Quick Scan

Quick scan mode provides a way to quickly scan your projects for critical- and high-priority issues. Fortify Static Code Analyzer performs the scan faster by reducing the depth of the analysis. It also applies the Quick View filter set. Quick scan settings are configurable. For more details about the configuration of quick scan mode, see fortify-sca-quickscan.properties.

Quick scans are a great way to get many applications through an assessment so that you can quickly find issues and begin remediation. The performance improvement you get depends on the complexity and size of the application. Although the scan is faster than a full scan, it does not provide as robust a result set. Fortify recommends that you run full scans whenever possible.


The depth of the Fortify Static Code Analyzer analysis sometimes depends on the available resources. Fortify Static Code Analyzer uses a complexity metric to trade off these resources with the number of vulnerabilities that it can find. Sometimes, this means giving up on a particular function when it does not look like Fortify Static Code Analyzer has enough resources available.

Fortify Static Code Analyzer enables the user to control the “cutoff” point by using Fortify Static Code Analyzer limiter properties. The different analyzers have different limiters. You can run a predefined set of these limiters using a quick scan. See the fortify-sca-quickscan.properties for descriptions of the limiters.

To enable quick scan mode, use the -quick option with -scan option. With quick scan mode enabled, Fortify Static Code Analyzer applies the properties from the <sca_install_dir>/Core/config/fortify-sca-quickscan.properties file, in addition to the standard <sca_install_dir>/Core/config/fortify-sca.properties file. You can adjust the limiters that Fortify Static Code Analyzer uses by editing the fortify-sca-quickscan.properties file. If you modify fortify-sca.properties, it also affects quick scan behavior. Fortify recommends that you do performance tuning in quick scan mode, and leave the full scan in the default settings to produce a highly accurate scan. For description of the quick scan mode properties, see Fortify Static Code Analyzer Properties Files.

Using Quick Scan and Full Scan