From fortify
Perform tasks against Fortify on Demand (FoD). Answer questions about applications, releases, security issues/vulnerabilities, policy compliance or portfolio-level analysis. Create new releases (not applications). Start & monitor SAST/DAST/SCA/open source scans. Import FPR/SARIF/CycloneDX artifacts. Audit & triage issues.
Slash command: `/fortify:fortify-fod`
Before running any other command, confirm there is an active, non-expired FoD session:

```bash
fcli fod session ls --query "expired=='No'"
```

- No active FoD session found: instruct the user to run `fcli fod session login` and confirm a successful login before proceeding.
- fcli not found: you interact with FoD using fcli. It must already be on the PATH. If it is not installed, load references/fcli-install.md.
Releases (e.g., main, v2.1) belong to an application; each holds independent scan results and issues. A release can be seeded by copying state from another. Teams typically structure FoD with one app per repo and releases per branch or version (e.g., main, v25.1).
Issue status (the `status` field): New (first seen), Existing (recurring), Reopened (previously fixed, now back), Fixed (absent from the latest scan; may be displayed as Fix Validated). Filter with --query "status=='New'" and so on.
Auditor status is the authoritative control for suppression. An unreviewed issue has auditor status Pending Review.
- Values that suppress the issue: Not an Issue, False Positive
- Values that keep the issue visible (confirmed): Remediation Required, Exploitable
- See references/fcli-fod-output-values.md for the full list of values and their semantics.

Developer status: engineering workflow state (e.g., Open, In Progress, Fixed, Deferred). Tenant-customizable. Does not affect suppression or policy.
--include: By default fcli fod issue list returns visible (non-suppressed) issues only. This is what users expect unless they ask otherwise.
- --include=visible,suppressed adds suppressed issues
- --include=visible,fixed adds fixed issues
- --include=visible,suppressed,fixed returns all issues

severity is an integer: 4=Critical, 3=High, 2=Medium, 1=Low. severityString is the human-readable equivalent.
FoD does not have a dedicated issue count command. For severity totals, use precomputed release-level aggregate fields (critical, high, medium, low, issueCount) from fcli fod release get — this is fast and doesn't require listing issues. For filtered counts or category breakdowns, use fcli fod issue list with -o json and count the results. See the Issue Investigation use case for patterns.
FoD tracks open source component data from SCA scans (Debricked, Sonatype, or imported CycloneDX SBOMs). Release-level fields (openSourceCritical, openSourceHigh, etc.) provide aggregate vulnerability counts. For component-level detail — CVE impact triage, license risk, SBOM export — use the OSS Component Analysis use case.
FoD's Aviator feature provides AI-assisted issue review and remediation guidance. Issues with aviatorRemediationGuidanceAvailable==true have AI-generated fix recommendations. See references/fcli-fod-output-values.md for Aviator field definitions.
Always use instanceId (UUID) as the canonical key for correlating the same issue across scans or releases. Do NOT use id (numeric) for deduplication. Note: SSC calls the equivalent field issueInstanceId.
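The counting and correlation rules above (count from `-o json` output, key on instanceId rather than the numeric id, treat Fixed as absent from the latest scan) as an added example, not code from the skill or from fcli. It assumes the issue lists were saved with `fcli fod issue list --rel=<id> -o json > file.json`; the two embedded lists are constructed sample data, the UUIDs are placeholders, and `category` is an assumed field name (instanceId, id, severity, severityString and status are the names the skill uses):

```python
import json
from collections import Counter

SEVERITY_NAMES = {4: "Critical", 3: "High", 2: "Medium", 1: "Low"}

# Constructed sample data shaped like `fcli fod issue list --rel=<id> -o json`.
# Not real FoD output; the UUIDs are placeholders and `category` is an assumed
# field name. Note the numeric ids differ between releases while instanceId
# is stable for the same finding.
RELEASE_MAIN = json.loads("""[
  {"id": 501, "instanceId": "11111111-1111-4111-8111-000000000001",
   "severity": 4, "severityString": "Critical", "category": "SQL Injection", "status": "Existing"},
  {"id": 502, "instanceId": "11111111-1111-4111-8111-000000000002",
   "severity": 3, "severityString": "High", "category": "Cross-Site Scripting: Reflected", "status": "New"},
  {"id": 503, "instanceId": "11111111-1111-4111-8111-000000000003",
   "severity": 2, "severityString": "Medium", "category": "Path Manipulation", "status": "Existing"},
  {"id": 504, "instanceId": "11111111-1111-4111-8111-000000000004",
   "severity": 1, "severityString": "Low", "category": "Log Forging", "status": "Fixed"}
]""")

RELEASE_V25_1 = json.loads("""[
  {"id": 901, "instanceId": "11111111-1111-4111-8111-000000000001",
   "severity": 4, "severityString": "Critical", "category": "SQL Injection", "status": "Existing"},
  {"id": 902, "instanceId": "11111111-1111-4111-8111-000000000005",
   "severity": 3, "severityString": "High", "category": "XML External Entity Injection", "status": "New"},
  {"id": 903, "instanceId": "11111111-1111-4111-8111-000000000003",
   "severity": 2, "severityString": "Medium", "category": "Path Manipulation", "status": "Existing"}
]""")


def load_issues(path):
    """Read the JSON array written by `fcli fod issue list ... -o json > path`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def open_issues(issues):
    """Drop issues FoD no longer sees in the latest scan (status Fixed).
    They are only present at all when --include=...,fixed was used."""
    return [i for i in issues if i.get("status") != "Fixed"]


def severity_counts(issues):
    """Count open issues per severity name, derived from the integer field so a
    missing or tenant-customised severityString cannot skew the totals."""
    counts = Counter(SEVERITY_NAMES.get(i.get("severity"), "Unknown") for i in open_issues(issues))
    return {name: counts.get(name, 0) for name in ("Critical", "High", "Medium", "Low", "Unknown")}


def category_breakdown(issues, min_severity=3):
    """Open issues at or above min_severity grouped by category, largest group first."""
    counts = Counter(i["category"] for i in open_issues(issues) if i.get("severity", 0) >= min_severity)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def diff_releases(old, new):
    """Correlate two releases on instanceId (never on the per-release numeric id):
    returns the instanceIds introduced, resolved and persisting between them."""
    old_ids = {i["instanceId"] for i in open_issues(old)}
    new_ids = {i["instanceId"] for i in open_issues(new)}
    return {
        "introduced": sorted(new_ids - old_ids),
        "resolved": sorted(old_ids - new_ids),
        "persisting": sorted(old_ids & new_ids),
    }


if __name__ == "__main__":
    print(severity_counts(RELEASE_V25_1))
    print(category_breakdown(RELEASE_V25_1))
    print(json.dumps(diff_releases(RELEASE_MAIN, RELEASE_V25_1), indent=2))
```

For release-level severity totals the precomputed `critical`/`high`/`medium`/`low` fields from `fcli fod release get` remain the cheaper source; this script is for the filtered counts, category breakdowns and cross-release comparisons those aggregates cannot give.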
--rel is the only release identifier for issue and scan commands: fcli fod issue list, fcli fod issue get, fcli fod issue update, and all scan commands use --rel as the sole release identifier. There is no separate --app or --release flag on these commands; do not invent one.
--rel accepts a bare numeric release ID or a name string:
- --rel=1450004
- --rel="MyApp:main" (app:release) or --rel="MyApp:svc:main" (app:microservice:release)

When the user supplies a numeric release ID, use it directly as --rel=<id> and skip all name-resolution steps. A numeric release ID is globally unique in FoD; no app context is required alongside it.
Load these only when needed for the specific task at hand:
| File | When to load |
|---|---|
| references/resolving-release.md | Whenever you need to resolve an app or release name to a --rel identifier and it isn't already explicit |
| references/fcli-fod-output-values.md | Full field/enum reference for apps, releases, scans, issues; status/severity tables; Aviator semantics; available fcli modules |
| references/fcli-fod-output-samples.md | Concrete JSON output examples for every object type (app, release, scan, issue) |
| references/fcli-query-output.md | Detailed SpEL query syntax, null-safety patterns, output formats, --store variable chaining, server-side filtering, date utility functions |
| references/output-formats.md | Extended format options (json-properties, --fetch=1) and JSON processing scripting patterns |
| references/fcli-install.md | Full fcli installation and upgrade procedures |
| references/mutating-operations.md | Full safety rules for delete, create/update, access control, and REST mutations |
| references/fod-openapi-spec.json | Only when constructing fcli fod rest API calls; large file (~18K lines), load targeted sections only |
Read the corresponding file before proceeding with any use case. Do not generate commands from memory — these files contain required command patterns, rate-limit warnings, and safety steps specific to each workflow. If a request spans multiple use cases, load all relevant files before proceeding.
| Use Case | When to use | File |
|---|---|---|
| Portfolio Overview | Broad view across many apps or releases — listing, counting, grouping by criticality or SDLC status, identifying failing policy at scale | references/use-case-portfolio-overview.md |
| Application Context | Detail about a specific app or release; resolving app/release names and --rel identifiers; comparing releases within the same app or between two named apps/releases | references/use-case-application-context.md |
| Creating a Release | Creating a new release within an existing FoD app for a branch, version, or environment | references/use-case-create-release.md |
| Scan Status | Whether scans have run, their results, in-progress or failed scans, last scan dates | references/use-case-scan-status.md |
| Start Scan | Submit a new SAST, SCA (open source), SAST+SCA, or DAST scan for a release; configure scan settings; package code; wait for results | references/use-case-start-scan.md |
| Issue Investigation | Vulnerability counts and category breakdowns for a specific app or release; filtering to specific issues; reading recommendations; triaging and bulk-updating audit status | references/use-case-issue-investigation.md |
| OSS Component Analysis | Open source component inventory and risk — finding all apps/releases using a specific component (CVE impact triage), investigating license types, reviewing OSS usage portfolio-wide or per application | references/use-case-oss-component-analysis.md |
| Import Scan Results | Importing security scan data from on-premises Fortify SAST/DAST (FPR files), third-party SAST/secret/IaC tools (SARIF), or third-party SCA/Container tools (CycloneDX SBOM); consolidating results into FoD as an ASPM single pane of glass | references/use-case-import-scan-results.md |
| Advanced / REST API | Operations not covered by named fcli commands; direct FoD REST API calls; general fallback | references/use-case-advanced.md |
All FoD API access must go through fcli — including when fcli seems slow or limited. Never read fcli's session or state files (~/.fortify/fcli/state, $FCLI_STATE_DIR), extract tokens or credentials from disk, or call FoD APIs directly with curl, wget, requests, Invoke-WebRequest, or any other HTTP client. The supported escape hatch for endpoints not covered by a named command is fcli fod rest call. If fcli is genuinely unworkable for the task, tell the user — do not work around it.
These rules are mandatory. Before executing any create, update, delete, or REST mutation command, load and follow references/mutating-operations.md. Read-only commands (list, get, ls) are always safe without confirmation.
Prefer -o json for programmatic work. Parse JSON and summarize rather than relying on table output, which omits fields and truncates values.
For extended format options and JSON processing patterns, see references/output-formats.md. For --query SpEL syntax and --store chaining, see references/fcli-query-output.md.
For available fcli fod modules and sub-commands, run fcli fod -h or see references/fcli-fod-output-values.md.
Install the plugin that provides this skill:

```bash
npx claudepluginhub fortify/skills --plugin fortify-skills
```