
Excluding File from Static Scan (SCA) in Azure DevOps (ADO)

We use Azure DevOps for our CI/CD pipelines and run an SCA scan using the Fortify plugin. We need to exclude some directories from the scan and cannot seem to find the correct option for this. We have tried adding something similar to "-exclude="**/staging/**" -exclude="**/tsg/**" " to the configuration, but SCA fails when doing this.

How can we exclude files from the SCA scan in ADO?

Thanks!

  • Hello bn_pep,

    You can configure -exclude statements under the "Additional Fortify SCA build options" parameter for a "Fortify Static Code Analyzer Assessment" task.
    eg

    If you are still having issues, please do the following and open a case with Fortify Technical Support:

    1. Before running the pipeline, please "Enable system diagnostics".

    2. Send us the pipeline log, which should display the command executed by the Fortify Assessment task. If system diagnostics is enabled before running, the pipeline will display the following Fortify information for the "Run Fortify on" task:

    eg

    ##[debug]exec tool: sourceanalyzer.exe
    ##[debug]Arguments:
    ##[debug] -b
    ##[debug] Sample1
    ##[debug] -verbose
    ##[debug] -debug
    ##[debug] -logfile
    ##[debug] C:\_APPS\azureDevOps_agent\_work\3\a\sca_artifacts\Sample1.sln_build.log

    ##[debug] -exclude
    ##[debug] **\staging\**
    ##[debug] -exclude
    ##[debug] **\tsg\**
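
An added example, not part of the original thread or of the Fortify plugin: a Python check that rebuilds the sourceanalyzer argument list from a diagnostics log like the one above and lists the -exclude patterns, so a reviewer can see exactly which paths are left out of the scan. The sample log is constructed, the function names are hypothetical, and the parser assumes argument lines carry a space after `##[debug]` as in the excerpt.

```python
import re

# Constructed sample in the format of the diagnostics excerpt in the answer.
SAMPLE_LOG = r"""
##[debug]exec tool: sourceanalyzer.exe
##[debug]Arguments:
##[debug] -b
##[debug] Sample1
##[debug] -exclude
##[debug] **\staging\**

##[debug] -exclude
##[debug] **\tsg\**
##[debug]end of constructed sample
"""

DEBUG = re.compile(r"^\s*##\[debug\](.*)$")

def sourceanalyzer_argv(log_text):
    """Rebuild the argument list logged after '##[debug]Arguments:'."""
    argv, in_args = [], False
    for line in log_text.splitlines():
        m = DEBUG.match(line)
        if not m:
            continue  # blank or non-debug lines do not end the list
        body = m.group(1)
        if body.strip() == "Arguments:":
            in_args = True
        elif in_args and body.startswith(" "):
            argv.append(body.strip())  # assumption: one argument per line
        elif in_args:
            break  # first debug line without the leading space ends the list
    return argv

def audit_excludes(argv):
    """Return (patterns, problems) for the -exclude options in argv."""
    patterns, problems = [], []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-exclude":
            if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                patterns.append(argv[i + 1])
                i += 1  # skip the pattern we just consumed
            else:
                problems.append(f"-exclude at position {i} has no pattern")
        elif tok.startswith("-exclude"):
            problems.append(f"fused token {tok!r}: not the two-token form in the log")
        i += 1
    return patterns, problems
```

Keeping the returned pattern list with the scan artifacts gives a record of what each build excluded from analysis.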

  • in reply to 

    Thank you! This worked perfectly. I was using the syntax for the CLI. 

    I would suggest that information like this would be valuable if provided in the documentation for the plugin.

    Thank you!