Join us

FAUN.dev is where engineers from GitHub, Netflix, and Shopify go to stay ahead β€” fast.

An effortless, straightforward way to keep up with technologies...so you can keep your tabs closed and your mind open!
70,000+ developers already joined ⭐⭐⭐⭐⭐
Trusted by developers at
Google β€’ Microsoft β€’ AWS β€’ Netflix

Fortify Static Code Analysis in Pipelines

@dkatara_pandit123 ・ Feb 15,2024 ・ 1 min read・ 2k views Β 

fortify

Implementation

Fortify SCA executes it vulnerability test by looking at the JAVA pom.xml file which contains all the dependencies. As the scanning is performed at the code level, the best practice is that it is performed as early as possible. This is achieved by running the scan after the code checkout, as to stop further processing of the build in case vulnerabilities are detected.

How the Fortify task works

Fortify works by analyzing the JAVA libraries for any known vulnerabilities. Required installed extension - Micro Focus Fortify. It is a white-box testing tool, it identifies the root cause of vulnerabilities and helps remediate the underlying security flaws. SAST solutions analyze an application from the β€œinside out” and do not reed a running system to perform a scan.

Fortify Agent

For the possibility to run Fortify task our project was provided with a special Agent from Security Team. The agent should be pointed in the β€œpool” section of pipelines and added to the project where you plan to use this task.

Pool configuration

pool:

name: Fortify

Task Usage Example

Official task documentation page: FortifySCA@7

Task 'SAST Fortify Report Generation' is used for converting scanning results to HTML format.

  • stage: Fortify
    jobs:

  • job: SAST
    timeoutInMinutes: 20
    pool:
    name: Fortify
    steps:

    • checkout: self

    # Fortify scan
    - task: FortifySCA@7
    displayName: 'SAST - FortifySCA'
    inputs:
    licenseFile: 'F:\fortify\fortify.license'
    applicationType: 'java'
    buildSourceVersion: '11'
    fortifyBuildId: '${{ parameters.servicename }}-fortify'
    fortifyScanType: 'LocalScan'

    # Export results in HTML format
    - task: CmdLine@2
    displayName: 'SAST Fortify Report Generation'
    inputs:
    script: >-
    BIRTReportGenerator -template "Developer Workbook"
    -source $(Build.ArtifactStagingDirectory)/sca_artifacts/${{ parameters.servicename }}-fortify.fpr
    -format HTML
    --UseFortifyPriorityOrder
    -output $(Build.ArtifactStagingDirectory)/sca_artifacts/${{ parameters.servicename }}-fortify-report.html

    # Publish Fortify results as pipeline artifact
    - publish: $(Build.ArtifactStagingDirectory)/sca_artifacts/${{ parameters.servicename }}-fortify-report.html
    artifact: FortifyReport

Quality Gates

The standard quality gates for Fortify Java language are used.

Limitation

The current Fortify SCA implementation has a limitation that reports are not sent back to Azure DevOps. For this purpose verification of Fortify report needs to occur manually on schedule.

The suggested schedule is:

  • Verify and fix vulnerabilities reported before promoting code from Dev to QA environment
  • Verify and fix vulnerabilities reported before promoting code from UAT to Production environment

As the reports need to be fetched manually on the Fortify server, it is recommended to coordinate with Info Sec team on a scheduled dates through the DevOps team.

Let's keep in touch!

Stay updated with my latest posts and news. I share insights, updates, and exclusive content.

By subscribing, you share your email with @dkatara_pandit123 and accept our Terms & Privacy. Unsubscribe anytime.

Give a Pawfive to this post!

Only registered users can post comments. Please, login or signup.

Share with your friends and followers

Start blogging about your favorite technologies, reach more readers and earn rewards!

Join other developers and claim your FAUN.dev account now!

Publish your first story!

FAUN.dev is where engineers from GitHub, Netflix, and Shopify go to stay ahead β€” fast.

An effortless, straightforward way to keep up with technologies...so you can keep your tabs closed and your mind open!
70,000+ developers already joined ⭐⭐⭐⭐⭐
Trusted by developers at
Google β€’ Microsoft β€’ AWS β€’ Netflix
Avatar

Deepanshu katara

Devops Team Leader, EPAM

@dkatara_pandit123
Devops Engineer, like to talk about cloud, devops , AI/ML
Developer Influence
20

Influence

2k

Total Hits

1

Posts

Join and showcase your work and skills