Failing Builds with Fortify

Looking for success stories on how companies have implemented hard gates due to Fortify SAST scan results. What specifically did you gate on? What did you exclude from your gate? Did the gate change over time? How did teams respond to the hard gate?

  • We expect the CI/CD pipeline without Fortify to run.

    Then, depending on the size of the code base: for small microservices you can run Fortify and fail if new issues are introduced (in core categories/folders).

    For monoliths the cadence is lower.

    One BIG mistake we made (IMHO): customizing too much, so each release takes more effort to ensure our special changes still work.

    And over time Fortify's issue templates change to reduce FPs, but ours just keep them, and devs can't stand this. I agree with them.

    Simply put: if you tune your rejection based on reasonable risk items, then most sane devs will be okay with that.

    If it is some "quality" rule ("null pointer exception" or "unreachable code")... well, they will hate any such process.

    We also have a team that can randomly check the state of audits; that helps too.
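A minimal version of the gate the comment above describes (fail only on findings that are new relative to the last accepted scan, only in core folders, and only for risk categories rather than quality ones), written as an added example; it is not the commenter's code or anything shipped with Fortify. It assumes the findings have already been exported from the FPR into plain records and that the previous accepted scan's instance IDs are on hand as the baseline. The record fields, the folder names, the excluded category list and the sample findings are all constructed for this example.

```python
"""Baseline-diff quality gate over exported Fortify SAST findings.

Assumptions (not a Fortify file format): findings arrive as plain records
with an instance ID, category, Fortify Priority Order value and source path,
and the previous accepted scan's instance IDs are available as a baseline.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    instance_id: str   # Fortify instance ID, stable across scans of the same code
    category: str      # Fortify category name, e.g. "SQL Injection"
    priority: str      # Fortify Priority Order: Critical / High / Medium / Low
    path: str          # source path relative to the repository root


@dataclass(frozen=True)
class GatePolicy:
    """What blocks the build. Everything else is reported but does not fail."""
    block_priorities: frozenset = frozenset({"Critical", "High"})
    # Assumed "core" folders for this example; a monolith would widen this.
    core_folders: tuple = ("src/auth/", "src/payments/")
    # Assumed "quality" categories that stay advisory so devs do not revolt.
    excluded_categories: frozenset = frozenset({
        "Dead Code",
        "Null Dereference",
        "Unchecked Return Value",
        "Poor Error Handling: Empty Catch Block",
    })


def is_core_path(path: str, core_folders: Iterable[str]) -> bool:
    return any(path.startswith(folder) for folder in core_folders)


def evaluate_gate(findings: Iterable[Finding], baseline_ids: Set[str],
                  policy: GatePolicy) -> Tuple[List[Finding], List[Finding]]:
    """Split NEW findings into blocking and advisory per the policy.

    Findings whose instance ID already existed in the baseline scan are
    ignored entirely: the gate only fails on what this change introduced.
    """
    blocking: List[Finding] = []
    advisory: List[Finding] = []
    for f in findings:
        if f.instance_id in baseline_ids:
            continue  # pre-existing issue: tracked in the audit, not gated here
        if (f.priority in policy.block_priorities
                and f.category not in policy.excluded_categories
                and is_core_path(f.path, policy.core_folders)):
            blocking.append(f)
        else:
            advisory.append(f)
    return blocking, advisory


def gate_exit_code(blocking: List[Finding]) -> int:
    """Non-zero exit fails the pipeline step."""
    return 1 if blocking else 0


# Constructed sample: what a post-scan export might look like for one PR.
SAMPLE_FINDINGS = [
    Finding("A1", "SQL Injection", "Critical", "src/auth/login.py"),
    Finding("B2", "Null Dereference", "High", "src/auth/session.py"),
    Finding("C3", "SQL Injection", "Critical", "src/auth/legacy.py"),
    Finding("D4", "Cross-Site Scripting: Reflected", "High", "src/reports/view.py"),
    Finding("E5", "Password Management: Hardcoded Password", "Medium", "src/payments/cfg.py"),
    Finding("F6", "Path Manipulation", "Critical", "src/payments/export.py"),
]
# Constructed baseline: instance IDs present in the last accepted scan.
PREVIOUS_SCAN_IDS = {"C3", "F6"}


def run_sample() -> Tuple[List[Finding], List[Finding]]:
    return evaluate_gate(SAMPLE_FINDINGS, PREVIOUS_SCAN_IDS, GatePolicy())


if __name__ == "__main__":
    blocking, advisory = run_sample()
    for f in blocking:
        print(f"BLOCK  {f.priority:8} {f.category:40} {f.path}")
    for f in advisory:
        print(f"ADVISE {f.priority:8} {f.category:40} {f.path}")
    raise SystemExit(gate_exit_code(blocking))
```

For the per-PR microservice gate the baseline is the last accepted scan of that service; for a monolith on the slower cadence the same function runs against the previous scheduled scan instead, and the policy can be loosened by widening `core_folders`. Keeping the policy in one small dataclass rather than in custom Fortify filter sets is the point the comment makes about over-customization: when the vendor's issue templates change, nothing here has to be re-ported.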