DevSecOps | VA Software Assurance

Skip to main content

VA Software Assurance

Home
Fortify
CodeQL
- CodeQL Usage
- CodeQL Errors
Snyk
- Snyk Usage
- Snyk Errors
Threat Modeling

This site uses Just the Docs, a documentation theme for Jekyll.

Fortify
DevSecOps

These technical notes provide information on applying Fortify concerns in DevSecOps environments:

Table of contents

How are Fortify scans different than code review
How to address container manager password management findings
How to capture Fortify logs in a CI server
How to configure Fortify build failure criteria on a CI server
How to configure Fortify Speed Dial for use at the VA
How to know if a database in a container environment should be trusted
How to know if a Redis in-memory data store should be trusted
How to know if container configuration data should be trusted
How to know if container environment variables can be trusted
How to know if it is safe to log sensitive information to a log aggregator
How to manage Fortify artifacts in a CI server
How to run Fortify Static Code Analyzer in a container
How to scan Infrastructure as Code (IaC) files
How to submit a code review that uses custom rules
How to submit a code review that uses a filter file
How to write a Fortify custom rule

GitHub at VA (part of VA OIT)
All content is available under Creative Commons Zero v1.0 Universal, except where otherwise stated.