From fortify
Automatically integrates Fortify application security (SAST, SCA, DAST) into CI/CD pipelines like GitHub Actions, GitLab, Azure DevOps, and Jenkins by detecting the platform and build tooling, then generating the appropriate configuration.
How this skill is triggered — by the user, by Claude, or both
Slash command
/fortify:fortify-cicd-integrationThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Before asking the user anything or generating output, inspect the repository to determine context automatically.
Before asking the user anything or generating output, inspect the repository to determine context automatically.
Look for these platform-specific files (check root and common subdirectories):
| Path / file | Platform |
|---|---|
.github/workflows/*.yml | GitHub Actions |
.gitlab-ci.yml | GitLab CI |
azure-pipelines.yml | Azure DevOps |
Jenkinsfile | Jenkins |
bitbucket-pipelines.yml | Bitbucket Pipelines → generic fcli ci |
.travis.yml | Travis CI → generic fcli ci |
.circleci/config.yml | CircleCI → generic fcli ci |
teamcity-settings.kts or .teamcity/ | TeamCity → generic fcli ci |
.buildkite/pipeline.yml | Buildkite → generic fcli ci |
bamboo-specs/ | Bamboo → generic fcli ci |
If multiple are present, note all of them and generate for whichever the user's request implies (or ask if ambiguous).
If no known platform file is found, use the generic fcli ci action approach — see references/generic-ci-ssc.md for the SSC case or references/generic-ci-fod.md for the FoD case.
Check in this priority order:
requirements.txt, pom.xml, build.gradle, package.json, *.csproj, go.mod, etc. to identify the language and build tooling required. Ensure the generated Fortify workflow includes any setup steps needed to successfully build the project with that toolchain. Refer to the platform-specific guidance file for the correct setup action/step syntax.Search for any existing Fortify-related files (fortify.yml, fod.yaml, files containing fortify/github-action, fcli, FOD_, SSC_) to understand whether Fortify is already partially configured and what credentials/variables are already referenced.
If you are still not sure whether the user wants to integra with FoD or SSC, check if there is an active fcli session for either platform.
fcli fod session ls --query "expired=='No'"
fcli ssc session ls --query "expired=='No'"
After investigation, ask the user only for information that cannot be inferred from the repository or user prompt:
| Region | URL |
|---|---|
| US (default) | https://ams.fortify.com |
| EMEA | https://emea.fortify.com |
| EU | https://eu.fortify.com |
| APAC | https://apac.fortify.com |
| SGP | https://sgp.fortify.com |
DO_CHECK_POLICY) and PR/MR comments (DO_PR_COMMENT) are disabled by default. Ask the user if they want to review and customize these optional features.Before writing any workflow file, present a concise pre-generation summary and wait for the user to confirm:
CI/CD platform: [e.g., GitHub Actions]
Fortify deployment: [FoD / SSC]
Build toolchain: [e.g., Maven 3.9 / Node.js 20 / .NET 8]
Existing Fortify config: [none / partially configured — describe]
Output file: [e.g., .github/workflows/fortify.yml]
Scan types: [SAST / SAST + SCA]
Optional features: Aviator [on/off] · Policy check [on/off] · PR comments [on/off]
Auth method: [FoD PAT / FoD API key / SSC token]
Then ask: "Does this look right? Shall I generate the workflow?"
Do NOT generate or write the workflow file until the user confirms. If any item above is still unknown after Step 1 and Step 2, resolve it before presenting this summary.
@v3) for a balance of stability and automatic patch updates.Load the appropriate reference file for the detected platform and Fortify deployment before generating any workflow content. These reference files contain the exact environment variables, configuration options, and best practices for that specific integration.
| Platform | Fortify Deployment | Reference |
|---|---|---|
| GitHub Actions | FoD | references/github-fod.md |
| GitHub Actions | SSC | references/github-ssc.md |
| GitLab CI | FoD | references/gitlab-fod.md |
| GitLab CI | SSC | references/gitlab-ssc.md |
| Azure DevOps | FoD or SSC | references/azure-devops.md |
| Jenkins | FoD or SSC | references/jenkins.md |
For any other platform (Bitbucket Pipelines, Travis CI, CircleCI, TeamCity, Buildkite, Bamboo, etc.) should load:
references/generic-ci-fod.mdreferences/generic-ci-ssc.mdAfter delivering the workflow file, confirm with the user:
FOD_TENANT, FOD_USER, FOD_PAT for FoD PAT auth; FOD_CLIENT_ID, FOD_CLIENT_SECRET for FoD API key auth; or SSC_TOKEN, SC_SAST_TOKEN for SSC)FOD_URL / SSC_URL configured as a repository/pipeline variable (not secret)npx claudepluginhub fortify/skills --plugin fortify-skillsIntegrates DevSecOps security into CI/CD pipelines: SAST (Semgrep, CodeQL), DAST/SCA, secret scanning, container scans (Trivy, Snyk), and security gates for shift-left controls.
Runs SAST, DAST, SCA, and secrets scanning on every commit to catch vulnerabilities before production. Automates security gates for CI/CD pipelines.
Integrates SAST (Semgrep), DAST (OWASP ZAP), SCA/container scanning (Trivy), and secrets detection (Gitleaks) into CI/CD pipelines using GitHub Actions, GitLab CI, or Jenkins. For DevSecOps setup and shift-left security.