Fortify Vulnerability Integration
Summary of Fortify Vulnerability Integration
The Fortify Vulnerability Integration connects Fortify product scanner data with ServiceNow’s Vulnerability Response application, enriching vulnerability information in your ServiceNow instance. This integration helps you assess the impact and priority of code vulnerabilities by importing and synchronizing data from Fortify into the ServiceNow AI Platform® and the Application Vulnerability Response feature.
Data synchronization occurs automatically via scheduled jobs that run daily and are chained to execute in sequence, ensuring your vulnerability data stays current without manual intervention. You can also manually trigger these scheduled jobs if needed. The integration runs under a configured run-as user (default: VR.System), which should not be changed to maintain stability.
Key Features
- Fortify on Demand Application List Integration: Retrieves application scanner data including vulnerabilities and metadata, enriching third-party application data. This runs daily by default and is active out of the box.
- Fortify on Demand Scan Summary Integration: Imports scan records from Fortify and runs automatically after the Application List Integration when enabled. This integration is inactive by default.
- Fortify on Demand Application Vulnerable Item Integration: Imports detailed scan results, creates Application Vulnerable Items (AVITs), and enriches vulnerability data. AVITs are not created for scanner records marked as Closed, but existing AVITs are updated. This integration runs after the Scan Summary Integration when activated and is inactive by default. From version 2.3 onward, it provides detailed processing time metrics and integration run reports.
Practical Use and Benefits
This integration streamlines and automates the vulnerability remediation lifecycle by maintaining synchronization between ServiceNow and Fortify vulnerability systems. It enables you to:
- Maintain up-to-date, enriched vulnerability data for informed prioritization and remediation.
- Leverage automated, scheduled data imports to reduce manual workload and errors.
- Track integration run statuses and view detailed reports to monitor data import health and performance.
Overall, the integration facilitates a comprehensive and efficient vulnerability management process by combining Fortify’s scanning capabilities with ServiceNow’s vulnerability response workflows.
The Fortify Vulnerability Integration uses data imported from the Fortify product to help you determine the impact and priority of flaws in your code.
Fortify Vulnerability Integration
The Fortify product collects scanner data and makes that data available to the ServiceNow AI Platform®. It integrates with the ServiceNow® Application Vulnerability Response feature of Vulnerability Response to map third-party vulnerabilities, enriching the data in your instance.
There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.
Every day, scheduled jobs invoke the integrations automatically. Once all the integrations are activated, they are chained to run in sequence. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.
Available versions
| Release version | Release Notes |
|---|---|
| Vulnerability Response integration with Fortify: Fortify v2.4, Fortify v2.3, Fortify v2.2, Fortify v2.1 | Application Vulnerability Response release notes. For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes. |
Fortify Vulnerability Integration
To view the Fortify Vulnerability Integration, navigate to .
The following integrations are included in the base system. These integrations are not all active by default.
After the initial run, every day, scheduled jobs are chained to run the integrations automatically in order. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.
| Integration | Description |
|---|---|
| Fortify on Demand Application List Integration | Retrieves Fortify application scanner data (vulnerabilities, metadata) and enriches your third-party application data. This integration is set to run daily at 00:00:00. It is active by default. |
| Fortify on Demand Scan Summary Integration | Retrieves scan records from Fortify. This integration is chained to run following the Fortify on Demand Application List Integration when activated. It is inactive by default. |
| Fortify on Demand Application Vulnerable Item Integration | Retrieves scan results from Fortify, inserts AVITs, and enriches your third-party vulnerability data. If the scanner record is in the Closed state, AVITs are not created. Existing AVITs are still updated. Starting with v2.3, view details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Application Vulnerable Item integration. This integration is chained to run following the Fortify on Demand Scan Summary Integration when activated. It is inactive by default. |
For integration run statuses, see View the Fortify Vulnerability Integration import run status.
To view data in third-party vulnerabilities, see View vulnerability libraries.