Integrate Fortify on Demand into CI/CD

What is Fortify on Demand?

Fortify on Demand is the online service provided by the Uleska partner Micro Focus which incorporates their static (Static Code Analyzer) and dynamic (WebInspect) analysis security tools. This is a commercial service provided by MicroFocus.

To use Uleska with Fortify on Demand, you will need to have your own Fortify on Demand licenses. Contact Micro Focus for a discussion on their services and licenses, or you can contact Uleska (as a Micro Focus partner) for advice and help to obtain the right licenses for your company.

Security Stage SAST, DAST (Static Code Analysis, Dynamic Analysis)
Type Commercial
Languages Most languages are covered (see )



1 You'll need a Git address or URL to scan
2 You'll need a license for FortifyOnDemand


How do I set it up Fortify on demand?

You can use the Uleska Platform to extract results from Fortify on Demand. To configure, the first act is to setup a 'Connection' for the Fortify on Demand server and configuration you have been allocated by Micro Focus.

  • To set up a Connection, click on the 'Configuration' tab on the left hand side of the UI. If you do not have a 'Configuration' side, you may not have the role permissions to set this connection up, therefore speak to your administrator.
  • In the Configuration screen, click on the 'Connections' tab, and click on 'Add Connection'
  • This will let you configure different types of connections for various tools. Choose the 'Fortify on Demand' option in the top drop down box.
  • Enter the configuration details for your instance and tenant of the Fortify on Demand service:


  • Now that you have your Fortify on Demand connection setup, click on the application you wish to add the tool for, and edit the version (stage) configuration.


  • Given that the Uleska Fortify on Demand adaptor currently extracts existing test results from the server, the Uleska system does not currently need to be setup with a Uri or Source Code Origin, instead the Uleska system connects with the Fortify on Demand system and uses the configuration Application Name (for this current application) to extract the latest results. Therefore you need to ensure your Application Name matches the name you have configured in Fortify on Demand.

  • Click 'Save'

  • Create a new Toolkit (or edit an existing one) by following the Creating a Toolkit guide and selecting 'Fortify on Demand' as a tool.


  • Click Save.

Now any time you click 'Test Now' with that ToolKit, or make a request over the Uleska API or CLI with that ToolKit, the Uleska will extract the latest SAST and DAST results for the configuration application. Any results added to your vulnerabilities list.


Currently, the Fortify on Demand adaptor will extract results for your application from the online service. It does not currently invoke (start running) the testing. This feature will be coming in a future version.