
About Fortify Docs 21.2.0

Uploaded by

Hùng Đào
About Fortify Software Documentation

Congratulations on acquiring the latest Fortify Software products. You will notice that, apart from
the Micro Focus Fortify Static Code Analyzer Custom Rules Guide, the software downloads for this
release contain no product documentation. The very latest product documentation is available on
the Micro Focus Product Documentation website.

Please note that the Micro Focus Fortify Static Code Analyzer Custom Rules Guide is not available
on the Micro Focus Product Documentation website. That document is included with the product
download and is also available from support.

Getting Fortify Product Documentation


You can find the Micro Focus Fortify product documentation at
https://www.microfocus.com/support/documentation. There, you can search for a product by
selecting one from the list or by typing in the product name.

All guides are available in both PDF and HTML formats. Product help is available within the
Fortify WebInspect products.

Fortify Product Feature Videos


You can find videos that highlight Fortify products and features on the Fortify Unplugged
YouTube channel.

Products Available from Other Marketplaces


Micro Focus Fortify SourceAndLibScanner
Fortify SourceAndLibScanner provides a command-line interface that enables you to combine
both your Fortify Static Code Analyzer and Sonatype scans of your applications into a single
command. With this utility, you can integrate a single command into the build process of an
application that you want to scan on a one-time or continuous basis. You can also upload the
analysis results to Micro Focus Fortify Software Security Center.

You can download Fortify SourceAndLibScanner from the Fortify Marketplace. Complete
documentation is included with the software package.

Micro Focus Fortify Azure DevOps Extension


The Fortify Azure DevOps Extension adds static and dynamic analysis to your continuous
integration and continuous delivery builds. This integration helps you identify application
vulnerabilities earlier in the software development lifecycle. This extension includes tasks to install
and run Fortify Static Code Analyzer, submit static and dynamic scan requests to Fortify on
Demand, and run static and dynamic scan requests with Fortify ScanCentral SAST and Fortify
ScanCentral DAST, respectively.

You can download the Fortify Azure DevOps Extension from the Azure DevOps Marketplace and
access the product documentation at
https://www.microfocus.com/support/documentation/fortify-azure-devops-extension.

Micro Focus Fortify Extension for Visual Studio Code


Use the Fortify Extension for Visual Studio Code to identify security issues in your source code
with Micro Focus Fortify Static Code Analyzer from VS Code. There are three ways to analyze your
source code on the currently opened project:

• Upload your project to Fortify on Demand for static assessment.
• Run a locally-installed version of Fortify Static Code Analyzer on the project. View the analysis
results with Micro Focus Fortify Audit Workbench.
• Run a remote analysis on the project using Micro Focus Fortify ScanCentral SAST and
optionally upload the analysis results to Fortify Software Security Center.

You can download the Fortify Extension for Visual Studio Code from the Microsoft Visual Studio
Code Marketplace. Access the product documentation at
https://www.microfocus.com/documentation/fortify-visual-studio-code.

Micro Focus Fortify Security Assistant for Visual Studio


Security Assistant for Visual Studio provides real-time security analysis and results as you type
your code. It leverages Visual Studio's Error List and other VS components to help you find
security issues as you type code. You can use it to analyze a file or an entire solution. Security
Assistant is a lightweight, real-time code checker that developers can use to find a significant
portion of issues before they check in code to source control, where it can be subject to more
rigorous checks by more robust tools such as Fortify Static Code Analyzer. Fortify Security
Assistant uses downloaded Fortify Security Content, which includes both structural and
configuration rules, to detect high-likelihood issues.

You can download the Fortify Security Assistant extension from the Microsoft Visual Studio
Marketplace. Access the product documentation at
https://www.microfocus.com/documentation/fortify-security-assistant-plugin-for-visual-studio.

Micro Focus Fortify Security Assistant for Eclipse


Fortify Security Assistant for Eclipse integrates with the Eclipse Java development environment. It
works with the Fortify security content to provide alerts to potential security issues as you write
your Java code. Security Assistant for Eclipse provides detailed information about security risks
and recommendations on how to secure potential vulnerabilities. Security Assistant for Eclipse
uses downloaded Fortify Security Content that has been tuned to detect the following high-
likelihood issues:

• Potentially dangerous uses of functions and APIs
• Issues caused by tainted data reaching vulnerable functions and APIs at the intra-class level

The Fortify Security Assistant for Eclipse plugin is available in the Fortify SCA and Applications
electronic download package. Access the product documentation at
https://www.microfocus.com/documentation/fortify-security-assistant-plugin-for-eclipse.

Micro Focus Fortify Jenkins Plugin

Use the Fortify Jenkins Plugin in your continuous integration builds to identify security issues in
your source code with Micro Focus Fortify Static Code Analyzer.

The Fortify Jenkins Plugin provides three ways to analyze your source code:

• Offload the complete analysis to Fortify ScanCentral SAST.
• Perform translation on the local system and then offload the more CPU-intensive scan phase
to Fortify ScanCentral SAST.
• Perform the complete analysis on the local system.

You can run the analysis locally with Gradle, Maven, MSBuild, and Visual Studio (devenv). You can
also analyze your source code without a build tool.

After the Fortify Static Code Analyzer analysis is complete, you can upload the results to a Micro
Focus Fortify Software Security Center server. For a complete analysis run locally, the Fortify
Jenkins Plugin also enables you to view the analysis result details from within Jenkins. It provides
metrics for each build and an overview of the results, without requiring you to log into Fortify
Software Security Center.

The Fortify Jenkins Plugin is available from Jenkins. Access the product documentation at
https://www.microfocus.com/documentation/fortify-jenkins-plugin.

Micro Focus Fortify Plugin for Bamboo


Use the Micro Focus Fortify Plugin for Bamboo in your continuous integration builds to identify
security issues in your source code with Micro Focus Fortify Static Code Analyzer. After the Fortify
Static Code Analyzer analysis is complete, you can upload the results to Micro Focus Fortify
Software Security Center.

With the Fortify Plugin for Bamboo, you can integrate Fortify Static Code Analyzer with Gradle,
Maven, MSBuild, and Visual Studio (devenv). You can also scan your source code directly without
a build tool.

The Fortify Plugin for Bamboo is available through the Atlassian Marketplace. Access the product
documentation at https://www.microfocus.com/documentation/fortify-plugin-for-bamboo.

We Welcome Your Feedback


If you have comments or suggestions about the documentation, you can send these to the
documentation team at [email protected]. Please use the subject line “Feedback on
<Document_Title> <Product_Version>.” We appreciate your feedback!
