fortify-ssc
Fortify Software Security Center (SSC) Skill
Fortify Software Security Center (SSC) integration via Model Context Protocol (MCP).
When to Use This Skill
- List applications and application versions
- List security issues/vulnerabilities with filtering by severity, category, etc.
- Count issues grouped by severity, category, etc.
Available MCP Tools
Only key MCP tools for SSC are listed here.
| Tool | Description | When to Use |
|---|---|---|
| fcli_ssc_session_list | List authentication sessions | Check authentication status |
| fcli_ssc_app_list | List applications | Discover available applications |
| fcli_ssc_app_get | Get details of a specific application | Retrieve detailed information about an application |
| fcli_ssc_appversion_list | List application versions | Discover available application versions |
| fcli_ssc_appversion_get | Get details of a specific application version | Retrieve detailed information about an application version |
| fcli_ssc_issue_list | List issues | Retrieve a list of security issues/vulnerabilities |
| fcli_ssc_issue_list_filters | Discover available filtering options for issues | Look for most appropriate filter to use |
| fcli_ssc_issue_list_groups | Discover available grouping options for issues | Look for most appropriate group to use |
| fcli_ssc_issue_count | Group and count issues | Count issues grouped by severity, category, etc. Always include --by parameter |
| fcli_ssc_mcp_job | Wait for background jobs to complete | When pagination.jobToken is present in responses |
Parameter Formats
Common formats and examples for key parameters:
| Parameter | Format | Example |
|---|---|---|
| appVersionNameOrId or --appversion | "<App>:<Version>" - case-sensitive, colon-separated | "MyApp:MyRelease" |
| --filter | "<FilterType>:<Value>" - preferred server-side filtering; discover via issue_list_filters first | "Folder:Critical" |
| --filterset | Filter set title or ID - predefined SSC filter combinations (e.g., "Security Auditor View", "Quick View"); distinct from --filter | "Security Auditor View" |
| --embed | Comma-separated values to include additional data (see reference files for specific options) | "details,auditHistory" |
| --by | Group name from issue_list_groups - always include when using issue_count | "Folder", "Category" |
Authentication
All operations require authentication. Always verify session before any operation:
fcli_ssc_session_list with refresh-cache=true
- If Expired=No → proceed
- If expired → ask user to run locally: fcli ssc session login --url "<URL>" -u "<user>" -p '<pass>'
- When running any SSC tool, if authentication error occurs, prompt user to re-authenticate locally.
Note: Reference workflows assume authentication has been verified.
Filtering: Prefer --filter; query Optional
- Prefer --filter for server-side filtering (fastest, smallest payloads)
- Optionally use query as a client-side post-filter when you need a simple match on returned fields
- Always discover available filters with issue_list_filters before applying them
Pagination
- If pagination.hasMore = true → use pagination-offset for next page
- If pagination.jobToken present → background loading; wait with fcli_ssc_mcp_job (see Background Job Handling)
- Once pagination.totalRecords appears → all records collected
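The three pagination rules above as one collection loop. This is an added example, not code from the skill or from fcli. It assumes a hypothetical call_tool(name, args) callable, a "records" list in each response, the argument names shown, and that the next offset equals the number of records already received; the server stand-in and its data are constructed.

```python
def collect_all(call_tool, tool, args, max_pages=1000):
    """Follow pagination.hasMore / jobToken / totalRecords until complete."""
    records, offset = [], 0
    for _ in range(max_pages):  # hard stop so a bad response cannot loop forever
        resp = call_tool(tool, {**args, "pagination-offset": offset})
        records.extend(resp.get("records", []))  # "records" key is an assumption
        page = resp.get("pagination", {})
        if page.get("jobToken") and "totalRecords" not in page:
            # Background loading: wait for the job before asking for more.
            # The "job_token" argument name is an assumption.
            call_tool("fcli_ssc_mcp_job", {"job_token": page["jobToken"]})
        if not page.get("hasMore"):
            total = page.get("totalRecords")
            if total is not None and total != len(records):
                raise RuntimeError(f"expected {total} records, got {len(records)}")
            return records, total
        offset = len(records)  # assumption: offset = records received so far
    raise RuntimeError("page limit reached before pagination finished")


def make_fake_ssc(total=5, page_size=2):
    """Constructed stand-in for the MCP server; not real SSC output."""
    state = {"job_done": False, "calls": []}

    def call_tool(name, args):
        state["calls"].append(name)
        if name == "fcli_ssc_mcp_job":
            state["job_done"] = True
            return {"status": "done"}
        off = args.get("pagination-offset", 0)
        rows = [{"id": i} for i in range(off, min(off + page_size, total))]
        page = {"hasMore": off + page_size < total}
        if state["job_done"]:
            page["totalRecords"] = total  # known only after the job finishes
        else:
            page["jobToken"] = "job-1"  # constructed token
        return {"records": rows, "pagination": page}

    return call_tool, state


if __name__ == "__main__":
    fake, seen = make_fake_ssc()
    query = {"appversion": "MyApp:MyRelease", "filter": "Folder:Critical"}
    issues, total = collect_all(fake, "fcli_ssc_issue_list", query)
    print(len(issues), total, seen["calls"])
```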
Error Recovery
| Error | Recovery |
|---|---|
| "Session expired" | Refer to flow in Authentication section |
| "Application version not found" | Run app_list to discover correct names |
| "Unknown filter" | Run issue_list_filters to discover valid filters |
Decision Tree: Choosing the Right Approach
| User Intent | Action |
|---|---|
| "list/show vulnerabilities" | issue_list with --filter + --embed details |
| "how many / count / summary" | issue_count with --by |
| "find app / which version" | app_list → appversion_list |
Best Practices
DO:
- ✅ Use --filter for filtering
- ✅ Prioritize server-side filtering over client-side
- ✅ Prefer the MCP tools over calling the FCLI CLI directly
Do NOT:
- ❌ Guess application/version names - ask the user
- ❌ Prompt user for credentials - ask user to run fcli ssc session login locally
- ❌ Assume filter names exist - always run issue_list_filters first
- ❌ Make multiple API calls for details - use --embed parameter instead
References
Example Workflows
| Workflow | Use When User Says... |
|---|---|
| List and find Applications Versions | "list applications", "show application versions", "what applications are available" |
| List, Filter and Query Issues | "list vulnerabilities", "show security issues", "filter issues by severity", "include suppressed issues" |
| Summarise and Count Issues | "count issues", "show summary", "breakdown by severity" |
| Provide Recommendations | "show recommendations", "provide remediation advice", "how to fix" |
| Background Job Handling | When pagination.jobToken appears in responses, background data loading |