Fortify on Demand (FoD) Skill
Fortify on Demand (FoD) integration via Model Context Protocol (MCP).
When to Use This Skill
- List applications and releases
- Run security scans (SAST, SCA, DAST, MAST)
- List security issues/vulnerabilities with filtering by severity, category, etc.
- Count issues grouped by severity, category, etc.
- Manage scan configurations and monitor scan progress
- Generate and download security reports
Available MCP Tools
Only key MCP tools for FoD are listed here.
| Tool | Description | When to Use |
|---|---|---|
fcli_fod_session_list | List authentication sessions | Check authentication status |
fcli_fod_app_list | List applications | Discover available applications |
fcli_fod_app_get | Get details of a specific application | Retrieve detailed information about an application |
fcli_fod_release_list | List releases | Discover available releases |
fcli_fod_release_get | Get details of a specific release | Retrieve detailed information about a release |
fcli_fod_release_list_assessment_types | List available scan types for release | Discover which scan types are available |
fcli_fod_issue_list | List issues/vulnerabilities | Retrieve security findings |
fcli_fod_issue_update | Update vulnerability status | Change analysis tags, add comments, suppress issues |
fcli_fod_action_package | Package source code for scanning | Prepare source code for SAST/SCA scans |
fcli_fod_sast_scan_setup | Configure SAST scan settings | Set up static analysis scan parameters |
fcli_fod_sast_scan_start | Start SAST scan | Upload package and initiate static scan |
fcli_fod_sast_scan_get_config | Get SAST scan configuration | Retrieve current SAST scan settings (uses release name) |
fcli_fod_sast_scan_get | Get SAST scan details by scan ID | Check specific scan status (requires scan ID from start response or scan list) |
fcli_fod_sast_scan_wait_for | Wait for SAST scan completion | Monitor scan until finished |
fcli_fod_oss_scan_start | Start SCA/OSS scan | Upload package and initiate open source scan |
fcli_fod_oss_scan_get | Get SCA scan details by scan ID | Check specific SCA scan status (requires scan ID from start response or scan list) |
fcli_fod_oss_scan_list_components | List detected open source components | View OSS components found in scan |
fcli_fod_dast_scan_setup_website | Configure website DAST scan | Set up dynamic analysis for web apps |
fcli_fod_dast_scan_setup_api | Configure API DAST scan | Set up dynamic analysis for APIs |
fcli_fod_dast_scan_get_config | Get DAST scan configuration | Retrieve current DAST scan settings (uses release name) |
fcli_fod_dast_scan_start | Start DAST scan | Initiate dynamic security scan |
fcli_fod_report_create | Create security report | Generate reports from scan results |
fcli_fod_report_download | Download report file | Retrieve generated report |
fcli_fod_report_wait_for | Wait for report generation | Monitor report creation until complete |
Parameter Formats
Common formats and examples for key parameters:
| Parameter | Format | Example |
|---|---|---|
--fod-session | Session name (REQUIRED for all tools) | "default" |
--release | "<App>:<Release>" - case-sensitive, colon-separated (for *_list, *_scan_setup, *_scan_start, *_scan_get_config tools) | "MyApp:MyRelease" |
--qualifiedReleaseNameOrId | "<App>:<Release>" - case-sensitive, colon-separated (for release_get, app_get tools) | "MyApp:MyRelease" |
releaseQualifiedScanOrId | Scan ID or qualified scan ID (for *_scan_get tools) - Always use scan ID returned from *_scan_start or from *_scan_list | "12345" or "MyApp:MyRelease:12345" |
--filters-param | "<FilterName>:<Value>" - server-side filtering | "severityString:Critical" |
--include | Control which issue statuses to include. By default, only visible issues returned. Comma-separated values: visible, fixed, suppressed | "visible,fixed" or "suppressed" |
--embed | Comma-separated values to include additional data. Valid values: allData, summary, details, recommendations, history, requestResponse, headers, parameters, traces | "details,recommendations,history" |
file | Path to packaged zip or report output | "package.zip", "report.pdf" |
Authentication
All operations require authentication. Always verify session before any operation:
fcli_fod_session_list refresh-cache=true
- If
Expired=No→ proceed - If expired → ask user to run locally:
fcli fod session login --url <URL> --client-id <id> --client-secret <secret> - When running any FoD tool, if authentication error occurs, prompt user to re-authenticate locally.
Note: Reference workflows assume authentication has been verified.
Domain-Specific Guidance
Scan Workflows: Always Check Settings First
Before starting any scan, follow this sequence:
- Check existing scan configuration using
*_scan_get_configcommand - If not configured → Always ask user for required settings (language, build tool, framework, etc.)
- Never infer settings from workspace - build tools, language versions, and frameworks must be user-confirmed
- Package source code (SAST/SCA only) using
fcli_fod_action_package - Upload and start scan using appropriate
*_scan_startcommand - Monitor progress using
*_scan_wait_foror periodic*_scan_getcalls
Packaging Requirements
- SAST scans: Package source code with
fcli_fod_action_package - SCA/OSS scans: Package source code with
fcli_fod_action_package(same as SAST) - DAST scans: No packaging needed - scans live running application
- MAST scans: Upload mobile app binary (APK/IPA file)
- Note: To enable Open Source Analysis in a SAST scan, use
--ossflag infcli_fod_sast_scan_setup
Filtering: Prefer --filters-param for Server-Side
- Prefer
--filters-paramfor server-side filtering (fastest, smallest payloads) - Optionally use
queryas a client-side post-filter when you need a simple match on returned fields - Common filters:
severityString:Critical,severityString:High,category:SQL Injection
Pagination
- If
pagination.hasMore= true → usepagination-offsetfor next page - Continue until
pagination.hasMore= false orpagination.totalRecordsreached
Error Recovery
| Error | Recovery |
|---|---|
| "Session expired" | Refer to flow in Authentication section |
| "Release not found" | Run release_list to discover correct names (see Finding Releases) |
| "Scan not configured" | Ask user for scan settings and run *_scan_setup |
| "Package required" | Run fcli_fod_action_package to package source code |
Decision Tree: Choosing the Right Approach
| User Intent | Action |
|---|---|
| "run SAST scan" / "static analysis" | Check config → ask settings → package → sast_scan_start (see SAST Workflow) |
| "run SCA scan" / "open source scan" | Package → oss_scan_start (see SCA Workflow) |
| "run DAST scan" / "dynamic scan" | Check config → ask settings → dast_scan_start (see DAST Workflow) |
| "list/show vulnerabilities" | issue_list with --filters-param + --embed details,recommendations |
| "how many / count / summary" | issue_list and aggregate results client-side |
| "find release / which release" | release_list → release_get (see Finding Releases) |
| "show recommendations / how to fix" | issue_list with --embed recommendations,history → prioritize Aviator (see Remediation) |
Best Practices
DO:
- ✅ Always verify authentication before operations
- ✅ Check scan configuration before starting SAST scans
- ✅ Always ask user for SAST scan settings (language, build tool, framework)
- ✅ Use
--ossflag insast_scan_setupto enable Open Source Analysis in SAST scans - ✅ Use
--filters-paramfor server-side filtering - ✅ Use
--embedto include details, recommendations, and history - ✅ Prioritize Fortify Aviator code fix suggestions in remediation
- ✅ Use MCP tools over FCLI CLI directly
- ✅ Monitor long-running scans with
*_scan_wait_for
DO NOT:
- ❌ Guess release names - always discover with
release_listif uncertain - ❌ Infer SAST scan settings from workspace - always ask user
- ❌ Skip SAST scan configuration validation
- ❌ Prompt user for credentials - ask user to run
fcli fod session loginlocally - ❌ Start scans without confirming settings with user
- ❌ Package source code for DAST scans (not needed)
References
Example Workflows
| Workflow | Use When User Says... |
|---|---|
| Run SAST Scan | "run SAST scan", "static analysis", "scan source code", "check for code vulnerabilities" |
| Run SCA Scan | "run SCA scan", "open source scan", "check dependencies", "OSS vulnerabilities", "software composition analysis" |
| Run DAST Scan | "run DAST scan", "dynamic scan", "test running application", "web application security test" |
| List and Filter Vulnerabilities | "list vulnerabilities", "show security issues", "filter issues by severity", "critical vulnerabilities" |
| Find Release | "find release", "which release", "list releases", "search for application" |
| Vulnerability Summary | "count vulnerabilities", "show summary", "breakdown by severity", "how many issues" |
| Remediation Workflow | "show recommendations", "how to fix", "remediation advice", "Aviator suggestions", "code fixes" |