Can I use Fortify to scan Scala code or the generated Java (jar) files? I know that I can do the jar option technically, but are there any known challenges with respect to the generated Java code?
Fortify SCA now officially includes support for Scala (since December 2017).
Adding this support was a collaborative project between Lightbend and Micro Focus.
I did most of the engineering work on the Lightbend side, writing a compiler plugin that translates Scala code to an intermediate form that Fortify understands. Micro Focus added Scala-specific security rules and made any necessary adjustments to the Fortify back end. (They also made sure that existing Java rules worked for equivalent Scala code, when appropriate.)
See:
Note that Fortify SCA is commercial software and so is the new Scala plugin. To use them, you must have a Fortify SCA license (or use Fortify on Demand). As of 2022, it is no longer necessary to also have a separate license from Lightbend.