Overview

This guide demonstrates how to integrate OpenText Application Security (Fortify Software Security Center) Application Security Testing (AST) into your Azure DevOps pipelines using a script-based approach, leveraging the @fortify/setup npm package to bootstrap fcli. Once bootstrapped, you can execute the fcli ci action to run scans, providing a unified yet customizable experience across your AST scan workflows on Azure DevOps and other CI systems. In the future, we may provide native fcli-based Azure DevOps tasks for an even easier integration.

Quick Start Example

Minimal configuration for running OpenText Fortify AST scans in Azure DevOps.

trigger:
  branches:
    include:
      - main
pr:
  branches:
    include:
      - main

variables:
  - group: fortify  # Variable group containing SSC_URL, SSC_TOKEN, SC_SAST_TOKEN

jobs:
  - job: fortify
    pool:
      vmImage: 'ubuntu-latest'
    steps:
      - checkout: self                       # Check out source code
      - task: # ... setup build tool(s)      # Set up build tool(s) required to build your project
      - task: Bash@3 # Or PowerShell@2, using the PowerShell variant of the script below
        displayName: 'Run Fortify AST scan'
        inputs:
          targetType: 'inline'
          # Bash variant
          script: |
            # Bootstrap fcli
            npx @fortify/setup@$(FORTIFY_SETUP_VERSION) env init --tools=fcli:bootstrapped
            # Add fcli to PATH and set related environment variables for subsequent steps in current script
            source <(npx @fortify/setup@$(FORTIFY_SETUP_VERSION) env shell)
            # Alternatively, to make fcli ALSO available for subsequent tasks:
            # source <(npx @fortify/setup@$(FORTIFY_SETUP_VERSION) env ado --output-as=shell)
            # Alternatively, to make fcli ONLY available for subsequent tasks:
            # npx @fortify/setup@$(FORTIFY_SETUP_VERSION) env ado
            "${FCLI_CMD:-fcli}" action run ci  # Or any other fcli-based custom workflow
          # PowerShell variant
          # script: |
          #   # Bootstrap fcli
          #   npx @fortify/setup@$(FORTIFY_SETUP_VERSION) env init --tools=fcli:bootstrapped
          #   # Add fcli to PATH and set related environment variables for subsequent steps in current script
          #   npx @fortify/setup@$(FORTIFY_SETUP_VERSION) env pwsh | Out-String | Invoke-Expression
          #   # Alternatively, to make fcli ALSO available for subsequent tasks:
          #   # npx @fortify/setup@$(FORTIFY_SETUP_VERSION) env ado --output-as=pwsh | Out-String | Invoke-Expression
          #   # Alternatively, to make fcli ONLY available for subsequent tasks:
          #   # npx @fortify/setup@$(FORTIFY_SETUP_VERSION) env ado
          #   & "${env:FCLI_CMD:-fcli}" action run ci  # Or any other fcli-based custom workflow
        env:
          SSC_URL: $(SSC_URL)
          SSC_TOKEN: $(SSC_TOKEN)
          SC_SAST_TOKEN: $(SC_SAST_TOKEN)
          # SSC_APPVERSION: MyApp:main  # Optional: defaults to repo:branch
          FORTIFY_SETUP_VERSION: v2.1   # Or v2 for latest features, v2.1.2 for stability

Platform Notes

To keep scripts portable across Linux/macOS and Windows agents, use the command path exported by @fortify/setup:

  • Bash: ${FCLI_CMD:-fcli} action run ci

  • PowerShell: & $env:FCLI_CMD action run ci

This is particularly important for Bash tasks on Windows agents, where invoking fcli without the full executable path may fail.

Tips & Recommendations

Centralized Configuration Management

For enterprise environments with multiple repositories, consider creating pipeline templates to wrap the Fortify integration. This approach provides:

  • Version stability: Pin specific @fortify/setup and fcli versions (e.g., FCLI_BOOTSTRAP_VERSION: v3.15.0) across all pipelines

  • Consistent configuration: Centrally manage common settings like tool versions and scan parameters

  • Controlled upgrades: Test new versions centrally before rolling out to all repositories

Example template structure:

# fortify-scan-template.yml (in your organization's shared template repository)
parameters:
  - name: sscAppVersion
    displayName: 'Optional SSC application version, defaults to <repo>:<branch>'
    type: string
    default: ''
steps:
  - task: Bash@3
    displayName: 'Run Fortify AST scan'
    inputs:
      targetType: 'inline'
      script: |
        npx @fortify/setup@$(FORTIFY_SETUP_VERSION) env init --tools=fcli:bootstrapped
        source <(npx @fortify/setup@$(FORTIFY_SETUP_VERSION) env shell)
        "${FCLI_CMD:-fcli}" action run ci
    env:
      SSC_URL: $(SSC_URL)
      SSC_TOKEN: $(SSC_TOKEN)
      SC_SAST_TOKEN: $(SC_SAST_TOKEN)
      SSC_APPVERSION: $
      FCLI_BOOTSTRAP_VERSION: v3.15.0  # Centrally managed version
      FORTIFY_SETUP_VERSION: v2.1.2    # Centrally managed version

Air-Gapped Environments

For air-gapped or restricted network environments, host custom tool definitions and tool bundles in an internal SCM repository or artifact registry. Configure the integration to use these internal resources:

  • Set TOOL_DEFINITIONS to point to your internally hosted tool definitions file

  • Set FCLI_BOOTSTRAP_URL to download fcli from your internal mirror

This ensures all required tools are accessible without external internet access.

Configuration

Configuration is accomplished through environment variables set in your Azure DevOps pipeline YAML file. Secrets and variables should be configured in Azure DevOps Library or pipeline variables. The following sections document all available configuration options organized by their purpose.

Setup & Bootstrap

The script-based Azure DevOps integration leverages the @fortify/setup npm package to bootstrap fcli and supporting tools like ScanCentral Client. The environment variables in this section are provided by @fortify/setup v2.1.x (configured via FORTIFY_SETUP_VERSION=v2.1.x). If you configure a different @fortify/setup version, please refer to the @fortify/setup documentation for that version’s supported variables.

Note
 @fortify/setup is automatically configured through the FCLI_BOOTSTRAP_* environment variables documented in this section. For simplicity and to avoid pipelines from interfering with each other, it is recommended to not use the @fortify/setup bootstrap-config command in CI pipelines.
Note
 This integration requires @fortify/setup v2.1.2 or later, and fcli v3.15.0 or later.
Note
 Environment variables listed in the subsequent sections are for fcli 3.15.0; if your bootstrap settings install another fcli version, please refer to to the fcli ci action documentation for that version.

Environment Variable

Description

FCLI_BOOTSTRAP_VERSION

By default, the latest fcli v3.x.y release is used for running the fcli-provided ci workflow, allowing you to always benefit from the latest features and fixes. If you prefer stability over automatic updates, you can pin to a specific minor or patch release like v3.15 or v3.15.0 by setting this environment variable to the desired version. Likewise, you can set this variable to an fcli pre-release tag like dev_v3.x to experiment with upcoming changes provided by an fcli development version.

FCLI_BOOTSTRAP_PATH

Path to a pre-installed fcli executable. When set, fcli bootstrapping will use this binary instead of downloading fcli.

FCLI_BOOTSTRAP_URL

By default, fcli is downloaded from the official GitHub releases page. This environment variable allows you to specify a custom URL, for example pointing to an internal mirror in air-gapped environments. In those cases, you’ll likely also want to set TOOL_DEFINITIONS to point to a custom tool definitions file to allow for downloading supporting tools like ScanCentral Client from the internal mirror.

FCLI_BOOTSTRAP_RSA_SHA256_URL

Custom URL for the fcli RSA SHA256 signature file. Defaults to <FCLI_BOOTSTRAP_URL>.rsa_sha256.

FCLI_BOOTSTRAP_VERIFY_SIGNATURE

Set to false to skip verification (not recommended) of the fcli download.

TOOL_DEFINITIONS

Supporting tools like ScanCentral Client or Debricked CLI are by default downloaded from the URLs defined in the default Fortify tool definitions. For airgapped environments, point this environment variable to an internally hosted custom tool definitions zip file to download these tools from an internal mirror.

PREINSTALLED

Set to true to require that all supporting tools (e.g., ScanCentral Client, Debricked CLI) invoked by the fcli ci action are already installed, preventing tool definitions from being updated or tools from being automatically installed. This is useful for environments where pre-installed tools must be used, or where automatic tool installation is not permitted.

Authentication & Connection

Configure credentials and connection details for OpenText Application Security (Fortify Software Security Center).

Environment Variable

Description

SSC_URL

OpenText Application Security (Fortify Software Security Center) URL, for example https://ssc.customer.fortifyhosted.net/. This must be rendered by the CI/CD system as plain text, not as a masked secret/variable.

SSC_TOKEN

Required when authenticating with an SSC token (recommended). Most actions should work fine with a CIToken.

SSC_USER
SSC_PASSWORD

Required when authenticating with SSC user credentials.

SC_SAST_TOKEN

ScanCentral SAST Client Authentication Token for authenticating with ScanCentral SAST Controller. This environment variable is required when running a ScanCentral SAST scan.

SSC_LOGIN_EXTRA_OPTS

Extra SSC login options, for example for disabling SSL checks or changing connection time-outs; see fcli ssc session login documentation.

Application Version Management

Configure OpenText Application Security (Fortify Software Security Center) application version settings, including automatic creation of application versions if they don’t exist.

Environment Variable

Description

SSC_APPVERSION

Fortify SSC application version to use with this action. This should be specified as <app-name>:<version-name>. Default value is based on repository and branch name, for example myOrg/myRepo:myBranch.

DO_SETUP
SETUP_ACTION
SETUP_EXTRA_OPTS

If DO_SETUP is set not set to false, the application and/or version will be created if they do not yet exist using the fcli-provided setup-appversion action, or, if specified, the custom fcli action specified through SETUP_ACTION. Extra options for the fcli action can be passed through the SETUP_EXTRA_OPTS environment variable.

Depending on your Git workflow, it is recommended to copy state from the application version representing your default branch by passing the --copy-from option through SETUP_EXTRA_OPTS.

Package Configuration

Configure source code packaging behavior for SAST scans. Control whether to use custom packaging actions, specify pre-built packages, or customize ScanCentral Client usage.

Environment Variable

Description

PACKAGE_ACTION
PACKAGE_ACTION_EXTRA_OPTS

By default, when running a SAST scan, the fcli package action is used to (optionally) package the source code to be scanned; see next entry for information on how to configure the default package action. If the standard fcli package action doesn’t meet your needs, for example if you want to perform a local translation using Fortify Static Code Analyzer, you can use PACKAGE_ACTION to use a custom action for packaging, optionally providing extra options to this custom action through the PACKAGE_ACTION_EXTRA_OPTS environment variable. Note that any custom action must set the global.package.output action variable, pointing to the package or MBS file to be scanned.

USE_PACKAGE
PACKAGE_EXTRA_OPTS
SC_CLIENT_VERSION
SC_CLIENT_HOME
SOURCE_DIR

These environment variables define packaging behavior. If USE_PACKAGE is specified, packaging will be skipped and the given package or MBS file (which must already exist) will be used. To pass additional options to the scancentral package command like -bt or -bf, use PACKAGE_EXTRA_OPTS.

By default:

* If SC_CLIENT_HOME is specified, the pre-installed ScanCentral Client at that location will be registered and used, skipping automatic installation. The path should point to the installation directory or binary.
* SC_CLIENT_VERSION may be specified to request a specific ScanCentral Client version to be used. Allowed values:
* An explicit version number (e.g. 25.2 or 25.2.0)
* Path to a specific ScanCentral Client installation
* latest to use the latest available ScanCentral Client version
* auto (default for SSC) to enable automatic detection based on available sensor versions
* If neither SC_CLIENT_VERSION nor SC_CLIENT_HOME are set, defaults to auto behavior (sensor-based detection).
* Current working directory will be packaged; use SOURCE_DIR to package a different directory.
* Debug logging for Scancentral Client is disabled; pass --debug on the fcli invocation to enable debug logging.

Scan Execution

Configure SAST and Debricked scan execution and waiting behavior for OpenText Application Security (Fortify Software Security Center).

Environment Variable

Description

DO_SAST_SCAN
SAST_SCAN_EXTRA_OPTS

The fcli ci action by default runs a SAST scan, optionally in combination with other scan types. The DO_SAST_SCAN environment variable can be set to false to disable the SAST scan. The SAST_SCAN_EXTRA_OPTS environment variable can be used to provide additional options to the fcli sc-sast scan start command, for example to request a scan completion email notification. Note that these environment variables only control the submission of the scan request; see the information below for details on waiting for the scan to complete.

DO_DEBRICKED_SCAN
DEBRICKED_SCAN_EXTRA_OPTS
DEBRICKED_ACCESS_TOKEN
DEBRICKED_VERSION
DEBRICKED_HOME

The fcli ci action supports running a Debricked Software Composition Analysis (SCA) scan, which is enabled automatically if DEBRICKED_ACCESS_TOKEN is provided. The DO_DEBRICKED_SCAN environment variable can be set to false to (temporarily) disable the Debricked scan. The DEBRICKED_SCAN_EXTRA_OPTS environment variable can be used to provide additional options to the debricked scan command.

By default:

* If DEBRICKED_HOME is specified, the pre-installed Debricked CLI at that location will be registered and used, skipping automatic installation. The path should point to the installation directory or binary.
* DEBRICKED_VERSION may be specified to request a specific Debricked CLI version to be used. Allowed values:
* An explicit version number (e.g. 2.6 or 2.6.7)
* Path to a specific Debricked CLI installation
* latest to use the latest available Debricked CLI version
* auto (default) to use a pre-installed version if available, otherwise installs latest
* If neither DEBRICKED_VERSION nor DEBRICKED_HOME are set, defaults to auto behavior.

DO_WAIT
DO_SAST_WAIT
SAST_WAIT_EXTRA_OPTS
DEBRICKED_WAIT_EXTRA_OPTS

By default, the fcli ci action will wait for all started scans to complete; set DO_WAIT to false to just kick off any configured scans without waiting for completion. Note that doing so will skip any post-scan tasks. The SAST_WAIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli sc-sast scan wait-for command, and similarly, the DEBRICKED_WAIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli ssc artifact wait-for command.

Post-Scan Actions

Configure post-scan tasks including Aviator auditing, application version summaries, policy checks, pull request comments, and vulnerability data exports for OpenText Application Security (Fortify Software Security Center). NOTE: Availability and behavior of post-scan tasks may vary across CI/CD systems and fcli versions.

Environment Variable

Description

AVIATOR_URL
AVIATOR_TOKEN
AVIATOR_LOGIN_EXTRA_OPTS

Aviator URL and JWT token to use for Aviator operations (see below). The AVIATOR_TOKEN environment variable should hold the actual token contents; prefixes like file: or string: (like the --token option on the fcli aviator session login command) are not supported. The AVIATOR_LOGIN_EXTRA_OPTS environment variable can be used to pass additional options to the fcli aviator session login command.

DO_AVIATOR_AUDIT
AVIATOR_APP
AVIATOR_AUDIT_EXTRA_OPTS
AVIATOR_WAIT_EXTRA_OPTS

If DO_AVIATOR_AUDIT is not set to false, and Aviator URL and token have been configured, scan results will be sent to Aviator for AI-driven auditing. The Aviator application name can optionally be configured through AVIATOR_APP, which defaults to the SSC application name. The AVIATOR_AUDIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli aviator ssc audit command, for example to adjust tag mappings. The AVIATOR_WAIT_EXTRA_OPTS environment variable can be used to pass extra options to the fcli ssc artifact wait-for command, which will be run to wait for SSC to process the audited results.

DO_APPVERSION_SUMMARY
APPVERSION_SUMMARY_ACTION
APPVERSION_SUMMARY_EXTRA_OPTS

If DO_APPVERSION_SUMMARY is not set to false, an application version summary will be generated using the fcli-provided appversion-summary action or, if specified, the custom fcli action specified through APPVERSION_SUMMARY_ACTION. Extra options for the fcli action can be specified through the APPVERSION_SUMMARY_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

DO_CHECK_POLICY
CHECK_POLICY_ACTION
CHECK_POLICY_EXTRA_OPTS

If DO_CHECK_POLICY is set to true (implied if any of the other two CHECK_POLICY_* variables are set), a policy check will be run after scan completion using the fcli-provided check-policy action or, if specified, the custom fcli action specified through CHECK_POLICY_ACTION. Extra options for a custom fcli action can be passed through the CHECK_POLICY_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

DO_PR_COMMENT
PR_COMMENT_ACTION
PR_COMMENT_EXTRA_OPTS

(PREVIEW) If DO_PR_COMMENT is set to true (implied if any of the other two PR_COMMENT_* variables are set), a Pull Request or Merge Request comment will be generated using an fcli-provided action matching the current CI system like github-pr-comment or, if specified, the custom fcli action specified through PR_COMMENT_ACTION. Extra options for the fcli action can be specified through the PR_COMMENT_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

DO_SAST_EXPORT
SAST_EXPORT_ACTION
SAST_EXPORT_EXTRA_OPTS

If DO_SAST_EXPORT is not set to false and a SAST scan was completed, the SAST vulnerability data will be exported into a CI-specific format using an fcli-provided action matching the current CI system like github-sast-report or gitlab-sast-report, or, if specified, the custom fcli action specified through SAST_EXPORT_ACTION. Extra options for the fcli action can be specified through the SAST_EXPORT_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

DO_DEBRICKED_EXPORT
DEBRICKED_EXPORT_ACTION
DEBRICKED_EXPORT_EXTRA_OPTS

If DO_DEBRICKED_EXPORT is not set to false and a Debricked scan was completed, the Debricked vulnerability data will be exported into a CI-specific format using an fcli-provided action matching the current CI system like gitlab-debricked-report, or, if specified, the custom fcli action specified through DEBRICKED_EXPORT_ACTION. Extra options for the fcli action can be specified through the DEBRICKED_EXPORT_EXTRA_OPTS environment variable, which may include fcli options to allow unsigned custom actions to be used.

Additional Resources