fortify-fod
Fortify on Demand (FoD) Skill
Fortify on Demand (FoD) integration via Model Context Protocol (MCP).
When to Use This Skill
- List applications and releases
- Run security scans (SAST, SCA, DAST, MAST)
- List security issues/vulnerabilities with filtering by severity, category, etc.
- Count issues grouped by severity, category, etc.
- Manage scan configurations and monitor scan progress
- Generate and download security reports
Parameter Formats
Common formats and examples for key parameters:
| Parameter | Format | Example |
|---|---|---|
| `--release` | `"<App>[:<MicroService>]:<Release>"` - case-sensitive, colon-separated (for `*_list`, `*_scan_setup`, `*_scan_start`, `*_scan_get_config` tools) | `"MyApp:MyRelease"` or `"MyApp:MyService:MyRelease"` |
| `qualifiedReleaseNameOrId` | `"<App>[:<MicroService>]:<Release>"` - positional param, case-sensitive, colon-separated (for `release_get` tool) | `"MyApp:MyRelease"` or `"MyApp:MyService:MyRelease"` |
| `appNameOrId` | Application name or ID - positional param, camelCase (for `app_get` tool) | `"MyApp"` or `"5011"` |
| `releaseQualifiedScanOrId` | Scan ID or qualified scan ID (for `*_scan_get` tools) - always use the scan ID returned from `*_scan_start` or from `*_scan_list` | `"12345"` or `"MyApp:MyRelease:12345"` |
| `--include` | Control which issue statuses to include. By default, only visible issues are returned. Comma-separated values: `visible`, `fixed`, `suppressed` | `"visible,fixed"` or `"suppressed"` |
| `--embed` | Comma-separated values to include additional data. Valid values: `allData`, `summary`, `details`, `recommendations`, `history`, `requestResponse`, `headers`, `parameters`, `traces` | `"details,recommendations,history"` |
| `file` | Path to packaged zip or report output | `"package.zip"`, `"report.pdf"` |
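A small parser for the qualified-name formats in the table above (the `--release` / `qualifiedReleaseNameOrId` form and the bare or qualified scan ID form), added here as an example rather than code from the skill or from fcli; the `QualifiedRelease` type and both function names are this example's own assumptions:

```python
import re
from dataclasses import dataclass
from typing import Optional

# QualifiedRelease and the function names are this example's own assumptions;
# the "<App>[:<MicroService>]:<Release>" format comes from the parameter table.
@dataclass(frozen=True)
class QualifiedRelease:
    app: str
    release: str
    microservice: Optional[str] = None

    def __str__(self) -> str:
        parts = [self.app] + ([self.microservice] if self.microservice else []) + [self.release]
        return ":".join(parts)

def parse_qualified_release(value: str) -> QualifiedRelease:
    """Split "<App>[:<MicroService>]:<Release>" into its case-sensitive parts.
    Two parts mean app:release, three mean app:microservice:release; anything
    else is rejected rather than guessed (discover names with release_list)."""
    parts = value.split(":")
    if any(not p for p in parts):
        raise ValueError(f"empty component in qualified release name: {value!r}")
    if len(parts) == 2:
        return QualifiedRelease(app=parts[0], release=parts[1])
    if len(parts) == 3:
        return QualifiedRelease(app=parts[0], microservice=parts[1], release=parts[2])
    raise ValueError(f"expected 2 or 3 colon-separated parts, got {len(parts)}: {value!r}")

def parse_scan_ref(value: str) -> tuple:
    """Accept a bare scan ID ("12345") or a qualified one ("MyApp:MyRelease:12345").
    Returns (QualifiedRelease or None, scan_id); the ID must be the numeric value
    returned by *_scan_start or *_scan_list, never a guessed one."""
    if re.fullmatch(r"\d+", value):
        return None, int(value)
    head, sep, tail = value.rpartition(":")
    if not sep or not re.fullmatch(r"\d+", tail):
        raise ValueError(f"scan reference must end in a numeric scan ID: {value!r}")
    return parse_qualified_release(head), int(tail)
```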
Authentication
All operations require authentication. Always verify session before any operation:
`fcli_fod_session_list refresh-cache=true`
- If `Expired=No` → proceed
- If expired → ask user to run locally: `fcli fod session login --url <URL> --client-id <id> --client-secret <secret>`
- When running any FoD tool, if authentication error occurs, prompt user to re-authenticate locally.
Note: Reference workflows assume authentication has been verified.
Domain-Specific Guidance
Scan Workflows: Always Check Settings First
Before starting any scan, follow this sequence:
- Check existing scan configuration using the `*_scan_get_config` command
- If not configured → always ask user for required settings (language, build tool, framework, etc.)
- Never infer settings from workspace - build tools, language versions, and frameworks must be user-confirmed
- Package source code (SAST/SCA only) using `fcli_fod_action_package`
- Upload and start scan using the appropriate `*_scan_start` command
- Monitor progress using `*_scan_wait_for` or periodic `*_scan_get` calls
Packaging Requirements
- SAST scans: Package source code with `fcli_fod_action_package`
- SCA/OSS scans: Package source code with `fcli_fod_action_package` (same as SAST)
- DAST scans: No packaging needed - scans live running application
- MAST scans: Upload mobile app binary (APK/IPA file)
- Note: To enable Open Source Analysis in a SAST scan, use the `--oss` flag in `fcli_fod_sast_scan_setup`
Filtering: Use query for Client-Side, --include for Status
- Use `query` for client-side filtering by valid fields: `category`, `foundInReleases`, `instanceId`, `location`, `severity`, `visibilityMarker`
- Use `--include` to control issue status visibility: `visible` (default), `fixed`, `suppressed`
- `--filters-param` does NOT exist — do not use it; it will fail
- Common examples: `query {"severity": "Critical"}`, `query {"category": "SQL Injection"}`, `--include "suppressed"`
Pagination
- If `pagination.hasMore` = true → use `pagination-offset` for next page
- Continue until `pagination.hasMore` = false or `pagination.totalRecords` reached
Error Recovery
| Error | Recovery |
|---|---|
| "Session expired" | Refer to flow in Authentication section |
| "Release not found" | Run release_list to discover correct names (see Finding Releases) |
| "Scan not configured" | Ask user for scan settings and run *_scan_setup |
| "Package required" | Run fcli_fod_action_package to package source code |
Decision Tree: Choosing the Right Approach
| User Intent | Action |
|---|---|
| "run SAST scan" / "static analysis" | Check config → ask settings → package → sast_scan_start (see SAST Workflow) |
| "run SCA scan" / "open source scan" | Package → oss_scan_start (see SCA Workflow) |
| "run DAST scan" / "dynamic scan" | DAST Automated only — setup-website/api/workflow only support automated DAST types; manually-conducted Dynamic Assessments cannot be configured via MCP. Check config → ask settings → dast_scan_start (see DAST Workflow) |
| "list/show vulnerabilities" | issue_list with query {"severity": "Critical"} + --embed details,recommendations — see List and Filter Vulnerabilities |
| "how many / count / summary" | issue_list and aggregate results client-side — see Vulnerability Summary |
| "find release / which release" | release_list → release_get (see Finding Releases) |
| "show recommendations / how to fix" | issue_list with --embed recommendations,history → prioritize Aviator (see Remediation) |
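The pagination loop, the client-side `query` filter and the "how many / summary" aggregation described under Filtering, Pagination and the decision tree above, combined into one added example (not the skill's or fcli's own code). `fake_issue_list` and its response shape (`items` plus a `pagination` object carrying `hasMore` and `totalRecords`) are constructed stand-ins for the real `issue_list` tool, and the sample issues are made up:

```python
from collections import Counter
from typing import Callable

# Fields the guide lists as valid for client-side `query` filtering.
VALID_QUERY_FIELDS = {"category", "foundInReleases", "instanceId",
                      "location", "severity", "visibilityMarker"}

# Constructed sample issues; the response shape (items + pagination) is an
# assumption standing in for the real issue_list tool output.
_SAMPLE_ISSUES = [
    {"instanceId": "A1", "severity": "Critical", "category": "SQL Injection"},
    {"instanceId": "A2", "severity": "High", "category": "Cross-Site Scripting"},
    {"instanceId": "A3", "severity": "Critical", "category": "SQL Injection"},
    {"instanceId": "A4", "severity": "Low", "category": "Poor Logging Practice"},
    {"instanceId": "A5", "severity": "Medium", "category": "Path Manipulation"},
]

def fake_issue_list(offset: int, limit: int = 2) -> dict:
    """Stand-in for the issue_list tool: one page of results from `offset`."""
    page = _SAMPLE_ISSUES[offset:offset + limit]
    return {"items": page,
            "pagination": {"hasMore": offset + limit < len(_SAMPLE_ISSUES),
                           "totalRecords": len(_SAMPLE_ISSUES)}}

def fetch_all_issues(list_page: Callable[[int], dict]) -> list:
    """Follow pagination.hasMore, advancing pagination-offset each page.
    Stops on hasMore false, totalRecords reached, or an empty page (no infinite loop)."""
    issues, offset = [], 0
    while True:
        resp = list_page(offset)
        items = resp.get("items", [])
        issues.extend(items)
        pag = resp["pagination"]
        if not items or not pag.get("hasMore") or len(issues) >= pag["totalRecords"]:
            return issues
        offset += len(items)

def apply_query(issues: list, query: dict) -> list:
    """Client-side `query` filter: exact match on valid fields only.
    Unknown keys (e.g. the non-existent --filters-param) are rejected up front."""
    bad = set(query) - VALID_QUERY_FIELDS
    if bad:
        raise ValueError(f"invalid query field(s): {sorted(bad)}")
    return [i for i in issues if all(i.get(k) == v for k, v in query.items())]

def summarize(issues: list, group_by: str = "severity") -> dict:
    """Count issues grouped client-side, for 'how many / summary' requests."""
    return dict(Counter(i.get(group_by, "Unknown") for i in issues))
```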
Best Practices
DO:
- ✅ Always verify authentication before operations
- ✅ Check scan configuration before starting SAST scans
- ✅ Always ask user for SAST scan settings (language, build tool, framework)
- ✅ Use the `--oss` flag in `sast_scan_setup` to enable Open Source Analysis in SAST scans
- ✅ Use `query` for client-side filtering (valid fields: `severity`, `category`, `location`, `instanceId`, `foundInReleases`, `visibilityMarker`)
- ✅ Use `--include "suppressed"` or `--include "fixed"` to retrieve non-default issue statuses
- ✅ Use `--embed` to include details, recommendations, and history
- ✅ Prioritize Fortify Aviator code fix suggestions in remediation
- ✅ Use MCP tools over FCLI CLI directly
- ✅ Monitor long-running scans with `*_scan_wait_for`
DO NOT:
- ❌ Guess release names - always discover with `release_list` if uncertain
- ❌ Infer SAST scan settings from workspace - always ask user
- ❌ Skip SAST scan configuration validation
- ❌ Prompt user for credentials - ask user to run `fcli fod session login` locally
- ❌ Start scans without confirming settings with user
- ❌ Package source code for DAST scans (not needed)
- ❌ Use `dast_scan_setup_*` for non-automated (manually-conducted) DAST assessments — only DAST Automated assessment types are supported
References
Example Workflows
| Workflow | Use When User Says... |
|---|---|
| Run SAST Scan | "run SAST scan", "static analysis", "scan source code", "check for code vulnerabilities" |
| Run SCA Scan | "run SCA scan", "open source scan", "check dependencies", "OSS vulnerabilities", "software composition analysis" |
| Run DAST Scan | "run DAST scan", "dynamic scan", "test running application", "web application security test" |
| List and Filter Vulnerabilities | "list vulnerabilities", "show security issues", "filter issues by severity", "critical vulnerabilities" |
| Find Release | "find release", "which release", "list releases", "search for application" |
| Vulnerability Summary | "count vulnerabilities", "show summary", "breakdown by severity", "how many issues" |
| Remediation Workflow | "show recommendations", "how to fix", "remediation advice", "Aviator suggestions", "code fixes" |
External Resources
More from crance/agent-skills-fortify
- fortify-ssc: Use this skill whenever the user wants to list and filter application security findings, discover applications and versions, and manage applications using Fortify Software Security Center (SSC). Triggers include: any mention of 'SSC', 'list vulnerabilities', 'list applications', and similar requests indicating interaction with Fortify SSC for application security tasks. OpenText Application Security is the new name for Fortify Software Security Center.
- fortify-onprem: Use this skill whenever the user wants to list and filter application security findings, run SAST or DAST scans, discover applications and versions, and manage security assessments using Fortify on-premises products: Software Security Center (SSC), ScanCentral SAST (SC-SAST), and ScanCentral DAST (SC-DAST). Triggers include: any mention of 'SSC', 'ScanCentral', 'SC-SAST', 'SC-DAST', 'list vulnerabilities', 'run SAST scan', 'run DAST scan', 'list applications', 'DAST scan', 'web scan', 'dynamic scan', and similar requests for on-premises Fortify products.
- fortify-scdast: ScanCentral DAST guide for MCP tools. Run dynamic application security testing (DAST) scans, list and filter scan results, discover scan settings and policies, and manage web application security scanning using Fortify ScanCentral DAST. Triggers include any mention of 'SC-DAST', 'ScanCentral DAST', 'DAST scan', 'web scan', 'dynamic scan', 'run DAST scan', 'list scans', and similar requests indicating interaction with SC-DAST for dynamic application security scanning.
- fortify-scsast: ScanCentral SAST guide for MCP tools. Package source code, run SAST scans on ScanCentral sensors, monitor scan progress, and retrieve results from SSC.