Fortify Code Security

Fortify | 5 installs | (0) | Free
Fortify Code Security Extension for Visual Studio Code enables developers to identify and remediate security issues in real time, directly within the editor. Run local SAST scans using Fortify Static Code Analyzer, submit remote scans through Fortify ScanCentral SAST, or upload projects to Fortify o
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

Fortify Code Security for Visual Studio Code

Fortify Code Security helps developers find and fix security issues where they code by bringing the full power of OpenText Fortify Application Security Testing directly into their VS Code development environment and the agentic coding workflow.

Perform SAST and SCA with Fortify on Demand, submit remote scans via Fortify ScanCentral SAST, or run local SAST scans with Fortify SAST (Static Code Analyzer) — all powered by the Fortify CLI (fcli). Developers can view, audit and collaborate on vulnerabilities directly in the editor, including direct navigation to the affected line of code and access to Fortify Remediation Aviator for contextual explanations, guidance and suggested code fixes. The extension also bundles Fortify Agent Skills, which teach AI coding assistants (GitHub Copilot, Claude Code, Gemini CLI, and more) how to run scans, query findings, and autonomously remediate vulnerabilities on your behalf — with an optional local fcli MCP server for deeper, programmatic AI agent integration.

With Fortify Code Security, you can produce secure code at scale, keeping your focus on building features — not chasing vulnerabilities.


Features

Application Security Testing

Static Application Security Testing (SAST)

Scan your source code for security vulnerabilities using Fortify's industry-leading SAST engine — whichever deployment model fits your environment:

  • Fortify on Demand — Submit SAST scan requests to OpenText's cloud-based security testing platform. Ideal for teams that want a fully managed scanning service with no on-premise infrastructure.
  • Fortify ScanCentral SAST — For on-premise or private cloud customers, submit scan packages to your organization's ScanCentral SAST infrastructure for enterprise-scale, centralized analysis.
  • Local scans with Fortify Static Code Analyzer — Run translation and analysis directly on your local machine, keeping code entirely within your environment or handling complex translation scenarios.

Software Composition Analysis (SCA)

Identify vulnerabilities in your open source dependencies with Fortify SCA via Fortify on Demand. Run SCA as a standalone scan to get a full picture of your open source risk, or combine it with a SAST scan to cover both first-party and third-party vulnerabilities in a single workflow.

Dynamic Application Security Testing (DAST)

Trigger a DAST scan of your running application against a pre-configured scan target using Fortify on Demand or ScanCentral DAST — directly from the extension via the fcli integration or through your AI coding assistant.


Results Review & Vulnerability Triage

Connect to Fortify on Demand (FoD) or Fortify Application Security Center (SSC) to review scan results and perform vulnerability auditing — all without leaving VS Code.

  • Browse and filter vulnerabilities by severity, category, status, and more
  • View detailed finding information including data flow traces and analysis notes
  • Audit findings by setting analysis tags (e.g., Exploitable, Not an Issue, Reliability Issue)
  • Add comments and suppression notes to findings
  • Navigate directly from a finding to the vulnerable line of code in your editor
  • Synchronize audit decisions back to SSC or FoD in real time

AI-Powered Remediation with Fortify Aviator for Vulnerability Remediation

Accelerate vulnerability remediation with Fortify Aviator for Vulnerability Remediation (Fortify Aviator), OpenText's AI-powered security guidance engine.

  • Receive detailed, context-aware remediation advice for each identified vulnerability
  • Understand the root cause and attack vectors associated with a finding
  • Get step-by-step fix recommendations tailored to your specific code and language
  • Automatically apply AI-suggested code fixes directly within the editor
  • Reduce mean time to remediation (MTTR) with intelligent, actionable guidance

AI Agent Integration

Fortify Code Security extends AppSec capabilities to the AI-native developer workflow, letting AI coding assistants interact with Fortify directly on your behalf — running scans, querying results, auditing findings, and generating fixes — without you having to leave the conversation.

Fortify Skills for AI Coding Assistants

The extension bundles the OpenText Fortify Skills — a set of domain-specific AI agent skills that teach your AI coding assistant how to use Fortify effectively via the command line. Once installed, these skills activate automatically when you ask security-related questions or issue Fortify-related commands in your AI assistant of choice.

The following skills are included:

Skill | What it enables
fortify-fod | Manage Fortify on Demand applications, releases, and scans; triage issues; run OSS analysis; generate portfolio reports
fortify-ssc | Manage SSC application versions, artifacts, and scan jobs; perform issue triage and audit workflows
fortify-remediate | Fix vulnerabilities detected by Fortify SAST, DAST, and SCA; leverage Fortify Aviator AI remediation guidance
fortify-cicd-integration | Add Fortify scanning to CI/CD pipelines across GitHub Actions, GitLab CI, Azure DevOps, and Jenkins
fcli-common | Install and configure fcli; manage sessions; use SpEL queries; build custom fcli actions

Supported AI assistants: GitHub Copilot, Claude Code, OpenAI Codex, Gemini CLI, Cursor, and any assistant that supports the Agent Skills standard.

Example prompts that activate the skills:

  • "Show me all critical issues in the payment-service release" → fortify-fod
  • "Fix the SQL Injection findings in UserService.java" → fortify-remediate
  • "Upload my FPR and check policy compliance against SSC" → fortify-ssc
  • "Add Fortify scanning to my GitHub Actions workflow" → fortify-cicd-integration
  • "Create a custom fcli action to export FoD critical issues as CSV" → fortify-fod + fcli-common

fcli MCP Server

For assistants that support the Model Context Protocol, the extension can also start and manage the fcli MCP server, which exposes Fortify capabilities as a structured set of typed MCP tools. Note that the Fortify Agent Skills described above use fcli directly as a CLI tool — they do not require or use MCP. The MCP server is a complementary option for assistants or workflows that prefer a programmatic tool interface over CLI-based skills.

  • Exposes fcli product modules (SSC, FoD, ScanCentral SAST) as typed MCP tools accessible to any MCP-compatible AI agent
  • Connects to AI coding assistants in VS Code (GitHub Copilot Agent Mode, Claude, Cursor, etc.) via the MCP stdio transport
  • The extension handles MCP server lifecycle — start, stop, and session management

Requirements

  • Fortify CLI (fcli) v3.18+ — The extension uses fcli as its underlying engine to interact with Fortify products. fcli must be installed and accessible on your system PATH. See fcli Installation for setup instructions. The extension can automatically install the latest version of fcli on machines with internet access.
  • Active Fortify subscription or license — Required to use scanning, results review, and remediation features. This may include Fortify on Demand, Fortify SSC, ScanCentral SAST/DAST, Fortify Static Code Analyzer, and/or Fortify Aviator for Vulnerability Remediation, depending on the features you intend to use.
  • AI assistant (optional) — Required to use AI agent integration features. Compatible with GitHub Copilot (Agent Mode), Claude Code, OpenAI Codex, Gemini CLI, Cursor, and any assistant that supports the Agent Skills standard or the Model Context Protocol.

Feedback & Support

  • Fortify on Demand documentation: Fortify on Demand
  • Fortify SSC & ScanCentral SAST documentation: Fortify Software Security Center
  • fcli documentation: Fortify CLI (fcli) v3
  • Fortify Skills (AI agent integration): github.com/fortify/skills
  • OpenText Support: Contact your OpenText Customer Manager or visit the Fortify Support Portal