Configuring ScanCentral SAST options

This topic describes how to configure the default ScanCentral SAST options used when you submit a project for analysis. You can specify how to connect to the ScanCentral SAST Controller, whether to upload analysis results to Fortify Software Security Center, and other ScanCentral SAST settings (inclusion of test files, sensor pool selection, and notification email address). You can also specify OpenText SAST translation and scan options to include in the analysis.

To configure the ScanCentral SAST options:

  1. Select Tools > Fortify > Analysis Settings.
  2. For local translation, you must provide the location of a locally installed OpenText SAST. If the Fortify executable path shows <Unavailable>, do the following:

    1. Click Browse to the right of Fortify executable path.

    2. Go to the OpenText SAST installation directory and select the executable file.

      Make sure to set the file type to sourceanalyzer executable.

    3. Click OK.
  3. To configure the ScanCentral SAST client location:
    1. Click Browse to the right of ScanCentral Client Path.
    2. Go to the ScanCentral SAST installation directory and do one of the following:
      • If you are using a standalone client installed with OpenText™ Application Security Tools, navigate to <tools_install_dir>/bin/ and select scancentral.bat (on Windows) or scancentral (on non-Windows).
      • If the standalone client is installed in a different location, navigate to the installation directory and select scancentral.bat (on Windows) or scancentral (on non-Windows).
  4. Select the ScanCentral SAST Configuration tab.

  5. (Optional) Select Include test files in scan to include the test source set (Gradle) or a test scope (Maven) with the scan.

  6. To specify how to connect to ScanCentral SAST, do one of the following:

    • Select Use Controller URL, and then in the Controller URL box, type the URL for the ScanCentral SAST Controller.

      Example: https://<controller_host>:<port>/scancentral-ctrl

      Click Test Connection to confirm that the URL is valid and that the Controller is accessible.

    • Select Get Controller URL from SSC, and then in the Token box, paste the decoded token value for an authentication token of type ToolsConnectToken.

      For instructions about how to create an authentication token from Fortify Software Security Center, see the OpenText™ Fortify Software Security Center User Guide.

      Make sure that the URL of the Fortify Software Security Center server integrated with the ScanCentral SAST Controller is provided on the Server Configuration tab (see Working with Fortify Software Security Center).

      Click Test Connection to confirm that the URL and token are valid and that the server is accessible.

  7. To upload the analysis results to Fortify Software Security Center, do the following:

    1. Select the Send scan results to SSC check box.

    2. In the Token box, paste the decoded token value for an authentication token of type ToolsConnectToken.

      If you connect to ScanCentral SAST using a Controller URL, analysis results are uploaded to the Fortify Software Security Center server specifically integrated with the ScanCentral SAST Controller.

  8. Under Sensor pool, specify whether to use the default sensor pool or to select one from a list of available sensor pools when you run a ScanCentral SAST scan.

    If ScanCentral SAST is in SSC lockdown mode, the sensor pool selection is disabled. ScanCentral SAST automatically uses either the sensor pool associated with a selected application version or the default sensor pool.

  9. (Optional) In the Notification email box, type an email address for job status notification.
  10. (Optional) To specify OpenText SAST command-line options for the translation or scan phase:

    1. Select the Advanced Options tab.

    2. Select the Use additional SCA options check box and type OpenText SAST command‑line options for the translation or scan phase.

      For detailed information about the available OpenText SAST options, see the OpenText™ Static Application Security Testing User Guide.

  11. Click OK to save the configuration.
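The following script is an added example and is not part of this documentation or of the plugin. It performs the two pre-flight checks a practitioner typically wants before clicking Test Connection (that the Controller URL has the expected https://<controller_host>:<port>/scancentral-ctrl form and is not plain http, and that the pasted value is the decoded ToolsConnectToken rather than the encoded form), then prints the equivalent scancentral command line for a headless run with the same settings. It assumes a POSIX shell with grep(1) and base64(1), assumes that the encoded token SSC displays is the base64 encoding of the decoded UUID, and uses constructed host names, a constructed pool UUID, a placeholder application name and version, and a placeholder token. The scancentral flags shown (-url, -sscurl, -ssctoken, start, -bt, -upload, -uptoken, -application, -version, -email, -pool) should be checked against the help output of the client version you installed.

```shell
#!/bin/sh
# Added example, not from the Fortify documentation or the plugin: pre-flight checks
# for the values entered in the ScanCentral SAST Configuration tab, and the equivalent
# scancentral command line for a headless run with the same settings.
# Assumptions: POSIX sh with grep(1) and base64(1); host names, the pool UUID, the
# application name/version and the token below are constructed placeholders.

UUID_RE='^[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}$'

# The Controller URL has the form https://<controller_host>:<port>/scancentral-ctrl.
# Plain http is rejected because the ToolsConnectToken travels over that channel.
check_controller_url() {
  case "$1" in
    https://*/scancentral-ctrl | https://*/scancentral-ctrl/) return 0 ;;
    http://*) echo "refusing plain-http Controller URL: $1" >&2; return 1 ;;
    *) echo "unexpected Controller URL (expected .../scancentral-ctrl): $1" >&2; return 1 ;;
  esac
}

# The dialog wants the *decoded* token (UUID form). SSC also displays an encoded form,
# assumed here to be the base64 encoding of the decoded UUID; if that form is pasted,
# emit the decoded value instead of failing.
normalize_token() {
  if printf '%s' "$1" | grep -q "$UUID_RE"; then
    printf '%s\n' "$1"
    return 0
  fi
  dec=$(printf '%s' "$1" | base64 -d 2>/dev/null) || dec=''
  if printf '%s' "$dec" | grep -q "$UUID_RE"; then
    echo "note: encoded token supplied, using its decoded value" >&2
    printf '%s\n' "$dec"
    return 0
  fi
  echo "token is neither a decoded (UUID) nor an encoded ToolsConnectToken" >&2
  return 1
}

# Equivalent headless invocation with the same settings as the dialog. The flags are
# those of the scancentral client as documented (-url or -sscurl/-ssctoken, start,
# -bt, -upload/-uptoken, -application/-version, -email, -pool); verify them with
# `scancentral start -help` for your version. The command is printed, not executed,
# so the mapping from dialog settings to flags can be reviewed.
build_start_cmd() {
  # $1 mode: "controller" (Use Controller URL) or "ssc" (Get Controller URL from SSC)
  # $2 URL for that mode; $3 token as pasted; $4 build tool (gradle|mvn|none)
  # $5 notification email; $6 sensor pool UUID, or "" for the default pool
  tok=$(normalize_token "$3") || return 1
  case "$1" in
    controller) check_controller_url "$2" || return 1; conn="-url $2" ;;
    ssc)        conn="-sscurl $2 -ssctoken $tok" ;;
    *)          echo "mode must be controller or ssc" >&2; return 1 ;;
  esac
  cmd="scancentral $conn start -bt $4 -upload -uptoken $tok -application demo-app -version 1.0 -email $5"
  if [ -n "$6" ]; then
    cmd="$cmd -pool $6"
  fi
  printf '%s\n' "$cmd"
}

main() {
  ctrl='https://controller.example.internal:8443/scancentral-ctrl'
  decoded='6f2f1c3a-9b4e-4d5c-8a7b-0c1d2e3f4a5b'        # placeholder, not a real token
  encoded=$(printf '%s' "$decoded" | base64)            # what the SSC "encoded" field would show
  check_controller_url "$ctrl" && echo "controller URL ok"
  normalize_token "$encoded"
  build_start_cmd controller "$ctrl" "$decoded" gradle sec-alerts@example.internal ''
  build_start_cmd ssc https://ssc.example.internal/ssc "$encoded" mvn \
    sec-alerts@example.internal 0c1d2e3f-4a5b-4c6d-8e7f-9a0b1c2d3e4f
}
main "$@"
```

Text entered under Use additional SCA options on the Advanced Options tab corresponds to the client's translation and scan argument options on the same command line; when SSC lockdown mode is in effect (step 8), leave the pool unspecified so the Controller applies the pool bound to the application version or the default pool.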