Performing an advanced scan with ScanCentral SAST

Use the Advanced Scan wizard to change the analysis options for a specific project from those configured in the analysis settings. Make sure that you have a ScanCentral SAST client configured (see Requirements to Scan with ScanCentral SAST).

To upload the analysis results to Fortify Software Security Center, make sure that you have specified an authentication token in the ScanCentral SAST configuration. For more information, see Configuring ScanCentral SAST options.

To perform an advanced scan using ScanCentral SAST:

  1. Select Tools > Fortify > Advanced Scan.

    The Advanced Scan wizard automatically includes all source files configured in IntelliJ or Android Studio.

    First page of Advanced Scan wizard

    If you scan several modules, the wizard displays a tab for each module. All modules are translated separately but analyzed together. To exclude a module, close its tab.

    The following options apply only to an analysis performed entirely on the local system: Java version, Build ID, Output path, and Enable Quick Scan mode. Ignore them for an analysis with ScanCentral SAST.

  2. Specify where you want to run the translation and scan phases of the analysis by doing one of the following:

    • To run the entire analysis with ScanCentral SAST, select Remote for Translation type.

      When you select Remote for the translation type, the Fortify Analysis Plugin automatically sets the Scan type to Remote.

    • To run the translation phase on the local system and the scan phase with ScanCentral SAST, select Local for Translation type and Remote for Scan type.

    • To run the entire analysis on the local system, select Local for both Translation type and Scan type. Skip the rest of this procedure and see Performing an Advanced Local Scan.

  3. To exclude files or directories that contain, for example, test source code, right-click the file or directory, and then select Exclude.

  4. The Fortify Analysis Plugin automatically detects the class path from the IntelliJ or Android Studio project settings. To add folders that the plugin has not detected in the class path, right-click a build directory and select Add to ClassPath.

  5. Click Next.

    Advanced Scan with ScanCentral - Select application version and sensor pool

  6. To upload the analysis results to Fortify Software Security Center, select the Send scan results to SSC check box and do the following:

    1. Click Select Application Version.

      Select Application Version dialog box

    2. Select the application version where you want to upload the analysis results, and then click OK.

  7. From the Sensor pool list, select a sensor pool.

    If ScanCentral SAST is in SSC lockdown mode, the sensor pool selection is not enabled. ScanCentral SAST automatically uses either the sensor pool associated with a selected application version or the default sensor pool.

  8. Click Next.

    A preview of the OpenText SAST and ScanCentral SAST command-line options for the analysis is displayed. The following image shows an example of a local translation and remote scan preview.

    Advanced Scan - Preview of commands

    The preview shows the command lines for the following phases:

    • (Local translation only) During the clean phase, OpenText SAST removes files from a previous translation of the project.

    • (Local translation only) During the translation phase, you can see one translation section for each selected module. You can change the class path and build parameters for each module individually. OpenText SAST translates source code identified in the previous page into an intermediate format associated with the build ID. (The build ID is typically the project name.)

      Any additional OpenText SAST translation options configured on the Advanced Options tab in the analysis settings are shown here. You can change any of the OpenText SAST options. For information about the available command-line options, see the OpenText™ Static Application Security Testing User Guide.

    • The Fortify Analysis Plugin uses the ScanCentral SAST start command to start a remote scan. You cannot modify this command.

  9. (Optional) To skip an analysis phase, clear the Enable clean check box or the Enable translation for <proj_name> check box. The ScanCentral SAST start command cannot be skipped.

  10. Click Finish.
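The three command lines that the wizard previews for a local translation and remote scan can be reproduced from a shell, for example in a CI job that cannot use the IDE. The script below is an added example and is not code from the plugin or from the OpenText documentation. The sourceanalyzer and scancentral flag names (-clean, -source, -cp, -exclude, start -b, -upload, -application, -version, -uptoken, -pool) are written from memory of those CLIs and should be checked against the wizard's preview page and the OpenText SAST and ScanCentral SAST guides; the build ID, paths, controller URL, application name and pool ID are placeholders. The token is referenced by environment variable inside the generated command so that it never appears in the printed command line.

```shell
#!/bin/sh
# Added example, not the plugin's own code. Mirrors the clean, translate and
# scancentral start phases previewed by the Advanced Scan wizard for a local
# translation plus remote scan. Flag names are assumed from the sourceanalyzer
# and scancentral CLIs; verify them against the wizard preview and the guides.
# Every value below is a placeholder.

BUILD_ID="${BUILD_ID:-myproj}"                  # build ID, typically the project name
SRC_DIR="${SRC_DIR:-src/main/java}"             # sources selected in the wizard
CLASSPATH_DIRS="${CLASSPATH_DIRS:-build/classes:lib/*.jar}"
JAVA_VERSION="${JAVA_VERSION:-11}"
CONTROLLER_URL="${CONTROLLER_URL:-https://controller.example.com/scancentral-ctrl}"
SSC_APP="${SSC_APP:-MyApp}"
SSC_VERSION="${SSC_VERSION:-1.0}"
SENSOR_POOL="${SENSOR_POOL:-}"                  # leave empty under SSC lockdown mode
SSC_UPTOKEN="${SSC_UPTOKEN:-}"                  # authentication token from the environment
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print the commands, do not execute

# Clean phase (local translation only): remove a previous translation of this build ID.
clean_cmd() {
    printf '%s\n' "sourceanalyzer -b $BUILD_ID -clean"
}

# Translation phase (local): translate the sources into the intermediate format
# tied to the build ID. Test sources are excluded, as right-click > Exclude does.
translate_cmd() {
    printf '%s\n' "sourceanalyzer -b $BUILD_ID -source $JAVA_VERSION -cp '$CLASSPATH_DIRS' -exclude 'src/test/**/*' $SRC_DIR"
}

# Scan phase (remote): submit the translated build to ScanCentral SAST and upload
# the results to SSC. -pool is added only when a pool was chosen; in SSC lockdown
# mode it is omitted and the controller picks the pool. The token is left as a
# variable reference so the printed command never contains it.
start_cmd() {
    cmd="scancentral -url $CONTROLLER_URL start -b $BUILD_ID -upload -application '$SSC_APP' -version '$SSC_VERSION' -uptoken \"\$SSC_UPTOKEN\""
    [ -n "$SENSOR_POOL" ] && cmd="$cmd -pool $SENSOR_POOL"
    printf '%s\n' "$cmd"
}

# An upload without a token is rejected by the controller, so refuse to submit one.
check_token() {
    [ -n "$SSC_UPTOKEN" ]
}

# Print or evaluate one command line; eval keeps "$SSC_UPTOKEN" expansion in this shell.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "[dry-run] $1"
    else
        eval "$1"
    fi
}

main() {
    run "$(clean_cmd)"
    run "$(translate_cmd)"
    if check_token || [ "$DRY_RUN" = "1" ]; then
        run "$(start_cmd)"
    else
        echo "SSC_UPTOKEN is not set; not submitting the remote scan" >&2
        return 2
    fi
}

main
```

Run it once with DRY_RUN=1 and compare the printed lines with the wizard's preview before setting DRY_RUN=0; any difference in flags is a sign that the remembered flag names above need correcting for your version.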