How to scan Apex code

Question

How do I scan Apex code using Fortify?

Answer

To scan your Salesforce application, you must first download your Salesforce app to your local computer using the Ant Migration Tool available on the Salesforce website. Ensure that all the .cls, .page, .trigger, .object, and .component files have been downloaded.

Next, scan the application from the command line. This follows the three phases of a Fortify scan: clean, translate, and analyze.

Clean:

sourceanalyzer -b <buildid> -clean

Translate:

sourceanalyzer -b <buildid> <source code directory>

Analyze:

sourceanalyzer -b <buildid> -scan -f results.fpr

The file results.fpr will contain your scan results.
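The three phases above, wrapped in one POSIX shell script as an added example (this is not code from the original article or from Fortify). It first checks that the directory retrieved by the Ant Migration Tool actually contains the Apex and Visualforce file types listed above, so a scan is not run against an incomplete download; the build id, directory names and output file name are assumptions.

```shell
#!/bin/sh
# Added example: run a Fortify clean/translate/analyze cycle over
# Salesforce metadata retrieved with the Ant Migration Tool.
# Usage: ./scan_apex.sh <buildid> <source directory> [results.fpr]

# Count the Salesforce source files Fortify needs to see under a directory
# (.cls, .page, .trigger, .object, .component). Prints the number.
count_sf_files() {
    dir="$1"
    find "$dir" -type f \( -name '*.cls' -o -name '*.page' \
        -o -name '*.trigger' -o -name '*.object' -o -name '*.component' \) \
        | wc -l | tr -d ' '
}

# Print the three sourceanalyzer commands, one per line, for a given
# build id, source directory and output file (default results.fpr).
fortify_commands() {
    buildid="$1"; src="$2"; out="${3:-results.fpr}"
    printf '%s\n' \
        "sourceanalyzer -b $buildid -clean" \
        "sourceanalyzer -b $buildid $src" \
        "sourceanalyzer -b $buildid -scan -f $out"
}

# Run the full cycle. Fails (return 1) without invoking sourceanalyzer when
# the directory holds none of the expected file types, which usually means
# the retrieve step was incomplete.
scan_apex() {
    buildid="$1"; src="$2"; out="${3:-results.fpr}"
    n=$(count_sf_files "$src")
    if [ "$n" -eq 0 ]; then
        echo "no .cls/.page/.trigger/.object/.component files under $src" >&2
        return 1
    fi
    echo "scanning $n Salesforce source files from $src (build id $buildid)"
    # Each phase only runs if the previous one succeeded.
    sourceanalyzer -b "$buildid" -clean &&
    sourceanalyzer -b "$buildid" "$src" &&
    sourceanalyzer -b "$buildid" -scan -f "$out"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    scan_apex "$@"
fi
```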

References