Analysis Options

The following table describes the analysis options.

Analysis Option Description

-b <build_id>

Specifies the build ID used in a prior translation command.

Equivalent Property Name:
com.fortify.sca.BuildID

-scan

Causes Fortify Static Code Analyzer to perform a security analysis for the specified build ID.

Note: Do not use this option together with the -scan-module option in the same sourceanalyzer command.

-scan-policy <policy_name> |
-sc <policy_name>

Specifies the scan policy to apply to the analysis. The valid policy names are classic, security, and devops. For more information, see Applying a Scan Policy to the Analysis.

Equivalent Property Name:
com.fortify.sca.ScanPolicy

-scan-module

Causes Fortify Static Code Analyzer to perform a security analysis for the specified build ID as a separate module.

Note: Do not use this option together with the -scan option in the same sourceanalyzer command.

Equivalent Property Name:
com.fortify.sca.ScanScaModule

-include-modules

Specifies, as a comma- or colon-separated list of build IDs, the libraries previously scanned as separate modules to include in the project scan.

Equivalent Property Name:
com.fortify.sca.IncludeScaModules

-analyzers <analyzer_list>

Specifies the analyzers to enable, as a colon- or comma-separated list. The valid analyzer names are buffer, content, configuration, controlflow, dataflow, nullptr, semantic, and structural. Use this option to leave out analyzers that your security requirements do not need.

Equivalent Property Name:
com.fortify.sca.DefaultAnalyzers

-p <level> |
-scan-precision <level>

Scans the project at the specified speed dial precision level. The lower the precision level, the faster the scan. The valid values are 1, 2, 3, and 4. For more information, see Configuring Scan Speed with Speed Dial.

Equivalent Property Name:
com.fortify.sca.PrecisionLevel

-project-root

Specifies the directory to store intermediate files generated in the translation and analysis phases. Fortify Static Code Analyzer makes extensive use of intermediate files located in this project root directory. In some cases, you can achieve better performance for analysis by making sure this directory is on local storage rather than on a network drive.

Equivalent Property Name:
com.fortify.sca.ProjectRoot

-project-template <file>

Specifies the issue template file to use for the scan. This only affects scans on the local machine. If you upload the FPR to Fortify Software Security Center, it uses the issue template assigned to the application version.

Equivalent Property Name:
com.fortify.sca.ProjectTemplate

-quick

Performs a quick scan of the project for critical- and high-priority issues using the fortify-sca-quickscan.properties file, which provides a less in-depth analysis. By default, quick scan disables the Buffer Analyzer and the Control Flow Analyzer. In addition, it applies the Quick View filter set. For more information, see Quick Scan.

Equivalent Property Name:
com.fortify.sca.QuickScanMode

-filter <file>

Specifies a results filter file. For more information, see Filtering the Analysis.

Equivalent Property Name:
com.fortify.sca.FilterFile

-bin <binary> |
-binary-name <binary>

Specifies a subset of source files to scan. Only the source files that were linked in the named binary at build time are included in the scan. You can use this option multiple times to specify the inclusion of multiple binaries in the scan.

Equivalent Property Name:
com.fortify.sca.BinaryName

-disable-default-rule-type <type>

Disables all rules of the specified type in the default Rulepacks. You can use this option multiple times to specify multiple rule types.

The <type> parameter is the XML tag minus the suffix Rule. For example, use DataflowSource for DataflowSourceRule elements. You can also specify specific sections of characterization rules, such as Characterization:Control flow, Characterization:Issue, and Characterization:Generic.

The <type> parameter is case-insensitive.

-no-default-issue-rules

Disables rules in default Rulepacks that lead directly to issues. Fortify Static Code Analyzer still loads rules that characterize the behavior of functions.

Note: This is equivalent to disabling the following rule types: DataflowSink, Semantic, Controlflow, Structural, Configuration, Content, Statistical, Internal, and Characterization:Issue.

Equivalent Property Name:
com.fortify.sca.NoDefaultIssueRules

-no-default-rules

Disables loading of rules from the default Rulepacks. Fortify Static Code Analyzer processes the Rulepacks for description elements and language libraries, but processes no rules.

Equivalent Property Name:
com.fortify.sca.NoDefaultRules

-no-default-source-rules

Disables source rules in the default Rulepacks.

Note: Characterization source rules are not disabled.

Equivalent Property Name:
com.fortify.sca.NoDefaultSourceRules

-no-default-sink-rules

Disables sink rules in the default Rulepacks.

Note: Characterization sink rules are not disabled.

Equivalent Property Name:
com.fortify.sca.NoDefaultSinkRules

-rules <file> | <dir>

Specifies a custom Rulepack or directory. You can use this option multiple times to specify multiple Rulepack files. If you specify a directory, Fortify Static Code Analyzer includes all the files in the directory with the .bin and .xml extensions.

Equivalent Property Name:
com.fortify.sca.RulesFile
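The script below is an added example, not part of Fortify Static Code Analyzer or its documentation. It checks a sourceanalyzer analysis command line against the constraints the table states (the -scan / -scan-module exclusion, the need for a build ID from the translation step, the valid analyzer names, precision levels and policy names) and maps the options it finds onto their equivalent property names, which helps when moving settings from a CI command line into a properties file. The option names, valid values and property names are the ones in the table; the sample commands, the check messages and the "true" value used for flag options are constructed for this example, and options the table does not list are passed through without comment.

```python
"""Lint a sourceanalyzer analysis command line and map its options to property names.
Added example, not Fortify's own tooling: option names, valid values and property
names come from the table; the messages, samples and "true" flag value are ours."""
import shlex

VALID_ANALYZERS = {"buffer", "content", "configuration", "controlflow",
                   "dataflow", "nullptr", "semantic", "structural"}
VALID_POLICIES = {"classic", "security", "devops"}
VALID_PRECISION = {"1", "2", "3", "4"}

# Option taking one argument -> equivalent property name (None: table lists none).
VALUE_OPTIONS = {
    "-b": "com.fortify.sca.BuildID",
    "-scan-policy": "com.fortify.sca.ScanPolicy", "-sc": "com.fortify.sca.ScanPolicy",
    "-include-modules": "com.fortify.sca.IncludeScaModules",
    "-analyzers": "com.fortify.sca.DefaultAnalyzers",
    "-p": "com.fortify.sca.PrecisionLevel", "-scan-precision": "com.fortify.sca.PrecisionLevel",
    "-project-root": "com.fortify.sca.ProjectRoot",
    "-project-template": "com.fortify.sca.ProjectTemplate",
    "-filter": "com.fortify.sca.FilterFile",
    "-bin": "com.fortify.sca.BinaryName", "-binary-name": "com.fortify.sca.BinaryName",
    "-disable-default-rule-type": None,
    "-rules": "com.fortify.sca.RulesFile",
}
# Option taking no argument -> equivalent property name.
FLAG_OPTIONS = {
    "-scan": None,
    "-scan-module": "com.fortify.sca.ScanScaModule",
    "-quick": "com.fortify.sca.QuickScanMode",
    "-no-default-issue-rules": "com.fortify.sca.NoDefaultIssueRules",
    "-no-default-rules": "com.fortify.sca.NoDefaultRules",
    "-no-default-source-rules": "com.fortify.sca.NoDefaultSourceRules",
    "-no-default-sink-rules": "com.fortify.sca.NoDefaultSinkRules",
}

# Constructed sample commands: one that follows the table, one that breaks it several ways.
GOOD = ("sourceanalyzer -b webapp -scan -analyzers dataflow:controlflow,semantic "
        "-scan-precision 3 -scan-policy security -bin libauth.so -bin webapp "
        "-rules custom-rules.xml -project-root /tmp/sca-work")
BAD = "sourceanalyzer -scan -scan-module -analyzers dataflow,nullpointer -p 5 -sc fast"


def split_list(value):
    """Split a colon- or comma-separated list, as -analyzers and -include-modules accept it."""
    return [item for item in value.replace(":", ",").split(",") if item]


def parse_command(command):
    """Return (flags, values): flag options seen, and each value option's arguments in
    order (None when the argument is missing). Options outside the table are skipped,
    because sourceanalyzer accepts many options the table does not cover."""
    tokens = shlex.split(command)
    flags, values = set(), {}
    i = 1 if tokens and tokens[0].endswith("sourceanalyzer") else 0
    while i < len(tokens):
        token = tokens[i]
        if token in FLAG_OPTIONS:
            flags.add(token)
        elif token in VALUE_OPTIONS:
            argument = tokens[i + 1] if i + 1 < len(tokens) else None
            values.setdefault(token, []).append(argument)
            if argument is not None:
                i += 1  # consume the argument as well
        i += 1
    return flags, values


def lint(command):
    """Return the problems the table's constraints rule out; empty when the command is clean."""
    flags, values = parse_command(command)
    problems = []
    for option, arguments in values.items():
        if None in arguments:
            problems.append(f"{option} is missing its argument")
    if "-scan" in flags and "-scan-module" in flags:
        problems.append("-scan and -scan-module must not be used in the same command")
    if ("-scan" in flags or "-scan-module" in flags) and "-b" not in values:
        problems.append("analysis needs the build ID from the translation step (-b <build_id>)")
    for value in values.get("-analyzers", []):
        unknown = sorted(set(split_list(value or "")) - VALID_ANALYZERS)
        if unknown:
            problems.append("unknown analyzer name(s): " + ", ".join(unknown))
    for option in ("-p", "-scan-precision"):
        for value in values.get(option, []):
            if value is not None and value not in VALID_PRECISION:
                problems.append(f"{option} {value}: precision level must be 1, 2, 3 or 4")
    for option in ("-sc", "-scan-policy"):
        for value in values.get(option, []):
            if value is not None and value not in VALID_POLICIES:
                problems.append(f"{option} {value}: policy must be classic, security or devops")
    return problems


def to_properties(command):
    """Map the command's analysis options onto their equivalent property names.
    Repeated options keep every value; flag options get the assumed value "true"."""
    flags, values = parse_command(command)
    properties = {}
    for option in sorted(flags):
        if FLAG_OPTIONS[option]:
            properties[FLAG_OPTIONS[option]] = ["true"]
    for option, arguments in values.items():
        if VALUE_OPTIONS[option]:
            properties.setdefault(VALUE_OPTIONS[option], []).extend(
                argument for argument in arguments if argument is not None)
    return properties


if __name__ == "__main__":
    for command in (GOOD, BAD):
        print(command, "->", lint(command) or "no problems found")
```

Running the module prints the verdict for both constructed commands; in a pipeline the natural use is to call lint() on the scan command before executing it and fail the job on a non-empty result, so a mistyped analyzer name or a stray -scan-module is caught before a long scan starts. to_properties() returns lists because -bin, -rules and -disable-default-rule-type may legitimately repeat; how a property file expresses repeated values is not stated in the table, so the function leaves that decision to the caller.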