Fortify on Demand scanner reference
You can set up Fortify scans using a Security step: create a CI Build or Security Tests stage, add a Security step, and then add the setting:value pairs as specified below.
Security step settings
- product_name = fortifyondemand
- scan_type = repository
- policy_type = orchestratedScan, dataLoad, or ingestionOnly
- When policy_type is set to orchestratedScan or dataLoad:
  - product_domain
  - product_access_id
  - product_access_token
  - product_owner_id
  - product_entitlement
  - product_scan_type
  - product_app_name
  - product_release_name
  - product_target_language
  - product_target_language_version
  - product_scan_settings
    - accepted values: Custom, default
  - product_audit_type
  - product_lookup_type
    - accepted values: Dynamic, Static, Mobile
  - product_data_center
  - product_config_name
    - accepted value(s): sast (if product_lookup_type = Static), dast (if product_lookup_type = Dynamic)
- fail_on_severity
  - See Fail on Severity.
Repository scan settings
Ingestion scan settings
Fail on Severity
Every Security step has a Fail on Severity setting. If the scan finds any vulnerability with the specified severity level or higher, the pipeline fails automatically. You can specify one of the following:
- CRITICAL
- HIGH
- MEDIUM
- LOW
- INFO
- NONE (do not fail on severity)
The YAML definition looks like this:
fail_on_severity : critical # | high | medium | low | info | none
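As an added example (not taken from the Harness documentation above), here is a Security Tests stage whose Security step carries the settings listed on this page for an orchestrated static scan, with fail_on_severity set so that a high or critical finding stops the pipeline. The stage skeleton, the secret names and every angle-bracket value are assumptions to be replaced; the two Fortify on Demand credentials are read from Harness secrets so they never appear in plaintext in the pipeline definition.

```yaml
# Assumed Harness pipeline fragment: a Security Tests stage with one Security step.
pipeline:
  stages:
    - stage:
        name: fortify_security_tests
        identifier: fortify_security_tests
        type: SecurityTests
        spec:
          cloneCodebase: true
          execution:
            steps:
              - step:
                  type: Security
                  name: fortify_on_demand_scan
                  identifier: fortify_on_demand_scan
                  spec:
                    privileged: true
                    settings:
                      product_name: fortifyondemand
                      scan_type: repository
                      policy_type: orchestratedScan
                      # Required because policy_type is orchestratedScan
                      product_domain: <FOD_API_URL>                 # placeholder
                      # Credentials come from Harness secrets, not literals
                      product_access_id: <+secrets.getValue("fod_access_id")>
                      product_access_token: <+secrets.getValue("fod_access_token")>
                      product_owner_id: <FOD_OWNER_ID>              # placeholder
                      product_entitlement: <FOD_ENTITLEMENT>        # placeholder
                      product_scan_type: <FOD_SCAN_TYPE>            # placeholder
                      product_app_name: <FOD_APP_NAME>              # placeholder
                      product_release_name: <FOD_RELEASE_NAME>      # placeholder
                      product_target_language: <LANGUAGE>           # placeholder
                      product_target_language_version: <VERSION>    # placeholder
                      product_scan_settings: default
                      product_audit_type: <FOD_AUDIT_TYPE>          # placeholder
                      # product_config_name must match product_lookup_type:
                      # Static -> sast, Dynamic -> dast
                      product_lookup_type: Static
                      product_config_name: sast
                      product_data_center: <FOD_DATA_CENTER>        # placeholder
                      # Fail the pipeline on HIGH or CRITICAL findings
                      fail_on_severity: high
```

Switching product_lookup_type to Dynamic requires changing product_config_name to dast in the same edit, since the page defines the two as paired.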