How to clean up SCA files after scanning?

We did a Fortify on-premises trial and recently purchased it. We are running SSC, SCC, and SCA 20.1 all on Windows 2019 server (1 server for each). We are primarily scanning .NET projects and individual PL/SQL files.

We are using Azure DevOps to launch builds on build servers. We have the Azure DevOps Fortify plugin. The scan central tools are installed on the build servers so that the Azure DevOps plugin can run them. On the build servers it is just the software so it can be run; SCA is not configured as a service that can be run from SCC on the build servers.

For the .NET projects, we run the translate step with the .sln file on the build servers and then have it sent to SCC for further scanning. 

Jobs are sent to scan central via the Azure DevOps plugin, which queues them and runs them on the SCA server.  The .NET projects do the translation step with the .sln files on the build server.

What I've found is that the translate and scan processes leave large files behind that quickly fill up all your disk space. 

Build Servers

On the build servers, the files accumulate here:

C:\Users\<agent account>\AppData\Local\Fortify\sca20.1\build

I found that if I run clean after the Scan Central upload (via the Azure DevOps plugin) that most of the time these intermediate files get cleaned up, but sometimes files aren't cleaned up. (I haven't analyzed them, but it's possible the script failed and it skipped the clean step.)

SCA Server

On the SCA server (an agent controlled by scan central), I'm accumulating many files here:


The Question

Is there an "official" way I should be cleaning up these disk-consuming files? Or do I just need to create a scheduled job that deletes everything more than x days old?

I realize that there can be situations where you don't want to delete the files. I think they are the following:

  1. Troubleshooting
  2. Performing incremental scans

In our setup, I'm not really interested in #2 and if I need #1 I could disable a scheduled job.

Thanks for any guidance.



  • In most of my scripts, I would add a 'clean' step before the 'translation' step and another 'clean' step after the 'scan' step.  

  • Yes, I have a clean step that generally cleans up the translation. The problem is that I'm handing the scan off to the Scan Central Controller (SCC), which then directs a different server (with more resources) to run the scan. Since SCC is directing things, I'm no longer in control. It seems when you're running SCA as a service directed by SCC that Fortify's architecture needs some kind of maintenance mechanism that will clean up old files. 

    For example, with Azure DevOps, you can schedule a maintenance job that directs the agents to delete builds more than a certain number of days old. It would be great if Fortify had that type of option for a SCC.