Using the Fortify Static Code Analysis Process template

This article is in a draft stage.

This article provides steps to getting TFS to fortify-scan your code.


1. Open Visual Studio 2010.

2. Expose the Team Explorer tab from the View menu, or by pressing Ctrl+W, M:

Team Explorer.png

3. Connect to a team project by clicking on the Connect to Team Project button:

Team Project.png

4. Find your TFS Team Project and click Connect.

Note: Unless you are a TFS Project Collection Administrator, you will only see your own projects in the following dialog box:

TFS Team ProjectDialogBox.png

5. Expand Builds:

Expand Builds.png

6. Create a new build solution:

a) If you have Team Foundations Server Power Tools you can clone an existing build definition.
  • You can copy an existing build definition, by right-clicking it and choosing Clone Build Definition.
  • This produces a copy of your existing build definition called Copy of {ExistingBuildDefinitionName}.
b) If you do not have the Power Tools, you can right-click the Builds node and choose New Build Definition:

Builds Node.png

7. In the General tab, give your build definition a name.

  • A suggested convention would be to give it the same name as the existing build definition you copied, and append -Fortify to it.

8. In the Trigger tab, set the check-in trigger to manual.

9. In the Build Defaults tab, make sure you have This build copies output files to a drop folder check box selected, and a valid path entered to somewhere under your drop folder hierarchy.

  • A good convention here would be to use a "Fortify" directory under your TFS Team Project's directory.

10. In the Workspace tab, ensure you have paths to the Source Control Folder and Build Agent Folder for each solution to be built (scanned) as part of this build definition:

Source Control.png

Build Agent.png

11. In the resulting dialog box, expand the TFS Team Project containing the project you want to build:

TFS Team Project.png

12. Navigate to the folder that contains the source code (usually a folder named "src") and click OK:

Source CodeFolder.png

13. Immediately after clicking OK, press the Tab key so that the Build Agent Folder will be correctly populated:

Correct Population.png

14. This is what it should look like after you add working folders to the TFS project's /lib (if present) and /src directories:

TFSProject Directories.png

15. In the build definition's Process tab, set the Build Process template to FortifyStaticCodeAnalysisProcessTemplate.xaml.

  • This template is one of the choices in the Build process file (Windows Workflow XAML) drop-down control.

16. For each solution that is part of your build definition, you need to have:

a) A Fortify 360 project that matches exactly (case sensitive) the name of your solution file(s), minus the ".sln" extension.
  • Fortify 360 calls this a "project," not to be confused with a Visual Studio project. Ask David Kosorok or Chad Butler to create a Fortify 360 project for each solution you will have scanned.
b) Solution(s) listed in the Projects to Build field under Items to build in the Build Definition's Process tab:

Projects ToBuild.png

17. If you need to add a solution, click the ellipsis button at the right of your existing Projects to Build field:

Add Solution.png

18. Then click Add and type in the path to your solution file:

Solution File.png

19. Click OK and then delete any values in the Automated Tests field under the Basic section in the Process tab:

Automated Tests.png

20. Expand the Advanced section and the Agent Settings, and set the Name Filter to icstfscontroller1FortifyAgent. If you just click on the Name Filter, a drop-down control will be exposed in the value field, and you should select it from there:

Agent Settings.png

21. Set the Tag Comparison Operator to MatchAtLeast.

22. Save your new build definition.

23. Queue your build and wait. The Fortify Static Code Analysis can take a long time.

24. If successful, you will see a Success build status with a name similar to "{YourBuildDefinitionName}_{yyyymmdd}_{BuildID)."

25. You will also get an FPR file uploaded to the Fortify 360 server, which you can verify by talking to the Code Security Team (David Kosorok or Chad Butler). You can reach them at

This page was last modified on 6 December 2012, at 16:44.

Note: Content found in this wiki may not always reflect official Church information. See Terms of Use.