
Automating Fortify Audit Workbench


Does Fortify Audit Workbench have any command-line options that would allow me to put it in a cron job and run it daily?

The scan takes over two hours; I would like it to run overnight and see the results in the morning.

Jason


Solution

  • Audit Workbench is the GUI front end for the underlying SCA engine (sourceanalyzer)

    If you know how to scan your code through the command line, you can create a Windows batch file or bash script to execute it.

    The hardest part will be to come up with the translation command. That is going to be language and project specific.

    Your script should have a minimum of 3 steps:

    • Clean
    • Translate
    • Scan

    There is a fourth optional step to upload the scan results to your SSC instance. This step uses the fortifyclient command.

    References:

    Without any further information, we cannot help you with the actual commands.
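
The clean, translate, scan and optional upload steps from the answer above, written as a cron-ready script. This is an added example, not part of the original answer; the build ID, file paths, SSC URL, application name and version are placeholders, and the translation arguments are whatever your project needs.

```bash
#!/usr/bin/env bash
# Nightly Fortify SCA run: clean, translate, scan, optional SSC upload.
# All names and paths below are placeholders (assumptions), not from the page.
# Hypothetical crontab entry (01:00 daily):
#   0 1 * * * /opt/scripts/fortify_nightly.sh --run "src/**/*.java" >> /var/log/fortify_nightly.log 2>&1

BUILD_ID="${BUILD_ID:-nightly}"          # sourceanalyzer build ID (-b)
FPR="${FPR:-/tmp/${BUILD_ID}.fpr}"       # scan result file
SSC_URL="${SSC_URL:-}"                   # empty = skip the upload step
SSC_TOKEN_FILE="${SSC_TOKEN_FILE:-}"     # file holding the SSC token, mode 0600
SSC_APP="${SSC_APP:-example-app}"        # placeholder application name
SSC_VERSION="${SSC_VERSION:-1.0}"        # placeholder application version

# Log a command with a timestamp, then run it.
step() {
  echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" >&2
  "$@"
}

# Arguments are the project-specific translation arguments.
nightly_scan() {
  if [ "$#" -eq 0 ]; then
    echo "usage: nightly_scan <translation arguments>" >&2
    return 2
  fi
  # Stop at the first failing step so a broken translation is never
  # scanned and its result never uploaded.
  step sourceanalyzer -b "$BUILD_ID" -clean          || return 1
  step sourceanalyzer -b "$BUILD_ID" "$@"            || return 1
  step sourceanalyzer -b "$BUILD_ID" -scan -f "$FPR" || return 1

  [ -n "$SSC_URL" ] || return 0
  if [ ! -r "$SSC_TOKEN_FILE" ]; then
    echo "SSC_URL is set but the token file is not readable" >&2
    return 3
  fi
  # Not run through step(): the token must not end up in the cron log.
  # Older fortifyclient releases name the last two options -project / -version.
  fortifyclient -url "$SSC_URL" -authtoken "$(cat "$SSC_TOKEN_FILE")" \
    uploadFPR -file "$FPR" \
    -application "$SSC_APP" -applicationVersion "$SSC_VERSION" || return 4
}

if [ "${1:-}" = "--run" ]; then
  shift
  nightly_scan "$@"
fi
```

Keep the token file readable only by the account that owns the cron job, and give that token upload rights only.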