fortify-guard

Sushant121280 | 17 installs | (1) | Free
Pre-commit security scanner with Fortify-style rules and AI explanations
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

Fortify Guard

Fortify Guard is a developer-first security scanner for frontend applications that detects Fortify-style vulnerabilities in changed code before you commit or push.

It helps teams catch common security issues early, reduce Fortify scan noise, manage baselines, and fix problems directly inside VS Code.


✨ Key Features

  • 🔍 Scan only changed code (git diff based — fast and focused)

  • 🛡️ Detect common Fortify categories:

    • Cross-Site Scripting (DOM)
    • Cross-Site Request Forgery (CSRF)
    • Insecure Randomness
    • Open Redirect
    • Header Manipulation
    • Password Management issues
    • System Information Leak
    • Hardcoded Domain
    • Resource Injection
    • Setting Manipulation
  • 📌 Baseline support

    • Ignore accepted / legacy issues
    • Remove issues from baseline later
  • 🧠 AI-powered explanations (optional)

    • Explains why the issue is dangerous
    • Gives short, precise recommended fixes
    • Detects likely false positives
  • 📄 Exportable reports

    • JSON format
    • HTML format (human readable)

🚀 Getting Started

1️⃣ Install the Extension

From VS Code:

  1. Open Extensions (Ctrl + Shift + X)
  2. Search for Fortify Guard
  3. Click Install

Or install internally from a VSIX file:

Extensions → Install from VSIX

2️⃣ Run a Scan

  1. Open a Git repository with some modified or new files
  2. Open Command Palette (Ctrl + Shift + P)
  3. Run:
Fortify Guard: Scan Changed Code

The extension will:

  • Scan only modified and new files
  • Group issues by file
  • Show severity and confidence

Click any issue to:

  • Jump to the exact line in the file
  • See why it is dangerous
  • See the recommended fix
  • Add or remove it from baseline

🧠 AI Explanations (Optional)

Fortify Guard can use OpenAI to explain vulnerabilities and suggest fixes.

This feature is:

  • Manual (only when you click)
  • Opt-in
  • Safe for internal usage

Code is sent to OpenAI only when you click:

🧠 Explain with AI

No background uploads or automatic sharing occurs.


🔑 Configure OpenAI API Key

To enable AI explanations, you must configure your OpenAI API key.


Option 1 — Through VS Code Settings UI (Recommended)

  1. Open VS Code Settings
  2. Search for:
Fortify Guard OpenAI Key
  3. Paste your OpenAI API key
  4. Restart VS Code

Option 2 — Manually in settings.json

Open:

File → Preferences → Settings → Open Settings (JSON)

Add:

{
  "fortifyGuard.openaiApiKey": "YOUR_OPENAI_API_KEY"
}

Restart VS Code.


If No API Key Is Configured

  • Scanning works normally
  • Baseline works normally
  • Export works normally
  • AI button will show an error message

📌 Baseline Support

Baseline allows you to ignore known or accepted issues so they do not appear in future scans.

Baseline is stored per project in:

fortify.baseline.json

This file is created automatically in your workspace root.


Add an Issue to Baseline

  1. Click on an issue in the scan result
  2. Click:
🚫 Add to Baseline

That issue will be ignored in future scans.


Remove an Issue from Baseline

  1. Click a baselined issue
  2. Click:
❌ Remove from Baseline

The issue will appear again in future scans.

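As an added illustration (not the extension's own code; the page does not publish its rules or baseline format), the following JavaScript sketches the scan-and-baseline workflow described above: keep only the lines a git diff adds, run a couple of Fortify-style rules over them, and suppress any finding whose fingerprint is in a baseline list. The rule regexes, the fingerprint scheme and the sample diff are constructed assumptions.

```javascript
// Added example, not the extension's code; rules, fingerprint scheme and sample diff are constructed.

// Two of the categories the extension lists, each with an illustrative regex.
const RULES = [
  { category: "Cross-Site Scripting (DOM)", severity: "High",
    pattern: /\.innerHTML\s*=[^=]/, fix: "Assign textContent or sanitize the HTML first." },
  { category: "Insecure Randomness", severity: "Medium",
    pattern: /\bMath\.random\s*\(/, fix: "Use crypto.getRandomValues() for security-relevant values." },
];

// Walk a unified diff and keep only added lines, tracking their new-file line numbers.
function addedLines(diff) {
  const out = []; let file = null, line = 0;
  for (const raw of diff.split("\n")) {
    if (raw.startsWith("+++ ")) { file = raw.slice(4).replace(/^b\//, ""); continue; }
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)/.exec(raw);
    if (hunk) { line = Number(hunk[1]); continue; }
    if (raw.startsWith("-") || raw.startsWith("\\")) continue; // removed lines, "\ No newline" marker
    if (raw.startsWith("+")) out.push({ file, line, text: raw.slice(1) });
    line += 1; // context and added lines both occupy a line in the new file
  }
  return out;
}

// Baseline key: file + category + trimmed source text, so an accepted finding survives line shifts.
function fingerprint(issue) {
  return `${issue.file}|${issue.category}|${issue.text.trim()}`;
}

// Scan added lines against RULES; drop anything already accepted in the baseline.
function scanDiff(diff, baseline = []) {
  const ignored = new Set(baseline);
  const issues = [];
  for (const added of addedLines(diff)) {
    for (const rule of RULES) {
      if (!rule.pattern.test(added.text)) continue;
      const issue = { ...added, category: rule.category, severity: rule.severity, fix: rule.fix };
      issue.id = fingerprint(issue);
      if (!ignored.has(issue.id)) issues.push(issue);
    }
  }
  return issues;
}

// Constructed sample diff: one DOM XSS and one insecure-randomness finding in a single hunk.
const SAMPLE_DIFF = [
  "diff --git a/src/app.js b/src/app.js", "--- a/src/app.js", "+++ b/src/app.js", "@@ -10,3 +10,5 @@",
  " function render(el, user) {", "+  el.innerHTML = user.bio;",
  "+  const token = Math.random().toString(36);", "   return token;", " }",
].join("\n");
```

Calling `scanDiff(SAMPLE_DIFF)` reports both added lines; passing the first finding's `id` as the baseline, as "Add to Baseline" would, leaves only the randomness finding.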

📤 Export Reports

Click Export Report in the Fortify Guard panel.

Two files will be generated in your workspace root:

  • fortify-guard-report.json
  • fortify-guard-report.html

Reports include:

  • Summary (High / Medium / Low counts)
  • Files with issues
  • Line numbers
  • Category, severity, explanation, and fix

These reports can be:

  • Attached to JIRA tickets
  • Shared with AppSec teams
  • Used for audit or compliance

🛠️ Supported Technologies

Fortify Guard works best with:

  • Angular
  • React
  • Vanilla JavaScript / TypeScript

Supported file types:

  • .ts
  • .js
  • .tsx
  • .jsx
  • .html
  • Dockerfile

⚠️ Limitations

  • This is a rule-based scanner, not a full Fortify replacement
  • Only scans changed and new code
  • Does not scan backend languages
  • AI explanations depend on OpenAI availability and API limits

🔒 Privacy & Security

  • All scanning runs locally on your machine
  • No background uploads occur
  • Code is sent to OpenAI only when you click “Explain with AI”
  • API keys are stored securely in VS Code settings
  • No telemetry, analytics, or tracking

🏢 Intended Usage

Fortify Guard is designed for:

  • Enterprise frontend teams
  • Pre-commit security workflows
  • Reducing Fortify false positives
  • Developer-first AppSec tooling

This tool is ideal for:

  • Catching issues early
  • Reducing CI Fortify failures
  • Educating developers with inline security guidance

🐞 Troubleshooting

Scan shows no results

  • Make sure the folder is a Git repository
  • Make sure you have modified or new files
  • Run git status to confirm changes exist

AI button shows error

  • Check that fortifyGuard.openaiApiKey is set
  • Restart VS Code after setting the key
  • Verify the API key is valid

Baseline not working

  • Check that fortify.baseline.json exists in workspace root
  • Make sure file paths match correctly

🐞 Support & Feedback

This is an internal enterprise security tool.

Contact your security or tooling team for:

  • Bug reports
  • Feature requests
  • Rule additions
  • AI tuning

📄 License

Internal enterprise usage only.
