If the Python version is not specified in the command, Fortify ScanCentral SAST uses the first working Python installation it finds on the PATH environment variable. Fortify ScanCentral SAST then creates a temporary virtual environment, installs all dependencies from the requirements file, and submits the job to the Controller.

To start the scan job outside of a virtual environment:

  • At the command prompt, start the scan job as shown in the following example:

    scancentral -sscurl <ssc_url> -ssctoken <token> start --python-version 3

To prevent Fortify ScanCentral SAST from automatically restoring dependencies using pip install, include the -skipBuild option in the scan request command. If dependencies were already restored before running Fortify ScanCentral SAST, they are included in the project package that is sent to the Controller.
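The following POSIX shell script is an added example and is not part of the Fortify documentation or the scancentral client. It assembles the scancentral argument list for the three Python scan modes described in the table and sections above (activated virtual environment, unactivated virtual environment, no virtual environment) and appends -skipBuild when the caller asks for it. The conventions it relies on are assumptions of this example: an activated virtual environment is recognised by the VIRTUAL_ENV variable that a venv's activate script exports, an unactivated one by the presence of its activate script, and SKIP_BUILD=1 requests -skipBuild. The SSC URL and token are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not Fortify's code): build the scancentral command line for
# the three Python scan modes. Assumes VIRTUAL_ENV marks an active venv and
# SKIP_BUILD=1 means "do not let ScanCentral run pip install".

# detect_mode VENV_DIR
# Prints "active", "unactivated" or "none".
detect_mode() {
    if [ -n "${VIRTUAL_ENV:-}" ]; then
        echo active
    elif [ -n "$1" ] && { [ -f "$1/bin/activate" ] || [ -f "$1/Scripts/activate" ]; }; then
        echo unactivated
    else
        echo none
    fi
}

# build_scan_args SSC_URL SSC_TOKEN REQUIREMENTS_FILE [VENV_DIR] [PYTHON_VERSION]
# Prints the arguments to pass to `scancentral`, one per line.
build_scan_args() {
    ssc_url=$1; ssc_token=$2; req_file=$3; venv_dir=${4:-}; py_version=${5:-3}
    mode=$(detect_mode "$venv_dir")
    set -- -sscurl "$ssc_url" -ssctoken "$ssc_token" start
    case "$mode" in
        active)      ;;  # Python version and dependencies come from the active venv
        unactivated) set -- "$@" --python-virtual-env "$venv_dir" ;;
        none)        set -- "$@" --python-version "$py_version" ;;
    esac
    # Pass the requirements file whenever it exists so that ScanCentral can
    # restore any dependencies that are still missing before packaging.
    if [ -f "$req_file" ]; then
        set -- "$@" --python-requirements "$req_file"
    fi
    # -skipBuild stops the automatic pip install; only dependencies already
    # restored on the client end up in the package sent to the Controller.
    if [ "${SKIP_BUILD:-0}" = 1 ]; then
        set -- "$@" -skipBuild
    fi
    printf '%s\n' "$@"
}

# run_scan: same parameters as build_scan_args; invokes the real client.
# Paths containing whitespace would be split here, so keep them plain.
run_scan() {
    # shellcheck disable=SC2046
    set -- $(build_scan_args "$@")
    scancentral "$@"
}

# Example usage with placeholder values (uncomment to run on a real client):
# run_scan https://ssc.example.internal/ssc "$SSC_TOKEN" requirements.txt
```

Calling build_scan_args without a venv directory and without VIRTUAL_ENV set yields the "outside of a virtual environment" form with --python-version; supplying an existing venv directory yields the --python-virtual-env form; running it from an activated venv yields the bare start command, with --python-requirements appended in every mode when the requirements file exists.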