How to set the Fortify Scan Policy

Question

How do I set the Fortify Scan Policy? Which Scan Policy should I use?

Answer

Starting with Fortify v23.1.0, scans use a "scan policy" to select which rules are applied during the scan. OIS Software Assurance requires that scans use the classic scan policy, which includes the full set of rules.

The classic scan policy is not Fortify's default, so the scan policy must be set explicitly on every scan submitted for review.

The scan policy is set as part of the scan command by adding either the -scan-policy or -sc option to the scan command line, followed by the name of the policy to use.

For example:

sourceanalyzer -b <buildid> -scan -scan-policy classic <other scan command options>

or

sourceanalyzer -b <buildid> -scan -sc classic <other scan command options>

If scanning using Audit Workbench or an IDE plugin, see this technical note for guidance on how to add command-line arguments.

Alternatively, the scan policy may be set with the com.fortify.sca.ScanPolicy property (for example, in fortify-sca.properties):

com.fortify.sca.ScanPolicy=classic
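As an added example (this is not code from the original article or from Fortify), the following POSIX shell functions pin the classic policy on the scan step and let a submitter check, before scanning, which policy a command line or a fortify-sca.properties file would actually select. The build ID myapp, the function names, and the properties file path are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: a wrapper that pins the
# classic scan policy on the sourceanalyzer scan step, plus two checks a
# submitter can run first. "myapp" and the properties path are placeholders.

# Print the scan policy requested on a sourceanalyzer command line via
# -scan-policy or -sc, or "default" if neither option is present.
scan_policy_from_args() {
  policy="default"
  while [ $# -gt 0 ]; do
    case "$1" in
      -scan-policy|-sc)
        if [ $# -ge 2 ]; then
          policy="$2"
          shift
        fi
        ;;
    esac
    shift
  done
  printf '%s\n' "$policy"
}

# Print the value of com.fortify.sca.ScanPolicy from a fortify-sca.properties
# file, or "unset" if it is not assigned. As in Java properties files, the last
# assignment wins and lines starting with '#' are comments.
properties_scan_policy() {
  value=$(grep -E '^[[:space:]]*com\.fortify\.sca\.ScanPolicy[[:space:]]*=' "$1" \
          | tail -n 1 | sed 's/^[^=]*=//' | tr -d ' \t\r')
  printf '%s\n' "${value:-unset}"
}

# Run the scan step with the classic policy pinned. Any -scan-policy/-sc passed
# by the caller is rejected so the effective policy is never ambiguous.
# Usage: run_classic_scan <buildid> [other scan options...]
run_classic_scan() {
  build_id="$1"
  shift
  if [ "$(scan_policy_from_args "$@")" != "default" ]; then
    echo "run_classic_scan: do not pass -scan-policy/-sc; classic is pinned here" >&2
    return 2
  fi
  sourceanalyzer -b "$build_id" -scan -scan-policy classic "$@"
}

# Example usage (uncomment on a machine with Fortify SCA installed):
# run_classic_scan myapp -f myapp.fpr
# properties_scan_policy /path/to/fortify-sca.properties
```

Call run_classic_scan in place of the raw scan command so the policy cannot be dropped when the scan line is copied between pipelines; run properties_scan_policy against the properties file in use to confirm that nothing there selects a different policy. The property can also be given on the sourceanalyzer command line as a -D override (-Dcom.fortify.sca.ScanPolicy=classic), which the wrapper's argument check does not inspect.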

References