Configure the Fortify Vulnerability Integration

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 9 minutes
  • Before you run the integration on your instance, the installation and configuration steps must be completed so the Fortify product properly integrates with the Application Vulnerability Response feature of Vulnerability Response. This application is available as a separate subscription.

    Before you begin

    Roles required: App-Sec Manager

    Complete the following setup checklist prior to installation. These setup tasks are required for a smooth installation and configuration.

    Note:
    This process applies only to applications that are downloaded to production instances. If you're downloading applications to non-production or development instances, it's not necessary to get entitlements. Proceed to Activate a ServiceNow Store application.
    Setup tasks | Description
    Verify that the Vulnerability Response application is installed and activated.

    To verify that this application is activated, navigate to Subscription Management > Subscriptions in your instance. The list displays the subscriptions your organization has purchased.

    If the application is not installed and activated, see Install Vulnerability Response.

    Verify that the Vulnerability Response Integration with Fortify application is installed and activated.

    To verify that this application is activated, navigate to Subscription Management > Subscriptions in your instance. The list displays the subscriptions your organization has purchased.

    If the application is not installed and activated, see Install the ServiceNow Vulnerability Response Integration with Fortify.

    Verify that you have the required ServiceNow roles for your instance.

    The following roles are required for installation, configuration, and verification of expected results:
    • If not already assigned, the System Administrator [admin] installs the app and assigns users to the App-Sec Manager group.
    • The App-Sec Manager oversees configuration and verifies expected results.

    For the Fortify Vulnerability Integration, have your API id and API key ready.

    Contact Fortify to obtain the API id and API key.

    Procedure

    1. Log in to the instance you want to install the Fortify application vulnerability integrations on.
    2. Navigate to the ServiceNow Store.
    3. In the ServiceNow Store, search for the Vulnerability Response integration with Fortify application.
    4. Click the application tile.
      Detailed information about the application you are installing is displayed.
      Note:
      Consider reading the Other Requirements and Dependencies sections, as applicable.
    5. Click Request App and enter your Now Support login credentials.
    6. Click Get.
    7. Enter the Instance Name and Reason for the Instance, and click Validate Instance.
    8. Click Request.
      You will receive an email with detailed installation instructions.
    9. Navigate to System Applications > Applications.
    10. Locate the application, select it, and click Install.
      Your application is automatically installed on your instance.
    11. Once the installation completes, navigate to Fortify Vulnerability Integration > FoD Configuration.
    12. On the form, fill in the fields.
      Table 1. Fortify on Demand configuration form
      Field | Description
      API root URL | User's Fortify instance URL.
      API key | Unique identifier sent to the Fortify API.
      API secret | Client secret provided by Fortify.
      Include DAST | Option to include vulnerabilities from DAST scans. DAST scans identify vulnerabilities in the behavior of your overall application.
      Include SAST | Option to include vulnerabilities from SAST scans. SAST scans identify vulnerabilities in the code.
      Triaging exceptions and false positives in ServiceNow (starting with v20.0 of Vulnerability Response) | Select options to handle exception management and false positives for AVIs with ServiceNow workflows automatically upon import. These options are activated by default. For an example use case, see Managing state mapping for deferrals and false positives in Application Vulnerability Response.
      Manage exceptions in ServiceNow
      Leave this option activated if you want to triage imported AVIs marked for the Deferred state.

      AVIs with Source states that normally are mapped to a Deferred state in your instance are instead mapped to Open.

      You request an exception from the AVI record.

      Manage false positives in ServiceNow
      Leave this option activated if you want to triage imported AVIs with Source states marked as False Positive or Potential False Positive.

      AVIs with these Source states that normally are mapped to a Closed state in your instance are mapped to Open.

      You request a False positive from the AVI record.
      • Deactivate one or both check boxes if you want to preserve the Source states imported from your scanner.
      • These AVIs are mapped to the Target states and Target reason states as they are imported but are not triaged by the exception and false positive workflows. The Request exception and False Positive actions are not visible on AVIs.
      Triaging in ServiceNow (prior to v20.0 of Vulnerability Response) | Manage your application vulnerability triaging in your ServiceNow instance:
      • Select the check box to triage the AVIs within ServiceNow. If this option is selected, AVIs are imported in Open state. You can then request an exception or mark the AVI as a false positive.
      • To retain the source state, that is, the state imported from the scanner, ensure that the check box is not selected.
      Note:
      The Mark as False Positive and Request Exception options are available only for AVIs being triaged within ServiceNow.
    13. Select Save and Test Credentials.
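
The effect of the two triage check boxes in Table 1 (v20.0 and later) on imported AVI states, modeled as an added example that is not ServiceNow or Fortify code. The mapping table and the source states `New`, `Risk Accepted` and `Fixed` are constructed for illustration; only `False Positive` and `Potential False Positive` are named on this page.

```javascript
// Constructed default source-state -> target-state mapping (assumption, not
// the product's shipped mapping). "New", "Risk Accepted" and "Fixed" are
// hypothetical source states used only for this illustration.
const DEFAULT_MAP = {
  "New": "Open",
  "Risk Accepted": "Deferred",
  "Fixed": "Closed",
  "False Positive": "Closed",
  "Potential False Positive": "Closed",
};
const FP_SOURCES = new Set(["False Positive", "Potential False Positive"]);

// Target state of one imported AVI under the two check boxes.
function targetState(sourceState, opts) {
  const mapped = DEFAULT_MAP[sourceState];
  if (mapped === undefined) {
    throw new Error("unmapped source state: " + sourceState);
  }
  // "Manage exceptions in ServiceNow": Deferred is imported as Open instead.
  if (opts.manageExceptions && mapped === "Deferred") return "Open";
  // "Manage false positives in ServiceNow": only the false-positive source
  // states are reopened; other Closed mappings (e.g. Fixed) stay Closed.
  if (opts.manageFalsePositives && mapped === "Closed" &&
      FP_SOURCES.has(sourceState)) return "Open";
  return mapped;
}

// Count target states for a batch, to compare the Open backlog that each
// combination of check boxes would produce on import.
function summarize(findings, opts) {
  const counts = { Open: 0, Deferred: 0, Closed: 0 };
  for (const f of findings) counts[targetState(f.sourceState, opts)] += 1;
  return counts;
}

// Constructed sample import (not real scan data).
const SAMPLE = [
  { id: "AVI-1", sourceState: "New" },
  { id: "AVI-2", sourceState: "Risk Accepted" },
  { id: "AVI-3", sourceState: "False Positive" },
  { id: "AVI-4", sourceState: "Potential False Positive" },
  { id: "AVI-5", sourceState: "Fixed" },
  { id: "AVI-6", sourceState: "Risk Accepted" },
];

console.log("both on :", summarize(SAMPLE, { manageExceptions: true, manageFalsePositives: true }));
console.log("both off:", summarize(SAMPLE, { manageExceptions: false, manageFalsePositives: false }));
```

With both options active, every scanner-side deferral and false positive arrives as Open and must be re-approved through the ServiceNow workflows, so expect the Open count to rise on the first import.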

    What to do next

    If your environment requires domain-separated imports, see Create domain-separated imports for an integration.

    On initial installation, see Configure Application Vulnerability Response for further instructions.

    After initial installation, for modifications refer to Fortify Vulnerability Integration modification and activities.