Scanning .NET Application using FortifySCA from AzureDevOps

The steps below walk through scanning a .NET application for SAST with Fortify SCA from an Azure DevOps pipeline.


Prerequisite: Fortify SCA needs to be installed.

Step 1: Go to Pipelines and click on Pipelines.

Step 2: On the next screen, click on Classic Editor at the bottom.

Step 3: If the repository you want to scan belongs to a project in the same organization, choose Azure DevOps Git, then select the project and the Git repository to scan.

If the repository lives in another Azure DevOps organization, choose the Other Git option and enter the username and password for it.

Step 4: Click on Empty job at the top.

Step 5: Search for the Fortify task and add it (if the task is not yet available in your organization, you may need to install it first).

Step 6: Once the task is added, fill in the settings below to run Fortify. Specify a new license file if you have one, or leave that field empty; you can also specify a Build ID for Fortify SCA.

Select Run Fortify Clean, choose Application Type as .NET, choose Scan Type as "Local Scan", and enter any additional scan parameters if you need them.

Uploading results to SSC:

To upload results to SSC, add a Fortify Server endpoint and, for each application, choose an application name and application version (the application name is the one you entered in SSC). Once all of these are entered, click on Save.

When you run the job, it will start the Fortify scan on the code.
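For readers who want to see what the task is doing behind the form fields, here is the same clean / translate / scan / upload sequence written as a plain POSIX shell script that could run from a Command Line step. This is an added example, not code from the page or from the Fortify task itself. It assumes sourceanalyzer and fortifyclient are on the agent's PATH; every value in it (build ID, solution name, SSC URL, application name and version) is a placeholder to be supplied from pipeline variables, and the "dotnet build" translation command and the fortifyclient argument names come from the Fortify command-line tools as I know them, not from the page, so check them against your installed version.

```shell
#!/bin/sh
# Added example (not from the page): the clean / translate / scan / upload
# sequence the Fortify SCA task drives, as a script for an Azure DevOps
# Command Line step. Assumes sourceanalyzer and fortifyclient are on the
# agent's PATH. All values below are placeholders to be replaced by pipeline
# variables; the "dotnet build" translation command and the fortifyclient
# argument names are from the Fortify CLI as recalled here, not from the page.

# Pipeline inputs (placeholder defaults; set them as pipeline variables).
: "${FORTIFY_BUILD_ID:=myapp-build}"             # Build ID (sourceanalyzer -b)
: "${FORTIFY_SOLUTION:=MyApp.sln}"               # .NET solution to translate
: "${FORTIFY_FPR:=MyApp.fpr}"                    # scan output file
: "${FORTIFY_EXTRA_ARGS:=}"                      # "additional scan parameters"
: "${SSC_URL:=https://ssc.example.invalid/ssc}"  # Fortify Server endpoint
: "${SSC_APP_NAME:=MyApp}"                       # application name as created in SSC
: "${SSC_APP_VERSION:=1.0}"                      # application version in SSC
: "${SSC_AUTH_TOKEN:=}"                          # SSC token from a secret variable
: "${FORTIFY_DRY_RUN:=0}"                        # 1 = print commands instead of running

# run: execute a command, or echo it when FORTIFY_DRY_RUN=1 so the
# sequence can be reviewed (and tested) on a machine without Fortify.
run() {
  if [ "$FORTIFY_DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# "Run Fortify Clean": discard any earlier translation under this build ID,
# so stale files from a previous run cannot end up in this scan.
fortify_clean() {
  run sourceanalyzer -b "$FORTIFY_BUILD_ID" -clean
}

# Translate: run the .NET build under sourceanalyzer so it captures the sources.
fortify_translate() {
  run sourceanalyzer -b "$FORTIFY_BUILD_ID" dotnet build "$FORTIFY_SOLUTION"
}

# "Local Scan": analyse the translated code on this agent and write the FPR.
# $FORTIFY_EXTRA_ARGS is intentionally unquoted so it can carry several flags.
fortify_scan() {
  run sourceanalyzer -b "$FORTIFY_BUILD_ID" -scan -f "$FORTIFY_FPR" $FORTIFY_EXTRA_ARGS
}

# Upload to SSC. Refuses to run without a token so a missing or
# misconfigured secret variable is reported plainly instead of as a
# confusing authentication failure later on.
fortify_upload() {
  if [ -z "$SSC_AUTH_TOKEN" ]; then
    echo "fortify_upload: SSC_AUTH_TOKEN is not set; skipping upload" >&2
    return 2
  fi
  run fortifyclient uploadFPR -url "$SSC_URL" -authtoken "$SSC_AUTH_TOKEN" \
    -file "$FORTIFY_FPR" -application "$SSC_APP_NAME" \
    -applicationVersion "$SSC_APP_VERSION"
}

# Whole pipeline: each stage runs only if the previous one succeeded, so a
# failed translation cannot quietly produce an empty, "clean" scan result.
fortify_pipeline() {
  fortify_clean && fortify_translate && fortify_scan && fortify_upload
}

# Only run for real when asked: FORTIFY_RUN=1 sh fortify-scan.sh
if [ "${FORTIFY_RUN:-0}" = "1" ]; then
  fortify_pipeline
fi
```

In a pipeline, store the SSC token as a secret variable and map it into SSC_AUTH_TOKEN in the step's environment rather than writing it into the script; running the script with FORTIFY_DRY_RUN=1 prints the exact command sequence, which is a convenient way to review the build ID, FPR path and SSC target before the first real scan.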
