Fortify remote scan - Jenkins


I'm currently integrating Fortify SAST (On-Premises) with Jenkins (On-Premises) using the official plugin. However, some aspects of Fortify's operation seem unclear to me.

In my Fortify infrastructure, I have several SAST sensors to meet scanning demands, along with ScanCentral. Some codebases have numerous files and lines of code, requiring more computational resources for scanning. The installed sensors are on robust dedicated servers to handle these scans.

However, the official plugin documentation for Jenkins mentions two scanning options: remote and local. For remote scanning, there is no "polling" mechanism to monitor the scan progress in ScanCentral. In this scenario, files are uploaded, but the plugin lacks a native method to check the scan status or generate a pipeline status (e.g., an error if vulnerabilities are found). I understand that this is possible by performing a local scan (on the Jenkins runner), but this is not feasible, as we have built an entire on-premises sensor infrastructure to support robust scans. Performing a local scan would consume runner resources, which is not an option at this time.

Am I missing something? The desired workflow in the pipeline would be: remote scanning > check the scan status > after scan completion, check the results > produce a status on the pipeline, failing or succeeding.

Does anyone have a clearer understanding of the correct approach for situations like this?

So far, I have tried to use RemoteScan analysis, but unfortunately it just uploads the scan to Fortify and proceeds with the pipeline without being able to check the scan status and report. A local scan is not an option, as it would increase the workload on the Jenkins runners.

Thanks a lot!
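The "remote scan > check status > check results > fail or pass the pipeline" loop the post asks for, written out as an added example that is not part of the original post and not Fortify, ScanCentral or Jenkins plugin code. Everything about the status query is an assumption: the `poll()` callable stands in for whatever status lookup the environment offers (a ScanCentral or SSC query, or a wrapper around the Fortify CLI), and the returned dict shape (`state`, `findings` keyed by severity) and the state names are hypothetical. What the example does show is the part that is independent of the tool: polling with a capped backoff and a hard deadline, treating only a small set of states as terminal, and a gate that fails closed when the scan did not complete or returned no findings summary, rather than silently passing the build.

```python
# Added example: generic poll-then-gate logic for a remote SAST job.
# Not Fortify/ScanCentral/Jenkins plugin code. The status API, the dict shape
# {"state": ..., "findings": {severity: count}} and the state names are
# assumptions; adapt poll() to the real status query in your environment.
import time
from typing import Callable, Dict, List, Tuple

# Hypothetical terminal states; anything else is treated as "still running".
TERMINAL_STATES = {"COMPLETED", "FAILED", "CANCELLED", "ERROR"}


def wait_for_scan(poll: Callable[[], Dict],
                  timeout_s: float,
                  base_interval_s: float = 5.0,
                  max_interval_s: float = 60.0,
                  sleep: Callable[[float], None] = time.sleep,
                  now: Callable[[], float] = time.monotonic) -> Dict:
    """Poll until the job reaches a terminal state or the deadline passes.

    Uses capped exponential backoff so a long scan does not hammer the server.
    `sleep` and `now` are injectable so the loop can be tested without waiting.
    Raises TimeoutError if the scan is still non-terminal at the deadline.
    """
    deadline = now() + timeout_s
    interval = base_interval_s
    while True:
        resp = poll()
        state = str(resp.get("state", "")).upper()
        if state in TERMINAL_STATES:
            return resp
        if now() >= deadline:
            raise TimeoutError(f"scan still {state or 'unknown'} after {timeout_s}s")
        sleep(interval)
        interval = min(interval * 2, max_interval_s)


def gate(resp: Dict, thresholds: Dict[str, int]) -> Tuple[bool, str]:
    """Decide pass/fail for the pipeline stage. Fails closed.

    thresholds maps a severity name to the maximum number of findings allowed.
    A scan that did not complete, or completed without a findings summary,
    fails the build rather than being mistaken for a clean result.
    """
    state = str(resp.get("state", "")).upper()
    if state != "COMPLETED":
        return False, f"scan ended in state {state or 'unknown'}"
    findings = resp.get("findings")
    if findings is None:
        return False, "scan completed but no findings summary was returned"
    breaches: List[str] = [
        f"{sev}={findings.get(sev, 0)} > {limit}"
        for sev, limit in thresholds.items()
        if findings.get(sev, 0) > limit
    ]
    if breaches:
        return False, "policy breached: " + ", ".join(breaches)
    return True, "within policy"


def run_pipeline_stage(poll: Callable[[], Dict],
                       thresholds: Dict[str, int],
                       timeout_s: float = 3600.0,
                       **poll_opts) -> Tuple[bool, str]:
    """Glue for a pipeline step: wait, then gate; a timeout is a failure too."""
    try:
        resp = wait_for_scan(poll, timeout_s, **poll_opts)
    except TimeoutError as exc:
        return False, str(exc)
    return gate(resp, thresholds)


def make_fake_poller(sequence: List[Dict]) -> Callable[[], Dict]:
    """Constructed status sequence standing in for a real status query.

    Returns each entry in turn and keeps repeating the last one, which is how
    a real job status behaves once it has reached its final state.
    """
    it = iter(sequence)
    last: Dict = {}

    def poll() -> Dict:
        nonlocal last
        last = next(it, last)
        return last

    return poll


# Constructed sample: a job that queues, runs, then completes with findings.
SAMPLE_SEQUENCE = [
    {"state": "QUEUED"},
    {"state": "RUNNING"},
    {"state": "RUNNING"},
    {"state": "COMPLETED", "findings": {"Critical": 1, "High": 3, "Medium": 12}},
]
# Hypothetical policy: no Critical findings, at most 5 High.
POLICY = {"Critical": 0, "High": 5}

if __name__ == "__main__":
    ok, why = run_pipeline_stage(make_fake_poller(SAMPLE_SEQUENCE), POLICY,
                                 sleep=lambda _s: None)
    print("PASS" if ok else "FAIL", "-", why)
    raise SystemExit(0 if ok else 1)
```

In a real pipeline the non-zero exit from the final line is what marks the Jenkins stage as failed; the `__main__` block uses a no-op `sleep` only so the sample sequence runs instantly. The design choice worth keeping whatever the real status API looks like is the fail-closed gate: a timeout, an error state, or a missing findings summary must all fail the build, otherwise an unfinished scan is indistinguishable from a clean one.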
