Using the Fortify Maven Plugin

There are two ways to perform an analysis on a Maven project:

  • In an OpenText SAST build integration

    In this method, prepend the Maven command used to build your project with the sourceanalyzer command and any OpenText SAST options. To analyze your files as part of an OpenText SAST build integration:

    1. Clean out the previous build:

      sourceanalyzer -b MyProject -clean

    2. Translate the code:

      sourceanalyzer -b MyProject [<sca_options>] [<mvn_command_with_options>]

      Examples:

      sourceanalyzer -b MyProject mvn package
      sourceanalyzer -b MyProject -exclude "**/Test/*.java" mvn clean install

      See Command-Line Interface for descriptions of available OpenText SAST options.

    3. Run the scan and save the results in an FPR file as shown in the following example:

      sourceanalyzer -b MyProject [<sca_scan_options>] -scan -f MyResults.fpr

  • As a Maven Plugin

    In this method, you perform the analysis tasks as goals with the mvn command. For example, use the following command to translate source code:

    mvn com.fortify.sca.plugins.maven:sca-maven-plugin:25.3.0:translate

    To translate source code and exclude test files, pass the exclude pattern as a system property (use straight quotes so the shell hands the pattern to Maven unchanged):

    mvn -Dfortify.sca.exclude="**/Test/*.java" com.fortify.sca.plugins.maven:sca-maven-plugin:25.3.0:translate

    To analyze your code this way, see the documentation included with the Fortify Maven Plugin. The following table describes where to find the documentation after you install the Fortify Maven Plugin.

    Package type   Documentation location
    Binary         <root_dir>/docs/index.html
    Source         <root_dir>/sca-maven-plugin/target/site/index.html
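
The three-step build integration described under the first method above (clean, translate, scan), as an added example that is not part of the Fortify documentation: a POSIX sh wrapper that runs the steps in order, stops at the first failure, and confirms the FPR was written. It assumes sourceanalyzer is on PATH (the SCA and DRY_RUN variables are names chosen for this wrapper, not Fortify settings); DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/usr/bin/env sh
# Added example, not from the Fortify documentation: wraps the three-step
# OpenText SAST build integration for a Maven project so CI fails fast.
# Assumes sourceanalyzer is on PATH, or set SCA=/path/to/sourceanalyzer
# (SCA and DRY_RUN are names chosen for this wrapper, not Fortify settings).
SCA="${SCA:-sourceanalyzer}"

# Execute the command, or with DRY_RUN=1 print it on one line instead.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fortify_maven_scan BUILD_ID RESULTS_FPR EXCLUDE_PATTERN [MVN_COMMAND...]
# EXCLUDE_PATTERN may be "" to exclude nothing; MVN_COMMAND defaults to
# "mvn package". The pattern is passed as one quoted argument so the shell
# never globs it and "**/Test/*.java" reaches sourceanalyzer intact.
fortify_maven_scan() {
    build_id="$1"; results="$2"; exclude="$3"; shift 3
    [ "$#" -gt 0 ] || set -- mvn package

    # 1. Clean out the previous build.
    run "$SCA" -b "$build_id" -clean || return 1

    # 2. Translate: prepend sourceanalyzer to the Maven build command.
    if [ -n "$exclude" ]; then
        run "$SCA" -b "$build_id" -exclude "$exclude" "$@" || return 1
    else
        run "$SCA" -b "$build_id" "$@" || return 1
    fi

    # 3. Scan and save the FPR, then confirm the results file exists.
    run "$SCA" -b "$build_id" -scan -f "$results" || return 1
    if [ "${DRY_RUN:-0}" != "1" ] && [ ! -s "$results" ]; then
        echo "scan finished but $results is missing or empty" >&2
        return 1
    fi
}
```

After sourcing the file, `DRY_RUN=1 fortify_maven_scan MyProject MyResults.fpr '**/Test/*.java' mvn clean install` shows the exact three commands before CI is allowed to execute them.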