How to integrate HP Fortify code scan with Bamboo CI/CD server?
Do you want to protect your code from vulnerabilities, or generate the report your compliance team needs before they sign off on a pre-production or production release?
A code scan plays a vital role in detecting memory leaks, vulnerabilities, and other openings for a cyber attack by examining our code in detail. It also serves as a compliance standard in large MNCs before any production release of a software product.
There are many tools on the market, both open source and proprietary, that will do this job. Some of the popular ones are HP Fortify Static Code Analyzer, SonarQube, etc.
In this article, I will show you how to automate the whole process of scanning the code and uploading the report to the Fortify Static Code Analyzer portal, so that your compliance team can log in and view the report.
Here, I’m going to use the Atlassian Bamboo CI/CD server as the example for automating the code scan during the build process. However, the steps and commands used for the code scan itself remain the same for other integration servers, such as Jenkins build pipelines.
Assumptions: I will assume that you have already installed the HP Fortify code scan tool from their site (https://www.microfocus.com/en-us/products/static-code-analysis-sast/overview) on your server or on a dedicated virtual machine (VM), so that I can focus on the specific steps required for integration, report generation, etc. If not, download and install the tool, and create a project once you log in to it.
The entire process of running a scan can be divided into 3 parts:
- Update or download the rule packs
- Running the scan to generate the FPR (Fortify Project Scanned Report)
- Uploading it to the Fortify portal (the portal mentioned above)
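To show how the three parts fit together as one script that a Bamboo (or Jenkins) script task can call, here is an added example; it is not from the article. It assumes the Fortify command-line tools `fortifyupdate`, `sourceanalyzer` and `fortifyclient` are on `PATH` and that their flags match the installed Fortify version, that the build id, source directory, project name and version are supplied as plan variables (the defaults below are constructed placeholders), and that the SSC URL and authentication token arrive as CI variables rather than being hard-coded. Setting `FORTIFY_DRY_RUN=1` prints the commands instead of running them, which is handy for validating the plan before the Fortify tools are installed on the agent.

```shell
#!/bin/sh
# Added example (not the article's own script): chains rule-pack update, scan,
# and FPR upload for a CI script task. Assumes the Fortify CLI tools are on PATH
# and that the flags below match the installed Fortify version.
set -e

BUILD_ID="${BUILD_ID:-myapp}"                          # Fortify build id (constructed placeholder)
SRC_DIR="${SRC_DIR:-./src}"                            # source tree to translate
FPR_OUT="${FPR_OUT:-./fortify/${BUILD_ID}.fpr}"        # where the scan result is written
SSC_URL="${SSC_URL:-https://ssc.example.invalid/ssc}"  # placeholder portal URL; set from CI
SSC_PROJECT="${SSC_PROJECT:-MyApp}"                    # SSC application name (placeholder)
SSC_VERSION="${SSC_VERSION:-1.0}"                      # SSC application version (placeholder)
FORTIFY_DRY_RUN="${FORTIFY_DRY_RUN:-0}"                # 1 = print the commands, do not run them

# run: execute a command, or only print it when dry-running.
run() {
  if [ "$FORTIFY_DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Part 1: refresh the rule packs so the scan uses the current rules.
update_rulepacks() {
  run fortifyupdate
}

# Part 2: translate the sources and scan them into an FPR.
# -clean discards any stale intermediate files for this build id. Translating a
# plain source directory is a constructed example; for a real project pass the
# project's own build command (mvn, gradle, msbuild, ...) to sourceanalyzer instead.
scan_to_fpr() {
  run sourceanalyzer -b "$BUILD_ID" -clean
  run sourceanalyzer -b "$BUILD_ID" "$SRC_DIR"
  run sourceanalyzer -b "$BUILD_ID" -scan -f "$FPR_OUT"
}

# Part 3: upload the FPR to the portal. The token is read from the environment
# (a Bamboo secret variable, for example) so it never lands in the repository,
# and it is redacted in dry-run output so it never lands in the build log.
upload_fpr() {
  if [ "$FORTIFY_DRY_RUN" != "1" ] && [ -z "${SSC_TOKEN:-}" ]; then
    echo "SSC_TOKEN is not set; refusing to upload" >&2
    return 1
  fi
  token="${SSC_TOKEN:-}"
  [ "$FORTIFY_DRY_RUN" = "1" ] && token="<redacted>"
  run fortifyclient uploadFPR -file "$FPR_OUT" -project "$SSC_PROJECT" \
      -version "$SSC_VERSION" -url "$SSC_URL" -authtoken "$token"
}

# The three parts in order; set -e aborts the job if any step fails, so a failed
# scan never results in a missing or stale report being uploaded silently.
fortify_pipeline() {
  update_rulepacks
  scan_to_fpr
  upload_fpr
}

# Invoke as:  sh fortify_scan.sh run        (FORTIFY_DRY_RUN=1 to preview the commands)
if [ "${1:-}" = "run" ]; then
  fortify_pipeline
fi
```

In the Bamboo job, add this file to the repository (or an inline script task with the same body), define `SSC_URL`, `SSC_PROJECT`, `SSC_VERSION` as plan variables and `SSC_TOKEN` as a secret variable, and call `sh fortify_scan.sh run` as the task's command.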
Let’s start the Integration now :)
Step 1: Integrating with Bamboo Server
Log in to your Bamboo server, open a new or an existing build plan, and click ‘Configure plan’ to navigate to the configuration page. Then create a new ‘Stage’ and a new plan in that stage. I will name the stage ‘Fortify SSC’ and the plan ‘Scan code and Upload FPR’, as shown below: