Run Fortify from Maven

Installing Fortify SCM Maven Plugin

sca-maven-plugin supports Maven 3.0.5, 3.5.x And 3.6.x


This document is only viable if you already have Fortify installed for running with the Scan Wizard and Audit workbench.

  1. From: C:\Program Files\Fortify\Fortify_SCA_and_Apps_20.1.0\plugins\maven or wherever you installed Fortify

  2. Copy: (poor success with the binary zip, choose the source (src) zip file)

  3. To: Your Desktop & Extract the ZIP’ed Folder (these steps are because windows environments will not allow you to extract a zip outside your User Directory.)

  4. If you have maven installed on your computer you can open a command prompt, cd to the extracted folder and run:mvn clean install. Done!

  5. Extra step: You can check your .M2 folder to verify that it has been added.

Extra step: You can now delete the zip folder and the extracted folder, it is no longer needed.

POM modifications to run Fortify Scan

  1. Add to properties (copy and paste):


This will allow the date of the report to be appended to the end of the name so the name is formatted with the date at the end and follow Spin’s Fortify naming convention: [Interface]_MMddyyy

Example: MedLog_09222021

  1. Add a new profile (copy and paste):




Running New Fortify Scanning Profile

  1. Create a new Maven run configuration with the base directory being the project you are setting up and Goals, clean integration-test, and Profile, fortify-sca, like below for each project that has the POM modified .

  2. Run the configuration

  3. When the build finishes you will have to refresh the target directory of your project and will see a new folder called Fortify. The report will be there too.

  1. Double click on the report with the file extension .fpr will open the Audit Work Bench.

Additional Information:

Fortify Documentation – System Operating Environment

sca-maven-plugin supports Maven 3.0.5 and 3.5.x.

Documentation may be old. Adam Erickson has confirmed that it will work with Maven 3.6.3

Fortify Documentation – System Requirement

Maven is designed to download plugins and it’s triggered by a project declaring a dependency that is not present in the local repository.

Therefore, Maven needs to access the Maven central repository or other mirrors.


must match the installed fortify version or it will fail to build


is the java version, change to your build version

<!– **\*.js,**\*.sql,**\*.jsp –>

If uncommented, any file you add here with a comma will be excluded from the scan


Change to the name of your project\interface

C:\Program Files\Fortify\Fortify_SCA_and_Apps_20.1.0\Core\config

This directory contains properties files that can be used to ignore file extensions in “”. You can skip external libraries in “”.

* There are many options but proceed at your own risk

After this is running well and creating the report in the target directory. You can move it to any directory you wish by adding this plugin and adding validate to the maven goals:

								<!-- here the phase you need -->

About Adam M. Erickson

Geek, Dad, Life-Student, Biker & DIY Enthusiast Application Developer Attended Ferris State University Lives in Muskegon, MI
Bookmark the permalink.

Comments are closed.