Automates checking and managing HP Fortify projects and versions, including creating projects and copying issues between versions via API.
Checks HP Fortify for projects and project versions. If the project doesn't exist, the task can create the project and an initial version. If the project version doesn't exist, the task can create the version and can also copy issues/suppressions from previous versions.
This tool is used by security teams and DevOps engineers to automate the management of HP Fortify projects and their versions, ensuring that projects and versions exist before scans are run. It simplifies maintaining project versions by enabling creation of new projects or versions and copying issues or suppressions from previous versions, streamlining vulnerability tracking and reporting.
Only Security Leads can create API keys in Fortify on Demand; ensure you securely store API secrets as they are shown only once. The tool requires exact matching of project names and versions to function correctly. It is recommended to integrate this task within CI/CD pipelines for automated Fortify project/version management.
Obtain an API key or personal access token from Fortify on Demand as per instructions in the README
Configure the Fortify Base URL to point to your Fortify instance (e.g., https://fortify/ssc)
Set up the required parameters such as API key, project name, and application version
Integrate or run the task/script in your CI/CD pipeline or automation environment
Fortify Base URL (e.g., https://fortify/ssc): defines the Fortify server endpoint to connect to.
HP Fortify API Key or Personal Access Token: authenticates the task to interact with Fortify APIs.
Allow New Projects (true/false): enables or disables creation of new projects if not found.
Allow New Project Versions (true/false): enables or disables creation of new project versions if not found.
Project Name: the exact project name to check or create in Fortify.
Application Version (e.g., 1.0.0): the target version to check or create.
Version to Copy: version from which to copy issues/suppressions; defaults to latest if not found.
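The decision flow that the description and settings above imply, written out as an added example (not the task's own code, and it makes no Fortify API calls). The `plan` function, the inventory layout (versions listed oldest first) and the near-match guard against case or whitespace slips in the project name are assumptions made for illustration.

```python
# Constructed sample inventory standing in for what the server would report:
# project name -> existing versions, oldest first (assumed ordering).
INVENTORY = {
    "payments-api": ["1.0.0", "1.1.0", "1.2.0"],
    "Web-Portal": ["2.0.0"],
}

def plan(inventory, project, version, copy_from=None,
         allow_new_projects=False, allow_new_versions=False):
    """Return (actions, errors) for one pipeline run without changing anything."""
    actions, errors = [], []
    if project not in inventory:  # names must match exactly
        key = project.strip().lower()
        near = [p for p in inventory if p.strip().lower() == key]
        if near:
            # Added guard (assumption): a name differing only by case or
            # whitespace is more likely a typo than a genuinely new project.
            errors.append(f"{project!r} not found; did you mean {near[0]!r}?")
        elif not allow_new_projects:
            errors.append(f"{project!r} not found and Allow New Projects is false")
        else:
            # A new project is created together with its initial version.
            actions.append(("create_project", project))
            actions.append(("create_version", project, version))
        return actions, errors
    versions = inventory[project]
    if version in versions:
        return actions, errors  # project and version both exist: nothing to do
    if not allow_new_versions:
        errors.append(f"{project!r} {version!r} not found and "
                      "Allow New Project Versions is false")
        return actions, errors
    actions.append(("create_version", project, version))
    if versions:
        # Version to Copy falls back to the latest version when not found.
        source = copy_from if copy_from in versions else versions[-1]
        actions.append(("copy_issues", project, source, version))
    return actions, errors

if __name__ == "__main__":
    for args in [("payments-api", "1.3.0", "1.1.0"),
                 ("payments-api", "1.3.0", "9.9.9"),
                 ("web-portal", "2.1.0", None)]:
        print(args, plan(INVENTORY, *args, allow_new_projects=True,
                         allow_new_versions=True))
```

Running a dry plan like this before the real task makes a mistyped project name or a disabled creation flag show up as an error instead of as a duplicate project or a scan with nowhere to upload.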