Fortify Static Code Analyzer


Fortify Static Code Analyzer supports 27+ major languages and their frameworks and comes with flexible deployment options.

3 min read

fortify static code analyzer

What is Fortify Static Code Analyzer?

Fortify Static Code Analyzer is the static application security testing tool in the MicroFocus application security suite.

Fortify SCA detects 815 unique categories of vulnerabilities across 27 programming languages and spans over one million individual APIs.

Fortify SCA

What languages Fortify SCA supports?

It supports application written in ABAP/BSP, ActionScript, Apex, ASP.NET, C# (.NET), C/C++, Classic, ASP (with VBScript), COBOL, ColdFusion CFML, Go, HTML, Java (including Android), JavaScript/AJAX, JSP, Kotlin, MXML (Flex), Objective C/C++, PHP,
PL/SQL, Python, Ruby, Swift, T-SQL, VB.NET, VBScript, Visual Basic, and XML.

please share your experiences with Fortify Static Code Analyzer.


Or maybe you have a question.


Either way, let me know by leaving a comment below right now.

On this page:

5 Responses

  1. I would like to use fortify in my organization for rust code. We are able to use it with sonarqube using a plugin but I would like to expand to using fortify as well. I would like to know if there is any work being done on this or if there is a workaround that we could use.

    1. Thank you for your interest Fortify! While we don’t support static analysis of Rust currently, it’s one of the top languages we’re considering for future support. We’re actively monitoring demand amongst our customers and the market in general, and we’re always happy to engage in a deeper conversation. Just reach out to our support and/or account team.

  2. Hi , I would like to scan my SSIS dtsx packages which are xml codes. Is it possible to perform it using SCA and also detect the Line of Codes(LOC). I used the audit workbench but 0 LOC shown after scan.

  3. XML files are analyzed in a very different way from things like Java, C#, etc. That’s because this is simply data, not code. Fortify doesn’t perform full dataflow and control flow analysis. It simply evaluates XPath expressions. I think this is the reason why they are missing from the LoC count.

    Whether or not it is useful to scan XML files with Fortify depends on whether or not there are relevant rules. Fortify has those for several case; originally for things like Java EE web.xml and similar config files, but more recently also for Mule configuration. Right now, there are no rules relevant to SSIS dtsx packages. There’s no value in scanning those with Fortify.

Leave a Reply

Your email address will not be published. Required fields are marked *