How to run Fortify Static Code Analyzer for .NET Code

Fortify is a set of software security analyzers that search for violations of security-specific coding rules and guidelines in a variety of languages. It finds security issues early in the development cycle.

Below are the steps to run a Fortify scan for .NET code.

1. Remove all temporary files created by the analyzer so that you have a clean environment ready to scan the project.

sourceanalyzer -b "BuildId" -clean

2. Rebuild the solution with debug. This translates the code into an intermediate file, which will be used later.

sourceanalyzer -b "BuildId" -debug -logfile "FortifyScan_Translate.log" "C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\Common7\IDE\devenv.exe" "SolutionFileName.sln" /out "devenv_out_build.log" /log "devenv_log_build.log" /Rebuild Debug

3. Analyze the project code and produce the results file (FPR) with all security findings

sourceanalyzer -b "BuildId" -scan -f "BuildId_ApplicationName.fpr"

4. Show all the files that are included in the scan

sourceanalyzer -b "BuildId" -show-files

5. Export the report to PDF format

ReportGenerator -Xmx12G -format pdf -f "BuildId_ApplicationName.pdf" -source "BuildId_ApplicationName.fpr" -template DeveloperWorkbook.xml

6. This step is optional. It uploads the report to the Fortify portal if you have one.

fortifyclient -url FortifyPortalUrl -authtoken authToken uploadFPR -file "BuildId_ApplicationName.fpr" -project "ProjectName" -version "VersionNumber"


If Fortify is unable to scan the project code (step 3), you may see the error below.

[error]: Unable to load build session with ID " ". See log file for more details.
Process exited with code 1

You may also see the log entry below in the translate.log file. It means Fortify is unable to scan your project code.

Thread-23 FINE]
Nothing to store.
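
The failure above is easier to catch before the scan starts. The PowerShell wrapper below is an added example, not part of the original post or of Fortify itself: it runs steps 1 to 3, stops on any non-zero exit code, and moves the step 4 file listing ahead of the scan as a gate. It assumes sourceanalyzer is on PATH and that -show-files prints one file path per line; the build ID, solution and file names are the placeholders used in the steps.

```powershell
# Added example: placeholder names come from the steps above; adjust to your project.
$BuildId  = 'BuildId'
$Solution = 'SolutionFileName.sln'
$Devenv   = 'C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\Common7\IDE\devenv.exe'
$TransLog = 'FortifyScan_Translate.log'
$Fpr      = "${BuildId}_ApplicationName.fpr"

# Run one native command and stop the pipeline if it exits non-zero.
function Invoke-Step {
    param([string]$Name, [scriptblock]$Command)
    Write-Host "== $Name"
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$Name failed with exit code $LASTEXITCODE" }
}

# Steps 1 and 2: clean the build session, then rebuild and translate.
Invoke-Step 'clean' { sourceanalyzer -b $BuildId -clean }
Invoke-Step 'translate' {
    sourceanalyzer -b $BuildId -debug -logfile $TransLog $Devenv $Solution `
        /out devenv_out_build.log /log devenv_log_build.log /Rebuild Debug
}

# Gate (step 4 run before step 3): count the files held in the build session.
# Assumption: -show-files prints one path per line; anything else is ignored.
$listed = @(sourceanalyzer -b $BuildId -show-files)
$files  = @($listed | Where-Object {
    $_.Trim() -and (Test-Path -LiteralPath $_.Trim() -ErrorAction SilentlyContinue)
})

# The translate log entry the post associates with an unscannable project.
$empty = Select-String -Path $TransLog -SimpleMatch 'Nothing to store' `
    -Quiet -ErrorAction SilentlyContinue

if ($files.Count -eq 0) {
    $hint = if ($empty) { " and $TransLog contains 'Nothing to store'" } else { '' }
    throw "Build session '$BuildId' holds no translated files$hint; fix the translate step before scanning."
}
if ($empty) {
    Write-Warning "'Nothing to store' appears in $TransLog; check that every project was translated."
}
Write-Host "$($files.Count) files translated for build session '$BuildId'"

# Step 3: scan only once the build session is known to contain source files.
Invoke-Step 'scan' { sourceanalyzer -b $BuildId -scan -f $Fpr }
```

In a CI job this turns an empty translation into a failed build instead of a missing or empty FPR that could be mistaken for a clean result.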


Hope this helps!


