Fortify Integrations - GitHub

Supported Products

Fortify on Demand Scan

Integrate your Static Application Security Testing (SAST) into your GitHub workflow with Fortify on Demand. This GitHub Action sets up the Fortify on Demand (FoD) Uploader – also referred to as the FoD Universal CI Tool, allowing you to:

Downloads and caches the specified version of the Fortify on Demand Uploader JAR file
Adds the FOD_UPLOAD_JAR environment variable containing the full path to the Fortify on Demand Uploader JAR file
Install
Video - Integrating Fortify SAST into a GitHub pipeline
Video - Fortify CI Integrations Part 1 (GitHub, GitLab, Bamboo)

Generate SARIF from Fortify on Demand

This GitHub Action invokes the Fortify on Demand (FoD) API to generate a SARIF log file of Static Application Security Testing (SAST) results. The SARIF output is optimized for subsequent import into GitHub to display vulnerabilities in the Security Code Scanning Alerts.

Install

Fortify ScanCentral Scan

Integrate Static Application Security Testing (SAST) into your GitHub workflows with Fortify. This GitHub Action sets up the Fortify ScanCentral Client, allowing you to:

Downloads, extracts and caches the specified version of the Fortify ScanCentral Client zip file
Adds the Fortify ScanCentral Client bin-directory to the path

These are the most common use cases for this GitHub Action:

Start a SAST scan on a ScanCentral environment; note that the ScanCentral Controller must be accessible from the GitHub Runner where the workflow is running.
Start a scan on Fortify on Demand (FoD), utilizing ScanCentral Client for packaging only;
Install
Video - Fortify CI Integrations Part 1 (GitHub, GitLab, Bamboo)

Generate SARIF from Fortify Software Security Center (SSC)

This GitHub Action invokes the Fortify Software Security Center (SSC) API to generate a SARIF log file of Static Application Security Testing (SAST) results. The SARIF output is optimized for subsequent import into GitHub to display vulnerabilities in the Security Code Scanning Alerts.

The primary use case for this action is after completion of a Fortify SCA or ScanCentral SAST scan.

Install

Fortify-related projects developed by Fortify Professional Services

Includes the following:

FortifyBugTrackerUtility – Automated submission of FoD and SSC vulnerabilities to external systems
FortifySyncFoDToSSC – Utility to synchronize FoD releases and scan results to SSC
fortify-integration-maven-webinspect – WebInspect Maven Plugin
fortify-ssc-parser-owasp-dependency-check – Fortify SSC Parser Plugin for OWASP Dependency Check results
fortify-ssc-parser-tenable-io-cs – Fortify SSC Parser Plugin for Tenable.io Container Security results
fortify-ssc-parser-burp – Fortify SSC Parser Plugin for BURP Suite
Install

About GitHub

GitHub is a development platform used by developers to host and review code, manage projects, and build software.

View Integration Page

Your browser is not supported

Fortify for GitHub