"use this skill whenever the user wants to list and filter application security findings, run SAST/SCA/DAST scans, discover applications and releases, and manage security scanning using Fortify on Demand (FoD). Triggers include: any mention of 'FoD', 'Fortify on Demand', 'list vulnerabilities', 'run SAST scan', 'run SCA scan', 'run DAST scan', 'list applications', 'list releases', 'package source code', 'security scan', and similar requests indicating interaction with FoD for application security scanning and vulnerability management."
Install: `npx skillscat add crance/agent-skills-fortify/fortify-fod` (via the SkillsCat registry)
Fortify on Demand (FoD) Skill
Fortify on Demand (FoD) integration via Model Context Protocol (MCP).
When to Use This Skill
- List applications and releases
- Run security scans (SAST, SCA, DAST, MAST)
- List security issues/vulnerabilities with filtering by severity, category, etc.
- Count issues grouped by severity, category, etc.
- Manage scan configurations and monitor scan progress
- Generate and download security reports
Available MCP Tools
Only key MCP tools for FoD are listed here.
| Tool | Description | When to Use |
|---|---|---|
| `fcli_fod_session_list` | List authentication sessions | Check authentication status |
| `fcli_fod_app_list` | List applications | Discover available applications |
| `fcli_fod_app_get` | Get details of a specific application | Retrieve detailed information about an application |
| `fcli_fod_release_list` | List releases | Discover available releases |
| `fcli_fod_release_get` | Get details of a specific release | Retrieve detailed information about a release |
| `fcli_fod_release_list_assessment_types` | List available scan types for a release | Discover which scan types are available |
| `fcli_fod_issue_list` | List issues/vulnerabilities | Retrieve security findings |
| `fcli_fod_issue_update` | Update vulnerability status | Change analysis tags, add comments, suppress issues |
| `fcli_fod_action_package` | Package source code for scanning | Prepare source code for SAST/SCA scans |
| `fcli_fod_sast_scan_setup` | Configure SAST scan settings | Set up static analysis scan parameters |
| `fcli_fod_sast_scan_start` | Start SAST scan | Upload package and initiate static scan |
| `fcli_fod_sast_scan_get_config` | Get SAST scan configuration | Retrieve current SAST scan settings (uses release name) |
| `fcli_fod_sast_scan_get` | Get SAST scan details by scan ID | Check specific scan status (requires scan ID from start response or scan list) |
| `fcli_fod_sast_scan_wait_for` | Wait for SAST scan completion | Monitor scan until finished |
| `fcli_fod_oss_scan_start` | Start SCA/OSS scan | Upload package and initiate open source scan |
| `fcli_fod_oss_scan_get` | Get SCA scan details by scan ID | Check specific SCA scan status (requires scan ID from start response or scan list) |
| `fcli_fod_oss_scan_list_components` | List detected open source components | View OSS components found in scan |
| `fcli_fod_dast_scan_setup_website` | Configure website DAST scan | Set up dynamic analysis for web apps |
| `fcli_fod_dast_scan_setup_api` | Configure API DAST scan | Set up dynamic analysis for APIs |
| `fcli_fod_dast_scan_get_config` | Get DAST scan configuration | Retrieve current DAST scan settings (uses release name) |
| `fcli_fod_dast_scan_start` | Start DAST scan | Initiate dynamic security scan |
| `fcli_fod_report_create` | Create security report | Generate reports from scan results |
| `fcli_fod_report_download` | Download report file | Retrieve generated report |
| `fcli_fod_report_wait_for` | Wait for report generation | Monitor report creation until complete |
Parameter Formats
Common formats and examples for key parameters:
| Parameter | Format | Example |
|---|---|---|
| `--fod-session` | Session name (REQUIRED for all tools) | `"default"` |
| `--release` | `"<App>:<Release>"`, case-sensitive, colon-separated (for `*_list`, `*_scan_setup`, `*_scan_start`, `*_scan_get_config` tools) | `"MyApp:MyRelease"` |
| `--qualifiedReleaseNameOrId` | `"<App>:<Release>"`, case-sensitive, colon-separated (for `release_get`, `app_get` tools) | `"MyApp:MyRelease"` |
| `releaseQualifiedScanOrId` | Scan ID or qualified scan ID (for `*_scan_get` tools); always use the scan ID returned from `*_scan_start` or from `*_scan_list` | `"12345"` or `"MyApp:MyRelease:12345"` |
| `--filters-param` | `"<FilterName>:<Value>"`, server-side filtering | `"severityString:Critical"` |
| `--include` | Controls which issue statuses are included; by default only visible issues are returned. Comma-separated values: `visible`, `fixed`, `suppressed` | `"visible,fixed"` or `"suppressed"` |
| `--embed` | Comma-separated values that include additional data. Valid values: `allData`, `summary`, `details`, `recommendations`, `history`, `requestResponse`, `headers`, `parameters`, `traces` | `"details,recommendations,history"` |
| `file` | Path to packaged zip or report output | `"package.zip"`, `"report.pdf"` |
Authentication
All operations require authentication. Always verify the session before any operation:
- Run `fcli_fod_session_list refresh-cache=true`
- If `Expired=No` → proceed
- If expired → ask the user to run locally: `fcli fod session login --url <URL> --client-id <id> --client-secret <secret>`
- When running any FoD tool, if an authentication error occurs, prompt the user to re-authenticate locally.
Note: Reference workflows assume authentication has been verified.
Domain-Specific Guidance
Scan Workflows: Always Check Settings First
Before starting any scan, follow this sequence:
- Check the existing scan configuration using the `*_scan_get_config` command
- If not configured → always ask the user for the required settings (language, build tool, framework, etc.)
- Never infer settings from the workspace: build tools, language versions, and frameworks must be user-confirmed
- Package source code (SAST/SCA only) using `fcli_fod_action_package`
- Upload and start the scan using the appropriate `*_scan_start` command
- Monitor progress using `*_scan_wait_for` or periodic `*_scan_get` calls
Packaging Requirements
- SAST scans: package source code with `fcli_fod_action_package`
- SCA/OSS scans: package source code with `fcli_fod_action_package` (same as SAST)
- DAST scans: no packaging needed; the scan targets the live running application
- MAST scans: upload the mobile app binary (APK/IPA file)
- Note: to enable Open Source Analysis in a SAST scan, use the `--oss` flag in `fcli_fod_sast_scan_setup`
Filtering: Prefer --filters-param for Server-Side
- Prefer `--filters-param` for server-side filtering (fastest, smallest payloads)
- Optionally use `query` as a client-side post-filter when you need a simple match on returned fields
- Common filters: `severityString:Critical`, `severityString:High`, `category:SQL Injection`
Pagination
- If `pagination.hasMore` = true → use `pagination-offset` for the next page
- Continue until `pagination.hasMore` = false or `pagination.totalRecords` is reached
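The following is an added example (not part of this skill or of fcli) showing how the Filtering and Pagination guidance above fit together with the client-side aggregation the decision tree prescribes for "how many / summary" requests. It models the `fcli_fod_issue_list` MCP tool as a plain Python callable over constructed sample issues; the response shape (an `items` list beside the `pagination` object) and the `severityString`/`category` field names are assumptions, since the page only names the pagination fields and filter names.

```python
from collections import Counter

PAGE_SIZE = 2  # small page size so the constructed sample spans several pages

# Constructed sample issues, standing in for the release "MyApp:MyRelease".
SAMPLE_ISSUES = [
    {"id": 1, "severityString": "Critical", "category": "SQL Injection"},
    {"id": 2, "severityString": "High", "category": "Cross-Site Scripting"},
    {"id": 3, "severityString": "Critical", "category": "Command Injection"},
    {"id": 4, "severityString": "Medium", "category": "SQL Injection"},
    {"id": 5, "severityString": "High", "category": "SQL Injection"},
]

def fake_issue_list(release, filters_param=None, pagination_offset=0):
    """Stand-in for the fcli_fod_issue_list MCP tool (assumed response shape).
    Applies --filters-param ("<FilterName>:<Value>") server-side and returns
    one page plus pagination.hasMore / pagination.totalRecords."""
    assert release == "MyApp:MyRelease", "constructed sample has one release"
    rows = SAMPLE_ISSUES
    if filters_param:
        name, value = filters_param.split(":", 1)
        rows = [r for r in rows if r.get(name) == value]
    page = rows[pagination_offset:pagination_offset + PAGE_SIZE]
    return {"items": page,
            "pagination": {"hasMore": pagination_offset + PAGE_SIZE < len(rows),
                           "totalRecords": len(rows)}}

def fetch_all_issues(issue_list, release, filters_param=None):
    """Follow pagination.hasMore with pagination-offset until hasMore is false
    or totalRecords is reached, as the Pagination guidance describes."""
    items, offset = [], 0
    while True:
        resp = issue_list(release, filters_param=filters_param,
                          pagination_offset=offset)
        items.extend(resp["items"])
        offset += len(resp["items"])
        pg = resp["pagination"]
        # Empty page guards against a server that keeps reporting hasMore.
        if not resp["items"] or not pg["hasMore"] or offset >= pg["totalRecords"]:
            return items

def summarize(issues, group_by="severityString"):
    """Client-side aggregation for "how many / breakdown by severity" requests."""
    return dict(Counter(issue[group_by] for issue in issues))

if __name__ == "__main__":
    issues = fetch_all_issues(fake_issue_list, "MyApp:MyRelease")
    print(summarize(issues), summarize(issues, "category"))
    critical = fetch_all_issues(fake_issue_list, "MyApp:MyRelease", "severityString:Critical")
    print(len(critical), "critical issues")
```

With the real tool, `fake_issue_list` is replaced by a wrapper that passes `--fod-session`, `--release` and `--filters-param` through to `fcli_fod_issue_list`; the paging and aggregation logic stays the same.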
Error Recovery
| Error | Recovery |
|---|---|
| "Session expired" | Refer to flow in Authentication section |
| "Release not found" | Run release_list to discover correct names (see Finding Releases) |
| "Scan not configured" | Ask user for scan settings and run *_scan_setup |
| "Package required" | Run fcli_fod_action_package to package source code |
Decision Tree: Choosing the Right Approach
| User Intent | Action |
|---|---|
| "run SAST scan" / "static analysis" | Check config → ask settings → package → sast_scan_start (see SAST Workflow) |
| "run SCA scan" / "open source scan" | Package → oss_scan_start (see SCA Workflow) |
| "run DAST scan" / "dynamic scan" | Check config → ask settings → dast_scan_start (see DAST Workflow) |
| "list/show vulnerabilities" | issue_list with --filters-param + --embed details,recommendations |
| "how many / count / summary" | issue_list and aggregate results client-side |
| "find release / which release" | release_list → release_get (see Finding Releases) |
| "show recommendations / how to fix" | issue_list with --embed recommendations,history → prioritize Aviator (see Remediation) |
Best Practices
DO:
- ✅ Always verify authentication before operations
- ✅ Check scan configuration before starting SAST scans
- ✅ Always ask the user for SAST scan settings (language, build tool, framework)
- ✅ Use the `--oss` flag in `sast_scan_setup` to enable Open Source Analysis in SAST scans
- ✅ Use `--filters-param` for server-side filtering
- ✅ Use `--embed` to include details, recommendations, and history
- ✅ Prioritize Fortify Aviator code fix suggestions in remediation
- ✅ Use MCP tools over the FCLI CLI directly
- ✅ Monitor long-running scans with `*_scan_wait_for`
DO NOT:
- ❌ Guess release names; always discover them with `release_list` if uncertain
- ❌ Infer SAST scan settings from the workspace; always ask the user
- ❌ Skip SAST scan configuration validation
- ❌ Prompt the user for credentials; ask the user to run `fcli fod session login` locally
- ❌ Start scans without confirming settings with the user
- ❌ Package source code for DAST scans (not needed)
References
Example Workflows
| Workflow | Use When User Says... |
|---|---|
| Run SAST Scan | "run SAST scan", "static analysis", "scan source code", "check for code vulnerabilities" |
| Run SCA Scan | "run SCA scan", "open source scan", "check dependencies", "OSS vulnerabilities", "software composition analysis" |
| Run DAST Scan | "run DAST scan", "dynamic scan", "test running application", "web application security test" |
| List and Filter Vulnerabilities | "list vulnerabilities", "show security issues", "filter issues by severity", "critical vulnerabilities" |
| Find Release | "find release", "which release", "list releases", "search for application" |
| Vulnerability Summary | "count vulnerabilities", "show summary", "breakdown by severity", "how many issues" |
| Remediation Workflow | "show recommendations", "how to fix", "remediation advice", "Aviator suggestions", "code fixes" |