Create an application with the Start Scans role and API authorization access. To create the application, follow these instructions:
Log in to your Fortify account
Navigate to Administration --> Settings --> API --> Add Key
Add the Application Name
Choose the Start Scans role
Enable Authorize app to use API
Copy the Secret Code and keep it somewhere safe.
Copy the API Key of the relevant application and keep it somewhere safe.
Configuring Fortify On-Demand SAST
In the Connectors page, click on Add a Connector
Click on Fortify SAST connector
Fill in the relevant fields:
Data Center - Choose the Data Center from the list; this determines the API Root URL.
Client API ID - The key used to communicate with the Fortify API. Instructions for obtaining the API ID are in section 1 of this document.
Client API Secret - The key used to authenticate with the Fortify API. Instructions for obtaining the API Secret are in section 1 of this document.
Click on Create.
Viewing data from Fortify SAST in Vulcan
Vulcan provides the option to remediate vulnerabilities from 2 different angles:
The data from Fortify On-Demand SAST is displayed under Code Projects. This tab gathers all data pulled from SAST and SCA tools. To filter only Fortify data, simply use the Search Bar.
The Project column will display the Application Names that were scanned by
The Last Report column indicates the time of the last completed scan in Fortify.
The Top Risk column indicates the highest risk value among all risks that exist in a project.
The Vulnerabilities column indicates the number of issue instances. For example:
If Fortify reports the following issues, Vulcan displays their total number under Vulnerabilities.
The Tags column shows the following values from Fortify: 'Business Criticality' and 'Application Type'.
Clicking a project opens its Asset Card, where you can view the project's data, including all related vulnerabilities, the affected code, project details and correlated data from other sources.
The Codebase tab indicates the exact location of the vulnerabilities:
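The following script is an added example and is not part of the Vulcan documentation or Vulcan's own code. It ties together the connector configuration above (Data Center, Client API ID, Client API Secret) and the Code Projects columns: it lets you confirm a Fortify credential pair authenticates before you enter it in Vulcan, and it computes the Top Risk and Vulnerabilities values from a constructed sample of scan findings. The data-centre URL map, the /oauth/token endpoint with its form fields and the api-tenant scope, and the severityString field are assumptions about the Fortify on Demand v3 API.

```python
"""Check a Fortify on Demand credential pair and summarise findings the way Vulcan does.

Added example; all API details below are assumptions, not taken from the Vulcan page.
"""
import json
import os
import urllib.parse
import urllib.request

# Assumed: API root URL per Fortify on Demand data centre (the connector's "Data Center" field).
API_ROOTS = {
    "AMS": "https://api.ams.fortify.com",
    "EMEA": "https://api.emea.fortify.com",
    "APAC": "https://api.apac.fortify.com",
}

# Ordering used to pick the "Top Risk" value of a project.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def api_root_for(data_center: str) -> str:
    """Map the chosen data centre to the API root URL the connector will talk to."""
    return API_ROOTS[data_center.upper()]


def token_request(data_center: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the client-credentials token request (assumed endpoint: POST /oauth/token).

    The secret is sent only in the POST body, never in the URL, so it cannot end up
    in proxy or web-server access logs.
    """
    body = urllib.parse.urlencode({
        "scope": "api-tenant",  # assumed scope name for tenant-level API access
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(api_root_for(data_center) + "/oauth/token", data=body, method="POST")


def summarize_project(vulns: list) -> dict:
    """Reproduce the Code Projects columns: Top Risk (highest severity) and Vulnerabilities (count)."""
    top = max((v["severityString"] for v in vulns), key=SEVERITY_RANK.__getitem__, default=None)
    return {"top_risk": top, "vulnerabilities": len(vulns)}


if __name__ == "__main__":
    # Credentials are read from the environment; never hard-code the API secret in a script.
    req = token_request(os.environ["FOD_DC"], os.environ["FOD_CLIENT_ID"], os.environ["FOD_CLIENT_SECRET"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        print("token acquired:", "access_token" in json.load(resp))
```

Run it with FOD_DC, FOD_CLIENT_ID and FOD_CLIENT_SECRET set; a successful token response means the key and secret are the pair to paste into the connector form.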
You can view all data from Fortify On-Demand SAST under Vulnerabilities. To filter only Fortify data, simply use the Search Bar.
You can start the remediation process by clicking a vulnerability and viewing all the details fetched from your Fortify account.
All the data from Fortify including the descriptions, the offered solutions, available fixes and more are in Vulcan.
Click on Take Action if you wish to open a ticket and assign it to a specific team or share your findings via Slack channels or emails.
Which Fortify API version are you using?
We use API Version 3.
Can I also pull results from Dynamic scans?
Yes, by defining a dedicated Fortify DAST connector.