How are Fortify scans different than code review

Question

How is using Fortify different than the code reviews we already do?

Answer

Manual code review is usually done after the code has been written and the automated tests have run and passed, but before the code is merged upstream. It checks for obvious logic errors, confirms that the requirements are implemented, that the new automated tests are sufficient for the new code, that project style guidelines are being followed, and so on. This is not the same as scanning the code using Fortify.

  • To fulfill the DevSecOps promise of repeatable, efficient integration of security into all aspects of DevOps, static security testing must be integrated into the CI/CD pipeline.
  • Integrating Fortify into the CI/CD pipeline treats security as a functional requirement on par with other testing, such as unit and integration testing.
  • Fortify scans the entire application, so it can detect how changes affect the security of the application as a whole. Manual code review generally looks only at the local effects of the changes.
  • Fortify applies a very broad set of security knowledge to the security testing, while manual review applies a narrower set of security knowledge, though with more application-specific knowledge.

Scanning source code using OIS-licensed Fortify SCA is required at VA during development and maintenance of custom-developed applications, as per the OIS Authorization Requirements SOP. Scanning source code using Fortify is generally performed in addition to, not instead of, manual reviews as described above. Fortify scans specifically for potential security issues in source code.

Fortify SCA (or Fortify in a Scan Central configuration) scans are generally integrated into CI/CD pipeline stages. The scans are performed according to pipeline configuration and can be configured to provide build failure information. Fortify scans are typically configured to scan the entire codebase each time they are performed.
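As an added example (not from this page, VA, or Fortify's own documentation), one way to script the pipeline stage described above as a POSIX shell step: a full-codebase translate and scan followed by a gate that fails the build on findings. The build id, source glob, output path, gate thresholds and the FPRUtility output format are assumptions.

```shell
#!/bin/sh
# Added example (not VA or Fortify code): one CI/CD pipeline stage that
# scans the whole codebase with Fortify SCA and fails the build on findings.
# Assumptions: the build id, source glob, output path and gate thresholds
# are placeholders; FPRUtility -listIssues is assumed to print one issue per line.
set -eu

BUILD_ID="${FORTIFY_BUILD_ID:-myapp}"     # assumed build id
FPR_OUT="${FORTIFY_FPR:-results.fpr}"     # assumed results path

# Translate and scan the entire codebase, not just the changed files.
fortify_scan() {
  sourceanalyzer -b "$BUILD_ID" -clean                  # drop old translation
  sourceanalyzer -b "$BUILD_ID" "src/**/*.java"         # assumed source layout
  sourceanalyzer -b "$BUILD_ID" -scan -f "$FPR_OUT"     # full analysis
}

# Number of issues at one Fortify priority (critical, high, medium, low).
# Assumption: -listIssues prints one line per matching issue; adjust the
# parsing to the output of your FPRUtility version.
count_priority() {
  FPRUtility -information -project "$FPR_OUT" \
    -search -query "[fortify priority order]:$1" -listIssues | wc -l | tr -d ' '
}

# Gate: exit status 0 lets the merge proceed, 1 fails the build.
# Policy (assumed): no critical issues; at most $3 high issues (default 0).
fortify_gate() {
  critical="$1"; high="$2"; max_high="${3:-0}"
  if [ "$critical" -gt 0 ]; then
    echo "FAIL: $critical critical issue(s) in $FPR_OUT" >&2
    return 1
  fi
  if [ "$high" -gt "$max_high" ]; then
    echo "FAIL: $high high issue(s) exceeds limit $max_high" >&2
    return 1
  fi
  echo "PASS: $critical critical, $high high (limit $max_high)"
  return 0
}

# Only run the scan when invoked as a pipeline step: `sh fortify_stage.sh run`
if [ "${1:-}" = "run" ]; then
  fortify_scan
  fortify_gate "$(count_priority critical)" "$(count_priority high)" "${MAX_HIGH:-0}"
fi
```

The gate's non-zero exit status is what the pipeline uses to mark the stage failed, which is the "build failure information" a Fortify stage is configured to provide.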