FortifySAST Connector

Getting started with Fortify On-Demand SAST connector

Updated this week

Support Note: FortifySAST on-prem is not supported


Start Scans application role with API authorization access. In order to create the application, follow the instructions:

  1. Log to Fortify account

  2. Navigate to Administration --> Settings --> API --> Add Key

  3. Add Application Name

  4. Choose Start Scans role

  5. Enable Authorize app to use API

  6. Click Save

  7. Copy the Secret Code and keep it somewhere safe. 

  8. Copy the Api Key of the relevant application and keep it somewhere safe

Configuring Fortify On-Demand SAST

In the Connectors page, click on Add a Connector

Click on Fortify SAST connector

Click on Forifty SAST connector.

Fill in the relevant fields:
Data Center - Choose Data Center from list to determine the API Root URL

Client Api ID - Key to communicate with Fortify API. Instructions of how to get the API Id can be found under section 1 in this document.
Client Api Secret - Key to authenticate with Fortify API. Instructions of how to get the API Secret can be found under section 1 in this document. 

Click on Create.

Viewing data from Fortify SAST in Vulcan

Vulcan provides the option to remediate vulnerabilities from 2 different angels:

  • Assets

  • Vulnerabilities

The data from Fortify On-Demand SAST will be displayed under Code Projects  - This tab gathers all data that was pulled from SAST and SCA tools. To filter only Fortify data, simply use the Search Bar

The Project column will display the Application Names that were scanned by

Last Report column will indicate the last completed scan time in Fortify.
Top Risk column will indicate  the highest risk-value from all risks that exists in a project.
Vulnerabilities column will indicate the number of issues instances. For example:
If Fortify indicates the following issues, Vulcan will display their total number under Vulnerabilities. 

Tags column will indicate the following values from Fortify:  'Business Criticality' and 'Application Type'.

Clicking on each project will open its Asset Card where you can view in project's data, including - All related vulnerabilities, affected code and details of projects and correlated data from other sources.

Codebase tab will indicate the exact location of the vulnerabilities:

You can view all data from Fortify On-Demand SAST in Vulnerabilities.  In order to filter only Fortify data, simply use the Search Bar.

You can start the remediation process by clicking on a vulnerability and view all details fetched from your Fortify account.
All the data from Fortify including the descriptions, the offered solutions, available fixes and more are in Vulcan.

Click on Take Action if you wish to open a ticket and assign it to a specific team or share your findings via Slack channels or emails.


Which Fortify API version are you using?
We use API Version 3. 

Can I pull also result from Dyanimc scans ?

Yes, by defining a dedicated Fortify DAST connector.

Did this answer your question?