Fortify with Continuous Integration/Deployment?
I would like to know what other companies are doing about using Fortify with Continuous Automation. That is, are you implementing a gate where, if any Criticals are found, the build is stopped?
As Fortify findings are POTENTIAL vulnerabilities, I've been concerned about implementing a hard gate to stop a build. I'm currently considering only putting the hard gate on for Criticals that have been audited.
To filter out code correctness/stability issues we apply the high/critical filters along with OWASP filters (either web or mobile) such as
[OWASP Top 10 2017]:A [fortify priority order]:!low [fortify priority order]:!medium
[OWASP Mobile 2014]:M [fortify priority order]:!low [fortify priority order]:!medium
(Unfortunately, SSC 18.10 dashboard can't seem to be controlled in a similar way via URL parameters. Up until 17.20 the issueFilters parameters could apply numeric values that persisted across analyses but not across upgrades).
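An added example (not code from this thread, from Fortify or from SSC) of the gate the question describes and the filtering the reply describes: stop the build only on Criticals that an auditor has confirmed, report unaudited Criticals for review, and optionally restrict the gate to findings with an OWASP mapping. The CSV column names and sample rows are constructed for the example; "Exploitable" and "Suspicious" as audit states are an assumption about SSC's default analysis values.

```python
"""CI gate over exported Fortify findings (example code, not Fortify's own).
Assumes findings were exported to CSV with the columns below."""
import csv
import io

# Constructed sample export; column names are assumptions, not a Fortify format.
SAMPLE_CSV = """\
instance_id,category,priority,analysis,owasp_2017
A1,SQL Injection,Critical,Exploitable,A1
A2,Cross-Site Scripting: Reflected,Critical,Not an Issue,A7
A3,Path Manipulation,High,Exploitable,A5
A4,Dead Code,Low,,
A5,Password Management: Hardcoded Password,Critical,,A2
"""

# Audit states treated as a confirmed problem (assumed SSC analysis values).
CONFIRMED = {"Exploitable", "Suspicious"}


def load_findings(text):
    return list(csv.DictReader(io.StringIO(text)))


def gate_findings(findings, hard_gate_priorities=("Critical",),
                  require_audit=True, owasp_only=False):
    """Return (blocking, review): instance ids that stop the build, and
    unaudited ids of gated priority that still need a human look."""
    blocking, review = [], []
    for f in findings:
        if f["priority"] not in hard_gate_priorities:
            continue                      # mirrors !low / !medium filtering
        if owasp_only and not f["owasp_2017"]:
            continue                      # mirrors the [OWASP Top 10 2017]:A filter
        if f["analysis"] in CONFIRMED:
            blocking.append(f["instance_id"])
        elif not f["analysis"]:
            review.append(f["instance_id"])   # never audited: not yet a hard fail
        # audited to any other state (e.g. Not an Issue) is not gated
    if not require_audit:                 # the "any Critical stops the build" policy
        blocking, review = blocking + review, []
    return blocking, review


def should_fail_build(text, **options):
    blocking, _ = gate_findings(load_findings(text), **options)
    return bool(blocking)


if __name__ == "__main__":
    b, r = gate_findings(load_findings(SAMPLE_CSV))
    print("blocking:", b, "needs audit:", r)
    raise SystemExit(1 if b else 0)
```

With the sample data the audited-only policy fails the build on A1 and flags A5 for audit, while the hard "any Critical" policy fails on both.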