By fortify
OpenText Fortify AppSec skills. Use for SAST/DAST/SCA scanning, vulnerability triage, audit workflows, CI/CD pipeline integration, and FCLI commands. Supports Fortify on Demand (FoD) and Software Security Center (SSC).
Generic reference for the Fortify CLI (fcli). Install, upgrade, authenticate, fcli environment variables, output formats, SpEL query syntax, variable chaining and custom action framework.
Lightweight, AI-powered security review of code CHANGES (a diff, PR, or in-session edits) using the agent's own analysis — no Fortify scan engine or platform needed. Use when the user asks to "run a Fortify security review" / "Fortify change review", or when adding/modifying code touching authentication, authorization, input handling, output encoding, data access, file operations, outbound HTTP, deserialization, cryptography, transport security, XML parsing, logging, LLM/agent logic, or IaC (AWS, Azure, GCP, Terraform, Kubernetes, Helm). NOT for full SAST/DAST/SCA scans or triaging issues already found by FoD/SSC (use fortify-fod / fortify-ssc).
Integrate Fortify application security (SAST, SCA, DAST) with GitHub Actions, GitLab Pipelines, Azure DevOps, Jenkins & other CICD/DevSecOps pipelines.
Create new Fortify application(s) in Fortify on Demand (FoD) or Application Security Center (SSC).
Perform dependency upgrade impact assessment, code fixes, and migration work. Use to remediate Fortify SCA / open source / software composition analysis findings — vulnerable third-party dependencies, CVEs/GHSAs, components flagged by FoD or SSC — by upgrading to a safe version and fixing any resulting breakage. Also use when the user asks what will break after a version change, hits compile/test failures, needs code fixed for compatibility, needs help resolving dependency conflicts, or fixing breaking changes from direct or transitive dependency updates, including framework version changes that affect starters, plugins, annotations, configs, or imports. (For SAST/DAST code findings, use fortify-remediate instead.) Covers npm/yarn, Maven/Gradle, pip/poetry, Go modules, Cargo, Bundler, Composer, NuGet, C++ (CMake/Conan/vcpkg), iOS/macOS (CocoaPods/SPM/Carthage), and Scala (sbt/Mill).
Own this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimOwn this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimBased on adoption, maintenance, documentation, and repository signals. Not a security audit or endorsement.
AI agent skills that teach Claude, GitHub Copilot and other AI agents how to use OpenText Fortify effectively — covering SAST/DAST/SCA scanning, vulnerability triage, audit workflows, CI/CD integration, FCLI commands and more.
| Skill | Description |
|---|---|
| fortify-fod | Fortify on Demand (SaaS) — applications, releases, scans, issues, OSS analysis, portfolio reporting |
| fortify-ssc | Software Security Center (on-premise) — manage application versions, artifacts, scan jobs, issue triage |
| fortify-remediate | Fix SAST and DAST vulnerabilities detected by Fortify; Aviator AI remediation |
| fortify-dependency-upgrade | Remediate SCA / open source findings (vulnerable dependencies, CVEs) by upgrading versions and fixing resulting breakage |
| fortify-change-review | Detect common, high impact security issues in code as it is being generated |
| fortify-create-app | Create new Fortify applications in FoD or SSC — guided onboarding with validation and defaults |
| fortify-cicd-integration | Add Fortify scanning to CI/CD pipelines — GitHub Actions, GitLab CI, Azure DevOps, Jenkins |
| fcli-common | Fortify CLI (fcli) — installation, authentication, output formats, SpEL queries, custom actions |
Agents are multi-skill orchestrators that handle end-to-end workflows.
| Agent | Description |
|---|---|
| fortify-onboarding | Onboard new applications into Fortify (FoD or SSC) — creates the app, configures settings, and optionally sets up CI/CD scanning pipelines. Handles single repos, bulk lists, or entire GitHub/GitLab/Azure DevOps organizations |
Add the marketplace from GitHub, then install the plugin:
claude plugin marketplace add fortify/skills
claude plugin install fortify-skills@fortify
The plugin registers all nine skills and the onboarding agent automatically.
Recommended: install the Fortify Code Security VS Code extension. It bundles all Fortify skills, can automatically install fcli, and adds full IDE integration (scanning, vulnerability review, Aviator AI remediation, and an optional fcli MCP server):
ext install fortifyvsts.fortify-code-security
Alternative: manual install. Copy the skills to your Copilot skills directory:
<user>/.copilot/skills/
This gives you the skills without the IDE features (scanning UI, vulnerability browser, Aviator inline fixes, MCP server).
This repository includes a marketplace catalog at .agents/plugins/marketplace.json. When the repo is your current workspace, Codex discovers it automatically as a repo-scoped marketplace. Open the plugin directory, select OpenText Fortify, and install fortify-skills.
To make the plugin available across all workspaces, add an entry to your personal marketplace at ~/.agents/plugins/marketplace.json (create the file if it doesn't exist), replacing <path> with the absolute path to this directory:
{
"name": "fortify",
"interface": { "displayName": "OpenText Fortify" },
"plugins": [
{
"name": "fortify-skills",
"source": { "source": "local", "path": "<path>" },
"policy": { "installation": "AVAILABLE", "authentication": "ON_INSTALL" },
"category": "Security"
}
]
}
Then restart Codex. The plugin registers all nine skills automatically.
Install directly from the GitHub repository:
gemini extensions install https://github.com/fortify/skills
The extension bundles all nine skills. Gemini CLI auto-discovers them and activates whichever skill is relevant to your task.
To test locally before publishing:
gemini extensions link /path/to/public
Any assistant that supports the Agent Skills standard can load skills from this directory. Point your assistant's skill path to the skills/ subdirectory.
Once installed, the skills activate automatically when relevant. Examples of prompts that trigger each skill:
npx claudepluginhub fortify/skills --plugin fortify-skillsAikido Security for Claude Code: scan code (SAST, secrets, IaC) and list all issues from your Aikido feed powered by the Aikido MCP server.
Security scanning, dependency CVE audits, and exposure-aware risk prioritization.
Agentic-Security is a powerful Claude Code plugin that automatically performs Application Security Testing (SAST, SCA, secrets detection, and more). Think of it as the easy button for making your Claude-generated code safe and secure.
SAST analysis, dependency vulnerability scanning, OWASP Top 10 compliance, container security scanning, and automated security hardening
Comprehensive vulnerability scanning for code, dependencies, and configurations with CVE detection
Implements automated security scanning for dependencies, code, and containers using tools like Trivy, Snyk, and npm audit. Use when setting up CI/CD security gates, conducting pre-deployment audits, or meeting compliance requirements.