fortify-scdast
Fortify ScanCentral DAST Skill
Fortify ScanCentral DAST (SC-DAST) integration via Model Context Protocol (MCP).
When to Use This Skill
- Run dynamic application security testing (DAST) scans
- List and monitor scan status
- Pause/resume running scans
- Discover available scan settings and policies
- Manage scan sensors and sensor pools
- View scan results in SSC using SSC skill
Available MCP Tools
Only key MCP tools for SC-DAST are listed here.
| Tool | Description | When to Use |
|---|---|---|
| fcli_sc_dast_scan_start | Start a new DAST scan | When the user wants to run/start a DAST scan |
| fcli_sc_dast_scan_list | List all scans | List scans, check scan status |
| fcli_sc_dast_scan_get | Get details of a specific scan | Get scan details by ID |
| fcli_sc_dast_scan_wait_for | Wait for a scan condition | Monitor a scan until the condition is met |
| fcli_sc_dast_scan_pause | Pause a running scan | Temporarily stop a scan |
| fcli_sc_dast_scan_resume | Resume a paused scan | Continue a paused scan |
| fcli_sc_dast_scan_settings_list | List available scan settings | Discover scan configuration options |
| fcli_sc_dast_scan_settings_get | Get scan settings details | Get specific settings by ID or CICD token |
| fcli_sc_dast_scan_policy_list | List available scan policies | Discover scan policy options |
| fcli_sc_dast_scan_policy_get | Get scan policy details | Get a specific policy by name or ID |
| fcli_sc_dast_sensor_list | List available sensors | View available scan sensors |
| fcli_sc_dast_sensor_get | Get sensor details | View specific sensor information |
| fcli_sc_dast_sensor_enable | Enable a sensor | Enable a disabled sensor |
| fcli_sc_dast_mcp_job | Background job handler | Handle pagination and background tasks |
| fcli_ssc_session_list | Check SSC session status | Verify authentication before operations |
Parameter Formats
| Parameter | Format | Example |
|---|---|---|
| --settings | CICD token or ID | "MY_SCAN_SETTINGS" or "12345" |
| --name | Scan name | "MyApp Security Scan" |
| --policy | Policy name or ID | "Standard" or "67890" |
| --overwrite-scan-mode | Boolean flag | true (mutually exclusive with --priority-scan-mode) |
| --priority-scan-mode | Boolean flag | true (mutually exclusive with --overwrite-scan-mode) |
| --login-macro | Login macro ID | "98765" (optional) |
| --server-queries | Key-value filtering | "status=Running" or "name~MyApp" |
| --until | Wait condition | "status=Complete" or "status=Failed" |
| --while | Wait condition (inverse) | "status=Running" |
| scanIds | Scan identifier(s) | Single or multiple scan IDs from list/get operations |
| query | Client-side filtering (SpEL) | "status == 'Complete' && scanVersion > 5" |
Authentication
SC-DAST authenticates through the existing SSC session; no separate SC-DAST token is required, which makes this the simplest authentication model of the Fortify products.
Session Check: Always check SSC session status before SC-DAST operations:
Tool: fcli_ssc_session_list
Parameters: { "refresh-cache": true }
If the session is expired or missing, ask the user to run this command locally in their terminal (the credentials stay on their machine; never request the password in the conversation):
fcli ssc session login --url <SSC_URL> -u <username> -p <password>
Default Session:
If the user doesn't specify a session name, inform them that the default session will be used.
Domain-Specific Guidance: Scan Workflow
SC-DAST scans follow a straightforward workflow:
Phase 1: Discovery
- List available scan settings: scan_settings_list
- List available scan policies: scan_policy_list
- Get specific settings/policy details (scan_settings_get, scan_policy_get) if needed
Phase 2: Start Scan
Start scan with required parameters:
- --settings (CICD token or ID) - REQUIRED
- --name (scan name) - REQUIRED
- --policy (policy name or ID) - optional
- --overwrite-scan-mode or --priority-scan-mode (boolean flags, mutually exclusive; set at most one) - optional
- --login-macro (login macro ID) - optional
Important: Ensure scan settings are configured to automatically publish results to SSC. This is typically configured in the scan settings by the administrator.
Phase 3: Monitor Progress
- Use scan_wait_for with --until: "status=Complete" or --while: "status=Running". Note that --while returns as soon as the status is no longer Running, which includes Failed, so check the final status before treating the scan as successful.
- Use scan_list with --server-queries: "status=Running" to check all running scans
- Unique capability: use scan_pause and scan_resume to control scan execution
Phase 4: View Results
- Once scan completes, findings automatically appear in SSC (if configured)
- View findings in SSC using SSC skill (fcli_ssc_issue_list, fcli_ssc_issue_count, etc.)
Filtering
SC-DAST supports both server-side and client-side filtering:
Server-Side Filtering (Preferred):
Use --server-queries parameter with key-value pairs:
- Single filter: "status=Running"
- Contains match: "name~MyApp"
- Multiple filters (ANDed): "status=Complete,name~Security"
Client-Side Filtering:
Use query parameter for complex filtering with SpEL (Spring Expression Language):
query: "status == 'Complete' && scanVersion > 5"
When to use each:
- Server-side (--server-queries): preferred for performance, especially with large datasets
- Client-side (query): use for complex expressions not supported by server-side filtering
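To make the --server-queries matching rules above concrete (exact match with "=", contains match with "~", comma-separated terms ANDed), here is a local reimplementation run over sample scan records. This is an added example, not code from the skill or from fcli; the sample scans are constructed, the field names mirror those used on this page, and case-sensitive contains matching is an assumption (the server's own case handling may differ). It also deliberately rejects malformed terms instead of ignoring them, since a filter that silently matched everything would return every scan on the server.

```python
"""Local reimplementation of the --server-queries matching semantics.
Added example, not part of the fcli MCP tooling; sample data is constructed."""
from __future__ import annotations
import re
from typing import Any

# Constructed sample scan records with the fields this page filters on.
SAMPLE_SCANS: list[dict[str, Any]] = [
    {"id": 101, "name": "MyApp Security Scan", "status": "Running", "scanVersion": 3},
    {"id": 102, "name": "MyApp Nightly", "status": "Complete", "scanVersion": 7},
    {"id": 103, "name": "Payments Security Baseline", "status": "Complete", "scanVersion": 2},
    {"id": 104, "name": "Legacy Portal", "status": "Failed", "scanVersion": 9},
]

# One term: a field name, then '=' (exact) or '~' (contains), then the value.
_TERM = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.]*)\s*([=~])\s*(.*?)\s*$")


def parse_server_queries(spec: str) -> list[tuple[str, str, str]]:
    """Split 'status=Complete,name~Security' into (field, op, value) triples.
    Malformed terms raise rather than being dropped: dropping a term would
    widen the filter and hand back records the caller did not ask for."""
    terms: list[tuple[str, str, str]] = []
    for raw in spec.split(","):
        if not raw.strip():
            continue
        m = _TERM.match(raw)
        if not m or not m.group(3):
            raise ValueError(f"malformed --server-queries term: {raw!r}")
        terms.append((m.group(1), m.group(2), m.group(3)))
    if not terms:
        raise ValueError("empty --server-queries")
    return terms


def is_valid_server_query(spec: str) -> bool:
    try:
        parse_server_queries(spec)
        return True
    except ValueError:
        return False


def matches(record: dict[str, Any], terms: list[tuple[str, str, str]]) -> bool:
    """All terms must hold (comma means AND); a missing field never matches."""
    for field, op, value in terms:
        if field not in record:
            return False
        actual = str(record[field])
        if op == "=" and actual != value:
            return False
        if op == "~" and value not in actual:  # assumption: case-sensitive contains
            return False
    return True


def apply_server_queries(records: list[dict[str, Any]], spec: str) -> list[dict[str, Any]]:
    terms = parse_server_queries(spec)
    return [r for r in records if matches(r, terms)]


def running_scan_ids(records: list[dict[str, Any]]) -> list[int]:
    """Equivalent of scan_list with --server-queries "status=Running"."""
    return [r["id"] for r in apply_server_queries(records, "status=Running")]


if __name__ == "__main__":
    for spec in ("status=Running", "name~MyApp", "status=Complete,name~Security"):
        print(spec, "->", [r["id"] for r in apply_server_queries(SAMPLE_SCANS, spec)])
```

The SpEL client-side form ("status == 'Complete' && scanVersion > 5") is evaluated by fcli itself and is not reimplemented here; the point of the local version is only to show which records each server-side spelling selects and that a malformed spec is refused rather than widened.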
Pagination
SC-DAST uses job_token-based pagination (same pattern as SSC):
When pagination.totalRecords is null:
- Call fcli_sc_dast_mcp_job with Parameters: { "operation": "wait", "job_token": "<job_token from previous response>" }
- After the job completes, retry the original list call to get the results.
Example Flow:
1. Call scan_list → Response has totalRecords: null, job_token: "abc123..."
2. Call mcp_job with operation: "wait", job_token: "abc123..."
3. Retry scan_list → Response now has full results with totalRecords populated
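The following script ties together the scan workflow (session check, settings/policy discovery, scan start, wait-for from Phases 1 to 3 above) with the job_token pagination retry just described. It is an added example, not the skill's own code: FakeMcpClient is a constructed stand-in for an MCP session that records each tool call and defers the first call to every list tool behind a job_token, exactly the totalRecords: null case. The tool names, the totalRecords and job_token fields and the refresh-cache parameter come from this page; the response shapes (data, pagination), the cicdToken and expired field names and the timeout parameter of wait-for are assumptions.

```python
"""Scan workflow orchestration with job_token pagination handling.
Added example, not the skill's own code; FakeMcpClient and its responses are
constructed, and field names other than totalRecords/job_token are assumptions."""
from __future__ import annotations
from typing import Any

# Constructed server-side inventories returned by the list tools.
LIST_DATA: dict[str, list[dict[str, Any]]] = {
    "fcli_sc_dast_scan_settings_list": [
        {"id": 12345, "cicdToken": "MY_SCAN_SETTINGS", "name": "MyApp settings"}],
    "fcli_sc_dast_scan_policy_list": [
        {"id": 67890, "name": "Standard"}, {"id": 67891, "name": "Critical"}],
}


class FakeMcpClient:
    """Records every tool call; the first call to each list tool is deferred
    behind a job_token (totalRecords: null) until mcp_job wait is called."""

    def __init__(self, session_expired: bool = False) -> None:
        self.calls: list[tuple[str, dict[str, Any]]] = []
        self.session_expired = session_expired
        self._done_jobs: set[str] = set()

    def call(self, tool: str, params: dict[str, Any]) -> dict[str, Any]:
        self.calls.append((tool, dict(params)))
        if tool == "fcli_ssc_session_list":
            return {"data": [{"name": "default", "expired": self.session_expired}]}
        if tool in LIST_DATA:
            token = f"job-{tool}"
            if token not in self._done_jobs:
                return {"data": [], "pagination": {"totalRecords": None}, "job_token": token}
            rows = LIST_DATA[tool]
            return {"data": rows, "pagination": {"totalRecords": len(rows)}}
        if tool == "fcli_sc_dast_mcp_job":
            if params.get("operation") != "wait":
                raise ValueError("only operation=wait is simulated")
            self._done_jobs.add(params["job_token"])
            return {"status": "completed"}
        if tool == "fcli_sc_dast_scan_start":
            return {"data": {"id": 555, "name": params["name"], "status": "Pending"}}
        if tool == "fcli_sc_dast_scan_wait_for":
            return {"data": [{"id": params["scanIds"], "status": "Complete"}]}
        raise KeyError(f"unsimulated tool {tool}")


def call_paginated(client: Any, tool: str, params: dict[str, Any], max_retries: int = 3) -> list[dict[str, Any]]:
    """List call implementing the job_token pattern: while totalRecords is
    null, wait on the job via fcli_sc_dast_mcp_job and retry the same call."""
    for _ in range(max_retries):
        resp = client.call(tool, params)
        if resp.get("pagination", {}).get("totalRecords") is not None:
            return resp["data"]
        token = resp.get("job_token")
        if not token:
            raise RuntimeError(f"{tool}: neither totalRecords nor job_token in response")
        client.call("fcli_sc_dast_mcp_job", {"operation": "wait", "job_token": token})
    raise RuntimeError(f"{tool}: results still pending after {max_retries} attempts")


def ensure_session(client: Any) -> None:
    """Refuse to proceed without a live SSC session; the login itself is done
    by the user locally, credentials are never handled here."""
    sessions = client.call("fcli_ssc_session_list", {"refresh-cache": True})["data"]
    if not any(not s.get("expired", True) for s in sessions):
        raise PermissionError("no active SSC session: run 'fcli ssc session login "
                              "--url <SSC_URL> -u <username> -p <password>' locally")


def resolve(rows: list[dict[str, Any]], key_fields: tuple[str, ...], wanted: str, what: str) -> dict[str, Any]:
    """Match on any key field (CICD token or ID for settings, name or ID for policies)."""
    for r in rows:
        if any(str(r.get(k)) == str(wanted) for k in key_fields):
            return r
    raise LookupError(f"{what} {wanted!r} not found; available: {[r.get(key_fields[0]) for r in rows]}")


def run_dast_scan(client: Any, settings: str, name: str, policy: str | None = None,
                  scan_mode: str | None = None, login_macro: str | None = None) -> dict[str, Any]:
    """Phases 1 to 3: verify everything exists before starting, then wait (no manual polling)."""
    ensure_session(client)
    s = resolve(call_paginated(client, "fcli_sc_dast_scan_settings_list", {}),
                ("cicdToken", "id"), settings, "scan settings")
    params: dict[str, Any] = {"settings": settings, "name": name}
    policy_id = None
    if policy is not None:
        policy_id = resolve(call_paginated(client, "fcli_sc_dast_scan_policy_list", {}),
                            ("name", "id"), policy, "scan policy")["id"]
        params["policy"] = policy
    if scan_mode is not None:  # the two modes are mutually exclusive: at most one flag is ever set
        if scan_mode not in ("overwrite", "priority"):
            raise ValueError("scan_mode must be 'overwrite' or 'priority'")
        params[f"{scan_mode}-scan-mode"] = True
    if login_macro is not None:
        params["login-macro"] = login_macro
    scan = client.call("fcli_sc_dast_scan_start", params)["data"]
    done = client.call("fcli_sc_dast_scan_wait_for",  # "timeout" is an assumed parameter name
                       {"scanIds": scan["id"], "until": "status=Complete", "timeout": "2h"})["data"][0]
    return {"scanId": scan["id"], "settingsId": s["id"], "policyId": policy_id,
            "status": done["status"], "startParams": params}
```

Against a real MCP session the client object would forward call(tool, params) to the server; the orchestration logic (session gate, discovery before start, single scan-mode flag, job_token retry with a bounded number of attempts) is what carries over unchanged.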
Error Recovery
| Error | Recovery |
|---|---|
| "Session expired" | Ask user to run fcli ssc session login locally |
| "Scan settings not found" | Use scan_settings_list to discover available settings |
| "Policy not found" | Use scan_policy_list to discover available policies |
| "Scan cannot be completed" | Check scan status - may still be running or failed |
| "No sensors available" | Use sensor_list to check available sensors |
| "Import failed" | Ensure scan was completed and published first |
| Pagination totalRecords: null | Use mcp_job with operation: "wait" and job_token, then retry the list call |
Decision Tree: Choosing the Right Approach
| User Intent | Action |
|---|---|
| "Run a DAST scan" | Discovery workflow: scan_settings_list → scan_policy_list → scan_start → scan_wait_for → view results in SSC |
| "List scans" / "Show my scans" | scan_list with optional --server-queries filtering |
| "Check scan status" | scan_get with scan ID OR scan_list with --server-queries: "name~<scan-name>" |
| "Pause a scan" | scan_pause with scan ID |
| "Resume a scan" | scan_resume with scan ID |
| "View scan results" | Use SSC skill: fcli_ssc_issue_list or fcli_ssc_issue_count |
| "Find scan settings" | scan_settings_list optionally with server-queries |
| "Check sensors" | sensor_list to view available sensors |
Best Practices
DO:
- ✅ Always check SSC session status before SC-DAST operations
- ✅ Use discovery workflow (list settings/policies) before starting scans
- ✅ Use server-side filtering (--server-queries) for performance
- ✅ Ensure scan settings are configured to auto-publish to SSC
- ✅ Use scan_wait_for with appropriate timeouts for long-running scans (typically 30 min to 2 hrs)
- ✅ Leverage the pause/resume capability for scan management
- ✅ Use CICD token for scan settings in automation scenarios
- ✅ Handle pagination with job_token pattern when totalRecords is null
- ✅ View results in SSC using SSC skill after scan completes
DO NOT:
- ❌ Start scans without verifying settings/policy existence
- ❌ Use client-side filtering for large datasets (prefer --server-queries)
- ❌ Poll scan status manually - use scan_wait_for instead
- ❌ Forget to verify that scan settings are configured to publish to SSC
- ❌ Ignore pagination when totalRecords is null
References
Example Workflows
| Workflow | Use When User Says... |
|---|---|
| Run DAST Scan | "run scan", "start DAST scan", "web scan", "scan my application", "dynamic scan" |
| List and Monitor Scans | "list scans", "monitor progress", "check status", "pause scan", "resume scan" |
| Discover Scan Settings and Policies | "scan settings", "scan policy", "configuration", "CICD token", "available settings" |