Configuring ScanCentral SAST options

This section describes how to configure the default ScanCentral SAST options to use when you submit a solution or project to ScanCentral SAST for analysis. You can specify how to connect to the ScanCentral SAST Controller, which sensor pool to use, and whether to upload analysis results to Application Security. To change the analysis options and perform a scan for a specific solution, see Advanced Scanning of Projects or Solutions with ScanCentral SAST.

To configure the ScanCentral SAST options:

  1. From the Fortify extension menu, select Options.
  2. For local translation, you must provide the location of a locally installed OpenText SAST. If the Fortify executable path shows <Unavailable>, do the following:

    1. Click Browse to the right of Fortify executable path.

    2. Go to the OpenText SAST installation directory and select the executable file.

      Make sure to set the file type to sourceanalyzer executable.

    3. Click OK.
  3. To configure the ScanCentral SAST client location:
    1. Click Browse to the right of ScanCentral Client Path.
    2. Go to the ScanCentral SAST installation directory and do one of the following:
      • If you are using a standalone client installed with OpenText™ Application Security Tools, navigate to <tools_install_dir>/bin/ and select scancentral.bat (on Windows) or scancentral (on non-Windows).
      • If the standalone client is installed in a different location, navigate to the installation directory and select scancentral.bat (on Windows) or scancentral (on non-Windows).
  4. In the left pane, select ScanCentral SAST Configuration.

    (Screenshot: Fortify Options: ScanCentral SAST Configuration)
  5. To specify how to connect to ScanCentral SAST, do one of the following:

    • Select Use Controller URL, and then in the Controller URL box, type the URL for the ScanCentral SAST Controller.

      Example: https://<controller_host>:<port>/scancentral-ctrl

      Click Test Controller Connection to confirm that the URL is valid and that the Controller is accessible.

    • Select Get Controller URL from SSC, and then in the Token box, paste the value for an authentication token of type ToolsConnectToken.

      Make sure that you have the Application Security URL that is associated with the ScanCentral SAST Controller provided in the Server Configuration options (see Configuring a Connection to Application Security).

      Click Test SSC Connection to confirm that the URL and token are valid and that the server is accessible.

  6. To upload the analysis results to Application Security, select the Send Scan Results to SSC check box.

    • In the Token box, paste the value for an authentication token of type ToolsConnectToken.

      If you connect to ScanCentral SAST using a Controller URL, Fortify Extension for Visual Studio uploads analysis results to the Application Security server that is integrated with that ScanCentral SAST Controller.

  7. (Optional) To specify OpenText SAST command-line options for the translation or scan phase:

    This step requires a local installation of OpenText SAST that includes an embedded ScanCentral SAST client, specified on the Security Content Management page.

    1. Click Advanced Scan Options.

      The Project Configuration page opens to the Advanced Scan Options tab.

    2. Select the Use Additional Static Code Analyzer Options check box and type OpenText SAST command‑line options for the translation or scan phase.

      For detailed information about the available OpenText SAST options and the proper syntax, see the OpenText™ Static Application Security Testing User Guide.

    3. In the left pane, select ScanCentral SAST Configuration to return to the ScanCentral SAST option configuration.

  8. Under Sensor Pool, specify whether to use the default sensor pool or to be given a list of sensor pools to choose from when you start a scan with ScanCentral SAST.

  9. (Optional) In the Notification Email box, type an email address to receive job status notifications.
  10. Click OK to save your configuration.