Configuring Scan Speed with Speed Dial

You can configure the speed and depth of a scan by specifying a precision level for the analysis phase. These precision levels let you adjust the scan time to fit, for example, into a CI pipeline, so that a set of vulnerabilities is found quickly while the developer is still working on the code. Although scans that use the speed dial settings are faster than a full scan, they do not produce as robust a result set. Fortify recommends that you run full scans whenever possible.

The precision level controls the depth and precision of the scan by associating a set of configuration properties with each level. The configuration properties files for the levels are in the <sca_install_dir>/Core/config/scales directory, one file per level (level-<precision_level>.properties). You can modify the settings in these files to create your own precision levels.

To specify the speed dial setting for a scan, include the -scan-precision (or -p) option in the scan phase as shown in the following example:

sourceanalyzer -b MyProject -scan -scan-precision <level> -f MyResults.fpr

Note: You cannot use the speed dial setting and the -quick option in the same scan command.
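The following is an added example, not part of the Fortify documentation: a small POSIX shell wrapper of the kind a pipeline would use to pick a precision level per CI stage, validate it against the four documented levels, check that the backing level-<precision_level>.properties file exists, and build the sourceanalyzer scan command. It refuses to combine -scan-precision with -quick, which the note above says is not allowed. Only the options shown on this page (-b, -scan, -scan-precision, -f, -quick) are used; the stage names (commit, pr, nightly, release), the FORTIFY_SCA_HOME variable and the build ID are assumptions for the example.

```shell
#!/bin/sh
# Added example (not Fortify's own code): choose a Fortify SCA precision
# level per CI stage and build the scan command. Stage names and the
# FORTIFY_SCA_HOME variable are assumptions for this example.

# Map a CI stage name to a precision level: 1 or 2 for fast feedback on
# commits and pull requests, 4 (equivalent to a full scan) for nightly and
# release builds. Unknown stages fail instead of silently defaulting.
precision_for_stage() {
    case "$1" in
        commit)           echo 1 ;;
        pr)               echo 2 ;;
        nightly|release)  echo 4 ;;
        *)                return 1 ;;
    esac
}

# Accept only the four levels the documentation describes.
valid_precision() {
    case "$1" in
        1|2|3|4) return 0 ;;
        *)       return 1 ;;
    esac
}

# Check that the properties file backing the level exists under the SCA
# install directory, so a typo in a customised level is caught early.
level_properties_exist() {
    [ -f "${FORTIFY_SCA_HOME:?FORTIFY_SCA_HOME not set}/Core/config/scales/level-$1.properties" ]
}

# Print the scan command for a build ID, precision level and output FPR.
# Any extra options come in $4; the function refuses -quick there because
# it cannot be used together with -scan-precision in one scan command.
build_scan_cmd() {
    build_id=$1
    level=$2
    out_fpr=$3
    extra=${4:-}
    if ! valid_precision "$level"; then
        echo "invalid precision level: $level (expected 1-4)" >&2
        return 1
    fi
    case " $extra " in
        *" -quick "*)
            echo "-quick cannot be combined with -scan-precision" >&2
            return 1 ;;
    esac
    echo "sourceanalyzer -b $build_id -scan -scan-precision $level -f $out_fpr${extra:+ $extra}"
}

# Usage when run directly: ./fortify-scan.sh <stage> <build-id>
# Prints the command it would run; replace the final echo with eval to run it.
if [ "${1:-}" ] && [ "${2:-}" ]; then
    lvl=$(precision_for_stage "$1") || { echo "unknown stage: $1" >&2; exit 1; }
    cmd=$(build_scan_cmd "$2" "$lvl" "$2.fpr") || exit 1
    echo "$cmd"
fi
```

In a real pipeline the full-scan job (level 4) is the one whose results should gate a release; the level 1 and 2 jobs exist to give developers fast feedback and, as the text above notes, will report fewer issues.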

The following table describes the four precision levels.

Precision Level   Description
1                 The quickest scan, recommended when you are scanning only a few files. By default, a scan at this level disables the Buffer Analyzer, Control Flow Analyzer, Dataflow Analyzer, and Null Pointer Analyzer.
2                 By default, a scan at this level enables all analyzers but runs with reduced limiters, so it completes faster and reports fewer issues.
3                 Improves intermediate development scan speeds by up to 50% (with a reduction in reported issues). The improvement applies specifically to scan time for typed languages such as Java and C/C++.
4                 Equivalent to a full scan.

You can also specify the scan precision level with the com.fortify.sca.PrecisionLevel property in the fortify-sca.properties file. For example:

com.fortify.sca.PrecisionLevel=1