Build secure software fast. Find security issues early and fix at the speed of DevOps.




Debian Stretch

Supported Languages

C C++ Java JavaScript PHP Python Ruby TypeScript

Official Documentation

YAML Configuration


  • input:

    Patterns to include in execution and reports.

  • ignore:

    Patterns to exclude from execution and reports.

  • auto-fix:


  • config-file:


  • machine:

    • cpu:

      Amount of CPU. The default machine has 0.75 CPU with 2880 MiB RAM.

  • options:

    Below is the list of options that are supported:

     -encoding <encoding-name>   Specifies the source file encoding.
                                 Default value is the platform default.
     -exclude <file-specifier>   Excludes any files matched by <file-specifier>
                                 from the set of files to translate
    Java-specific Build Options
    These options should be used in conjunction with file specification options.
     -classpath <classpath>      Uses the specified classpath value for Java
     -cp <classpath>             builds.
     -extdirs                    Accepts a colon or semicolon separated list
                                 of directories.  Any jar files found in
                                 these directories are included on the
                                 classpath. Equivalent to the -extdirs option
                                 to javac.
     -sourcepath                 Specifies the location of source files which will
                                 not be included in the scan but will be used for
                                 name resolution. Equivalent to the -sourcepath
                                 option to javac.
                                 The sourcepath is like classpath, except it uses
                                 source files rather than class files for
     -source <value>             Indicates which version of the Java language the
     -jdk <value>                Java code adheres to.  Valid values are 1.5,
                                 1.6, 1.7, 1.8, 1.9, 5, 6, 7, 8, and 9.  Default
                                 is "1.8".
     -java-build-dir <dir>       Used to specify one or more directories to which
                                 Java sources are being compiled. May also be
                                 specified at scan time.
    Scan Options
     -bin <binary>               All source files compiled and linked into the
                                 specified binary are scanned.  Multiple binaries
                                 may be specified.
     -disable-default-rule-type  See the Fortify SCA User's Guide.
     -no-default-issue-rules     See the Fortify SCA User's Guide.
     -no-default-sink-rules      See the Fortify SCA User's Guide.
     -no-default-source-rules    See the Fortify SCA User's Guide.
     -no-default-rules           Indicates that Fortify SCA should not use its
                                 default rules.  Must be used in conjunction with
     -rules <specifier>          Specifies custom rules file or directory.  If a
                                 directory is specified, all files ending in ".bin"
                                 or ".xml" are included.
                                 This option may be used multple times.
     -quick                      Runs a quick scan. Quick scans complete faster at
                                 the cost of reduced accuracy.
    Additional Options
     --build-cmds                Sequence of build commands to analyze.
                                 Please read the section below for the notes about
                                 specifying build commands.
     --work-dir                  Working directory of the above build commands.
                                 (default: repository root)

--build-cmds Option

It is required to build using sourceanalyzer with -b build_id option to be able to analyze/scan the build. Please contact Rocro team if you have trouble specifying the build commands.

Example build commands for building gzip v1.8 (git://

            - ./bootstrap
            - env CC="sourceanalyzer -b build_id $@ gcc" CXX="sourceanalyzer -b build_id $@ g++" ./configure
            - make

YAML Examples

  • With default options:

        fortify: default
  • With custom machine:

            cpu: 1.5 # 1.5 CPU, 5760 MiB RAM

results matching ""

    No results matching ""