Article by: Hashira Belén Vargas Candia
Systems Engineering Student – Application Security Focus
## Introduction to SAST Tools
Static Application Security Testing (SAST) tools analyze source code to identify security vulnerabilities before the application is deployed. While tools like SonarQube, Snyk, and Semgrep are popular, this article explores Micro Focus Fortify Static Code Analyzer (SCA) – an enterprise-grade SAST solution for comprehensive security analysis.
## Why Fortify SCA?
Fortify SCA offers:
- Multi-language support (Java, .NET, C++, Python, JavaScript, etc.)
- Deep code analysis with data flow and control flow tracking
- Comprehensive vulnerability database (OWASP Top 10, CWE, etc.)
- Integration capabilities with CI/CD pipelines
- Detailed remediation guidance
## Setting Up Fortify SCA for a Node.js Application
### Prerequisites
- Micro Focus Fortify SCA installation
- Node.js project with source code
- Fortify Plugin for your IDE (optional)
### Step 1: Installation & Setup
```bash
# Download Fortify SCA from the official Micro Focus portal
# Install with default settings
# Verify the installation: the scanner binary is sourceanalyzer, and -version prints the installed release
sourceanalyzer -version
```
### Step 2: Configure Scan Settings
Create a `fortify-sca.properties` file:
```properties
# Scan configuration for Node.js application
com.fortify.sca.Phase0HigherOrder.Languages=javascript
com.fortify.sca.EnableHTML5Scan=true
com.fortify.sca.NPM.EnableDependencyScanning=true
com.fortify.sca.Yarn.EnableDependencyScanning=true
```
### Step 3: Running the Scan
```bash
# Navigate to your Node.js project directory
cd /path/to/your/nodejs-app
# Run sourceanalyzer to translate the source code (clear any earlier translation of this build ID first).
# The file patterns are quoted so that sourceanalyzer, not the shell, expands them, and node_modules is excluded
# so third-party code does not dominate the scan.
sourceanalyzer -b myNodeAppBuild -clean
sourceanalyzer -b myNodeAppBuild -exclude "**/node_modules/**/*" "**/*.js" "**/*.ts" "**/*.jsx" "**/*.tsx"
# Scan the translated build for vulnerabilities and write the results to an FPR file
sourceanalyzer -b myNodeAppBuild -scan -f myNodeApp.fpr
```
## Real-World Example: Vulnerable Node.js Code
### Before SAST Analysis
```javascript
// app.js - Vulnerable code examples
const express = require('express');
const app = express();
app.use(express.json());
// `db` is the application's database connection (e.g. a mysql client); its setup is not shown here

// 1. SQL Injection vulnerability
app.get('/users', (req, res) => {
  const userId = req.query.id;
  // UNSAFE: Direct string concatenation of user input into the query
  db.query(`SELECT * FROM users WHERE id = ${userId}`, (err, result) => {
    res.json(result);
  });
});

// 2. XSS vulnerability
app.post('/comment', (req, res) => {
  const comment = req.body.comment;
  // UNSAFE: user input reflected into the HTML response without encoding
  res.send(`<div>${comment}</div>`);
});

// 3. Hardcoded credentials
const dbPassword = 'Admin@123'; // Security issue: secret committed to source control
```
### After Fortify SCA Analysis & Fixes
```javascript
// app.js - Secure code after remediation
const express = require('express');
const escapeHtml = require('escape-html');
const app = express();
app.use(express.json());
// `db` is the application's database connection (e.g. a mysql client); its setup is not shown here

// 1. Fixed SQL Injection using parameterized queries
app.get('/users', (req, res) => {
  const userId = req.query.id;
  // SAFE: the value is passed as a bound parameter, never spliced into the SQL text
  db.query('SELECT * FROM users WHERE id = ?', [userId], (err, result) => {
    res.json(result);
  });
});

// 2. Fixed XSS using output encoding
app.post('/comment', (req, res) => {
  const comment = req.body.comment;
  // SAFE: HTML escaping turns <, >, &, " and ' into entities before the value reaches the page
  res.send(`<div>${escapeHtml(comment)}</div>`);
});

// 3. Removed hardcoded credentials
const dbPassword = process.env.DB_PASSWORD; // Read from environment variables at runtime
```
## Understanding Fortify Scan Results
### Sample Output Format
The structure below is an illustrative JSON view of a scan's findings. The scanner itself writes an `.fpr` archive; tools bundled with Fortify such as `ReportGenerator` and `FPRUtility` convert that archive into report formats that can be consumed in a pipeline.
```json
{
  "issues": [
    {
      "id": "CWE-89",
      "severity": "High",
      "category": "SQL Injection",
      "file": "/src/routes/users.js",
      "line": 45,
      "description": "User input flows into SQL query without validation",
      "recommendation": "Use parameterized queries or stored procedures"
    },
    {
      "id": "CWE-79",
      "severity": "Medium",
      "category": "Cross-Site Scripting (XSS)",
      "file": "/src/views/comments.ejs",
      "line": 23,
      "description": "User input directly reflected in HTML output",
      "recommendation": "Implement proper output encoding"
    }
  ],
  "summary": {
    "total_issues": 15,
    "high_severity": 3,
    "medium_severity": 8,
    "low_severity": 4
  }
}
```
### Severity Classification
- Critical/High: Immediate attention required (SQLi, RCE, etc.)
- Medium: Address in next development cycle (XSS, CSRF, etc.)
- Low: Consider fixing (information disclosure, etc.)
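The severity classes above are only useful if something acts on them. The following script is an added example, not part of the original article and not a Fortify tool: it reads findings in the JSON shape shown in the sample output, drops any that match a suppression entry (the rule ID plus file pattern idea the article uses for false positives later on), counts what remains per severity, and reports whether the build should pass a gate at a chosen threshold. It assumes the findings have already been exported from the `.fpr` archive into that JSON shape; the sample findings and the `CWE-200` entry are constructed for the demonstration.

```javascript
'use strict';

// Constructed sample in the same shape as the article's sample output (not real scan data).
const SAMPLE_RESULTS = {
  issues: [
    { id: 'CWE-89', severity: 'High', category: 'SQL Injection', file: '/src/routes/users.js', line: 45 },
    { id: 'CWE-79', severity: 'Medium', category: 'Cross-Site Scripting (XSS)', file: '/src/views/comments.ejs', line: 23 },
    { id: 'CWE-200', severity: 'Low', category: 'Information Disclosure', file: '/src/routes/debug.js', line: 12 },
  ],
};

// Severity ordering, highest first. Unknown severities are treated as Low so they are still counted.
const SEVERITY_RANK = { Critical: 4, High: 3, Medium: 2, Low: 1 };

function rank(severity) {
  return SEVERITY_RANK[severity] || SEVERITY_RANK.Low;
}

// Parse the results text and refuse input that lacks an "issues" array rather than silently passing.
function parseResults(text) {
  const data = JSON.parse(text);
  if (!data || !Array.isArray(data.issues)) {
    throw new Error('results file has no "issues" array');
  }
  return data.issues;
}

// A suppression is { ruleId, filePattern }: the rule ID must match exactly and the
// file pattern is a regular expression tested against the finding's file path.
function isSuppressed(issue, suppressions) {
  return suppressions.some(
    (s) => s.ruleId === issue.id && new RegExp(s.filePattern).test(issue.file)
  );
}

// Count surviving issues per severity and collect the ones at or above the threshold.
function evaluateGate(issues, { threshold = 'High', suppressions = [] } = {}) {
  const counts = { Critical: 0, High: 0, Medium: 0, Low: 0 };
  const blocking = [];
  for (const issue of issues) {
    if (isSuppressed(issue, suppressions)) continue;
    const sev = SEVERITY_RANK[issue.severity] ? issue.severity : 'Low';
    counts[sev] += 1;
    if (rank(sev) >= rank(threshold)) blocking.push(issue);
  }
  return { counts, blocking, passed: blocking.length === 0 };
}

function gateFromText(text, options) {
  return evaluateGate(parseResults(text), options);
}

// Command-line use: node fortify-gate.js results.json [threshold]
// (hypothetical file name; exit code 1 means the gate failed).
if (process.argv[2]) {
  const fs = require('fs');
  const result = gateFromText(fs.readFileSync(process.argv[2], 'utf8'), {
    threshold: process.argv[3] || 'High',
  });
  console.log(JSON.stringify(result.counts));
  for (const i of result.blocking) {
    console.log(`${i.severity} ${i.id} ${i.file}:${i.line} ${i.category}`);
  }
  process.exitCode = result.passed ? 0 : 1;
}
```

Run against the constructed sample with a `High` threshold the gate fails on the SQL injection finding alone; suppressing `CWE-89` for `users.js` lets it pass, and lowering the threshold to `Medium` also blocks on the XSS finding. Suppressions are matched by rule ID and file together so that a filter written for one legacy file does not hide the same weakness elsewhere in the code base.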
## Integrating Fortify SCA into CI/CD Pipeline
### GitHub Actions Integration
```yaml
# .github/workflows/fortify-scan.yml
name: Fortify SAST Scan
on: [push, pull_request]
jobs:
  fortify-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Set up Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '18'
      - name: Install dependencies
        run: npm ci
      - name: Download Fortify SCA
        run: |
          wget https://download.fortify.com/sca/fortify-sca-latest.zip
          unzip fortify-sca-latest.zip
      - name: Run Fortify Scan
        run: |
          mkdir -p fortify-reports
          ./fortify-sca/bin/sourceanalyzer -b ${{ github.run_id }} -clean
          ./fortify-sca/bin/sourceanalyzer -b ${{ github.run_id }} -exclude "**/node_modules/**/*" "**/*.js"
          ./fortify-sca/bin/sourceanalyzer -b ${{ github.run_id }} -scan -f fortify-reports/results.fpr
      - name: Upload Results
        uses: actions/upload-artifact@v3
        with:
          name: fortify-results
          path: fortify-reports/
```
### GitLab CI/CD Integration
```yaml
# .gitlab-ci.yml
stages:
  - test
  - security
fortify_sast:
  stage: security
  image: node:18
  before_script:
    - apt-get update && apt-get install -y wget unzip
    - wget https://download.fortify.com/sca/fortify-sca-latest.zip
    - unzip fortify-sca-latest.zip
  script:
    - npm ci
    - mkdir -p fortify-reports
    - ./fortify-sca/bin/sourceanalyzer -b $CI_PIPELINE_ID -clean
    - ./fortify-sca/bin/sourceanalyzer -b $CI_PIPELINE_ID -exclude "**/node_modules/**/*" "**/*.js"
    - ./fortify-sca/bin/sourceanalyzer -b $CI_PIPELINE_ID -scan -f fortify-reports/results.fpr
  artifacts:
    paths:
      - fortify-reports/
    when: always
```
## Best Practices for SAST Implementation
### Regular Scanning Schedule
- Pre-commit hooks: Scan before each commit
- Nightly builds: Comprehensive scans during off-hours
- Release gates: Mandatory scans before production deployment
### Tuning & Customization
```properties
# Custom rule pack configuration
com.fortify.sca.CustomRules.Path=/path/to/custom/rules.xml
com.fortify.sca.SuppressionFilter.Path=/path/to/false-positives.xml
com.fortify.sca.Severity.Threshold=Medium
```
### Developer Education
- Remediation workshops: How to fix identified issues
- Secure coding training: Preventing vulnerabilities at source
- Knowledge sharing: Internal security champions program
## Comparison with Other SAST Tools
| Feature | Fortify SCA | Checkmarx | CodeQL |
|---|---|---|---|
| Language Support | 25+ languages | 25+ languages | 10+ languages |
| Analysis Depth | Deep flow analysis | Flow analysis | Semantic analysis |
| Integration | Extensive CI/CD plugins | Good integration | GitHub native |
| Learning Curve | Moderate to steep | Moderate | Moderate |
| Reporting | Enterprise-grade | Comprehensive | GitHub-focused |
## Common Challenges & Solutions
| Challenge | Solution |
|---|---|
| False Positives | Create suppression filters for known false positives |
| Long Scan Times | Implement incremental scanning |
| Complex Setup | Use containerized deployment |
| High Resource Usage | Optimize scan configurations and schedule off-hours |
| Developer Resistance | Provide training and integrate smoothly into workflow |
### Challenge 1: False Positives
Solution: Create suppression filters for known false positives. Scope each entry to a rule and a file pattern, so a filter written for one legacy file does not hide the same weakness elsewhere.
```xml
<!-- false-positives.xml -->
<SuppressionFilters>
  <Suppress>
    <RuleID>CWE-78</RuleID>
    <File>.*legacy-code\.js</File>
  </Suppress>
</SuppressionFilters>
```
### Challenge 2: Long Scan Times
Solution: Implement incremental scanning
```bash
# Only scan changed files; requires an earlier full scan under the same build ID
sourceanalyzer -b myApp -scan -incremental -f myApp.fpr
```
### Challenge 3: Complex Setup
Solution: Use containerized deployment
```dockerfile
# Dockerfile for Fortify SCA
FROM node:18
# wget and unzip are needed to fetch and unpack the scanner
RUN apt-get update && apt-get install -y --no-install-recommends wget unzip
RUN wget https://download.fortify.com/sca/fortify-sca-latest.zip
RUN unzip fortify-sca-latest.zip
COPY . /app
WORKDIR /app
CMD ["./run-fortify-scan.sh"]
```
## Conclusion
Fortify Static Code Analyzer provides robust security scanning for applications across multiple programming languages. While it requires initial setup and configuration, its comprehensive vulnerability detection and detailed remediation guidance make it valuable for enterprise security programs.
Key takeaways:
- SAST tools like Fortify catch vulnerabilities early in development
- Integration with CI/CD pipelines enables automated security testing
- Regular scans and developer education significantly improve application security
- Proper tuning reduces false positives and increases tool effectiveness
## Additional Resources
- OWASP SAST Tools List
- Fortify SCA Documentation
- NIST Application Security Guidelines
- Secure Coding Practices Checklist