
About Fortify Docs 223.2.0

Uploaded by

fq900916

About Fortify Software Documentation

Congratulations on acquiring the latest Fortify Software products. The very latest product
documentation is available on the Product Documentation website.

Please note that the Fortify Static Code Analyzer Custom Rules Guide is not available on the
Product Documentation website. That document is included with the product download and is
also available from support.

Getting Fortify Product Documentation

You can find the Fortify product documentation at
https://www.microfocus.com/support/documentation. There, you can search for a product by
selecting one from the list or by typing the product name.
Most guides are available in both PDF and HTML formats. Product help is available within the
Fortify WebInspect products.

Fortify Product Feature Videos

You can find videos that highlight Fortify products and features on the Fortify Unplugged
YouTube channel.

Products Available from Other Marketplaces

Fortify Azure DevOps Extension


The Fortify Azure DevOps Extension adds static and dynamic analysis to your continuous
integration and continuous delivery builds. This integration helps you identify application
vulnerabilities earlier in the software development lifecycle. This extension includes tasks to install
and run Fortify Static Code Analyzer, submit static and dynamic scan requests to Fortify on
Demand, and run static and dynamic scan requests with Fortify ScanCentral SAST and Fortify
ScanCentral DAST, respectively.
You can download the Fortify Azure DevOps Extension from the Azure DevOps Marketplace and
access the product documentation at
https://www.microfocus.com/documentation/fortify-azure-devops-extension.

Fortify Plugin for Bamboo


The Fortify Jenkins Plugin adds static analysis to your continuous integration and continuous
delivery builds. This integration uses Fortify Static Code Analyzer to identify security issues in
your source code. After the analysis is complete, you can upload the results to Fortify Software
Security Center.

With the Fortify Plugin for Bamboo, you can integrate Fortify Static Code Analyzer with Gradle,
Maven, MSBuild, and Visual Studio (devenv). You can also scan your source code directly, without
a build tool.
The Fortify Plugin for Bamboo is available through the Atlassian Marketplace. Access the product
documentation at https://www.microfocus.com/documentation/fortify-plugin-for-bamboo.

Fortify Jenkins Plugin

The Fortify Jenkins Plugin adds static analysis to your continuous integration and continuous
delivery builds. This integration uses Fortify Static Code Analyzer to identify security issues in
your source code.
The Fortify Jenkins Plugin provides three ways to analyze your source code:
• Offload the complete analysis to Fortify ScanCentral SAST.
• Perform translation on the local system and then offload the more CPU-intensive scan phase
to Fortify ScanCentral SAST.
• Perform a complete analysis on the local system.
You can run the analysis locally with Gradle, Maven, MSBuild, and Visual Studio (devenv). You can
also analyze your source code without a build tool.
After the Fortify Static Code Analyzer analysis is complete, you can upload the results to a Fortify
Software Security Center server. For a complete analysis run locally, the Fortify Jenkins Plugin also
enables you to view the analysis result details from within Jenkins. It provides metrics for each
build and an overview of the results, without requiring you to log into Fortify Software Security
Center.
The Fortify Jenkins Plugin is available from the Jenkins Plugins Index. Access the product
documentation at https://www.microfocus.com/documentation/fortify-jenkins-plugin.

Fortify Remediation Plugin for Eclipse


Connect to a Fortify Software Security Center server with the Fortify Remediation Plugin for
Eclipse to view your analysis results. Use the Fortify Remediation Plugin for Eclipse to audit and
comment on the issues discovered in your scanned projects directly from the IDE. Use the Fortify
Remediation Plugin to:
• Review in-depth issue descriptions and mitigation recommendations
• Quickly navigate to the issue in code
• Tag issues with your audit evaluation
• Add comments and assign issues to users
The Fortify Remediation Plugin for Eclipse is available from the Eclipse Marketplace. Access the
product documentation at
https://www.microfocus.com/documentation/fortify-remediation-plugin-for-eclipse.

Fortify Security Assistant for Eclipse


The Fortify Security Assistant plugin for Eclipse works with Fortify security content to alert you
to potential security issues as you write your Java code. Security Assistant for Eclipse provides
detailed information about security risks and recommendations on how to secure potential
vulnerabilities. Security Assistant for Eclipse includes the semantic and intra-class data flow
analyzers to detect:
• Potentially dangerous use of functions and APIs
• Issues caused by tainted data reaching vulnerable functions and APIs at the intra-class level
The Fortify Security Assistant for Eclipse plugin is available in the Fortify Applications and Tools
electronic download package. Access the product documentation at
https://www.microfocus.com/documentation/fortify-security-assistant-plugin-for-eclipse.

Fortify Remediation Plugin for IntelliJ IDEA and Android Studio

Connect to a Fortify Software Security Center server with the Fortify Remediation Plugin for
IntelliJ IDEA and Android Studio to view your analysis results. Use the Fortify Remediation Plugin
to audit and comment on the issues discovered in your scanned projects directly from the IDE. Use
the Fortify Remediation Plugin to:
• Review in-depth issue descriptions and mitigation recommendations
• Quickly navigate to the issue in code
• Tag issues with your audit evaluation
• Add comments and assign issues to users
The Fortify Remediation Plugin for IntelliJ IDEA and Android Studio is available from the JetBrains
Marketplace. Access the product documentation at
https://www.microfocus.com/documentation/fortify-remediation-plugin-for-intellij-and-android-studio.

Fortify Security Assistant for IntelliJ IDEA and Android Studio


The Fortify Security Assistant plugin for IntelliJ IDEA and Android Studio works with Fortify
security content to alert you to potential security issues as you write your code. Fortify Security
Assistant provides detailed information about security risks and recommendations on how to
secure potential vulnerabilities. Fortify Security Assistant includes both structural and
configuration analyzers to detect:
• Potentially dangerous use of functions and APIs
• Insecure application configurations in property and XML files
The Fortify Security Assistant plugin for IntelliJ IDEA and Android Studio is available from the
JetBrains Marketplace. Access the product documentation at
https://www.microfocus.com/documentation/fortify-security-assistant-plugin-for-intelliJ.

Fortify SourceAndLibScanner
Fortify SourceAndLibScanner provides a command-line interface that enables you to combine
both your Fortify Static Code Analyzer and Sonatype scans into a single command. With this
utility, you can integrate a single command into the build process of an application that you want
to scan on a one-time or continuous basis. You can also upload the analysis results to Fortify
Software Security Center.
You can download Fortify SourceAndLibScanner from the Fortify Marketplace. Documentation is
included with the software package.

Fortify Security Assistant for Visual Studio


Fortify Security Assistant Extension for Visual Studio provides real-time security analysis and
results as you type your code. It leverages Visual Studio's Error List and other Visual Studio
components to help you find security issues as you type code. You can use it to analyze a file or
an entire solution. Security Assistant is a lightweight, real-time code checker that developers can
use to find a significant portion of issues before they check in code to source control, where it can
be subject to more rigorous checks by more robust tools such as Fortify Static Code Analyzer.
Fortify Security Assistant uses downloaded Fortify security content, which includes both
structural and configuration rules, to detect high-likelihood issues.
You can download the Fortify Security Assistant extension from the Microsoft Visual Studio
Marketplace. Access the product documentation at
https://www.microfocus.com/documentation/fortify-security-assistant-plugin-for-visual-studio.

OpenText™ Fortify Extension for Visual Studio Code

Use the Fortify Extension for Visual Studio Code to identify security issues in your source code
with Fortify Static Code Analyzer from VS Code. There are three ways to analyze your source code
in an open project:
• Upload your project to Fortify on Demand for static assessment.
• Analyze the project with a locally-installed version of Fortify Static Code Analyzer. View the
analysis results with Fortify Audit Workbench.
• Run a remote analysis on the project using Fortify ScanCentral SAST, and optionally upload
the analysis results to Fortify Software Security Center.
You can download the Fortify Extension for Visual Studio Code from the Microsoft Visual Studio
Code Marketplace. Access the product documentation at
https://www.microfocus.com/documentation/fortify-visual-studio-code.

OpenText™ Fortify Remediation Extension for Visual Studio Code


With the Fortify Remediation Extension for Visual Studio Code, you can view and audit issues
directly from an application version in Fortify Software Security Center. Use the Fortify
Remediation extension to:
• Review in-depth issue descriptions and mitigation recommendations
• Quickly navigate to the issue in code
• Tag issues with your audit evaluation
• Add comments and assign issues to users
You can download the Fortify Remediation Extension for Visual Studio Code from the Microsoft
Visual Studio Code Marketplace. Access the product documentation at
https://www.microfocus.com/documentation/fortify-visual-studio-code.

We Welcome Your Feedback


If you have comments or suggestions about the documentation, you can send these to the
documentation team at [email protected]. Please use the subject line “Feedback on
<Document_Title> <Product_Version>.” We appreciate your feedback!
