Applying a Scan Policy to the Analysis
For the analysis (scan) phase, you can specify a scan policy that narrows the reported issues to the most serious vulnerabilities so you can remediate the code quickly. The following table describes the three available scan policies.
Policy Name | Description |
---|---|
classic | This is the default scan policy. It does not prioritize the analysis results and has the same effect as not specifying a scan policy for the analysis. Fortify recommends that you run complete classic scans whenever possible. |
security | This scan policy excludes issues related to code quality from the analysis results. Use this policy to focus code remediation on the security issues. |
devops | This scan policy excludes the same issues as the security policy and additionally reduces the number of reported low-priority issues. Use this scan policy when scan speed is a priority and developers review results directly (without any intermediate auditing). Issues that remain after this scan policy is applied are probably serious security issues that require remediation. Note: The devops scan policy does not automatically include any customization made to the local security scan policy. |
To use a scan policy for your analysis, include the -scan-policy (or -sc) option in the analysis phase as shown in the following example:
sourceanalyzer -b MyProject -scan -scan-policy security -f MyResults.fpr
Alternatively, you can specify the scan policy with the com.fortify.sca.ScanPolicy property in the fortify-sca.properties file. For example:
com.fortify.sca.ScanPolicy=security
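Because the policy can come from either the command line or the properties file, it is useful to be able to work out which policy a given invocation will actually run with before kicking off a long scan. The following helper is an added example written for this page; it is not part of Fortify Static Code Analyzer and does not invoke sourceanalyzer. It parses a fortify-sca.properties fragment (a Java .properties file), looks for -scan-policy / -sc in an argument list, and resolves the effective policy, falling back to classic when nothing is set. It assumes, as is usual for sourceanalyzer options, that a command-line option overrides the properties file; the page does not state that precedence, so treat it as an assumption. The properties text is constructed for the example.

```python
"""Resolve the effective Fortify SCA scan policy (added example, not Fortify code)."""
from typing import Dict, List, Optional

# The three scan policies described in the documentation.
KNOWN_POLICIES = {"classic", "security", "devops"}
DEFAULT_POLICY = "classic"  # no policy specified behaves like classic
POLICY_PROPERTY = "com.fortify.sca.ScanPolicy"

# Constructed fortify-sca.properties fragment for the demo (not the shipped file).
SAMPLE_PROPERTIES = """\
# scan settings
! another comment style allowed in .properties files
com.fortify.sca.ScanPolicy=security
com.fortify.sca.Xmx = 4G
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser sufficient for fortify-sca.properties.

    Handles '#' and '!' comment lines, '=' or ':' separators and surrounding
    whitespace. Assumption: no backslash line continuations or unicode escapes
    are used in the settings we care about.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The first '=' or ':' separates key from value.
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""
            continue
        sep = min(seps)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def policy_from_cli(argv: List[str]) -> Optional[str]:
    """Return the value following -scan-policy or -sc in a sourceanalyzer argument list."""
    for i, arg in enumerate(argv):
        if arg in ("-scan-policy", "-sc"):
            if i + 1 >= len(argv):
                raise ValueError(f"{arg} requires a policy name")
            return argv[i + 1]
    return None


def is_known_policy(name: str) -> bool:
    """True when the name is one of the policies shipped in Core/config/scales."""
    return name in KNOWN_POLICIES


def effective_policy(argv: List[str], properties_text: str = "") -> str:
    """Combine command line and properties file into the policy that will apply.

    Precedence (assumption, not stated on the page): command line wins over
    fortify-sca.properties; if neither sets a policy the scan behaves as classic.
    """
    policy = policy_from_cli(argv)
    if policy is None:
        policy = parse_properties(properties_text).get(POLICY_PROPERTY) or None
    if policy is None:
        return DEFAULT_POLICY
    if not is_known_policy(policy):
        raise ValueError(
            f"unknown scan policy {policy!r}; expected one of {sorted(KNOWN_POLICIES)}"
        )
    return policy


if __name__ == "__main__":
    cmd = ["sourceanalyzer", "-b", "MyProject", "-scan",
           "-scan-policy", "devops", "-f", "MyResults.fpr"]
    print("command line only:      ", effective_policy(cmd))
    print("properties file only:   ", effective_policy(["sourceanalyzer", "-b", "MyProject", "-scan"],
                                                       SAMPLE_PROPERTIES))
    print("nothing set (default):  ", effective_policy(["sourceanalyzer", "-b", "MyProject", "-scan"]))
```

Run it against the real fortify-sca.properties from your installation to confirm which policy a CI job will use; an unknown policy name is rejected before any scan time is spent.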
Note: You can apply a filter file (see Excluding Issues with Filter Files) with a scan policy setting for an analysis. In this case, Fortify Static Code Analyzer applies both the scan policy and the filter file to the analysis.
The policy files are in the <sca_install_dir>/Core/config/scales directory. There is one file for each scan policy. You can modify the settings in these policy files to customize your scan policies. For information about the syntax used for the policy files, see Excluding Issues with Filter Files.