Fortify ScanCentral DAST Skill
Fortify ScanCentral DAST (SC-DAST) integration via Model Context Protocol (MCP).
When to Use This Skill
- Run dynamic application security testing (DAST) scans
- List and monitor scan status
- Pause/resume running scans
- Discover available scan settings and policies
- Manage scan sensors and sensor pools
- View scan results in SSC using SSC skill
Available MCP Tools
Only key MCP tools for SC-DAST are listed here.
| Tool | Description | When to Use |
|---|---|---|
fcli_sc_dast_scan_start | Start a new DAST scan | When user wants to run/start a DAST scan |
fcli_sc_dast_scan_list | List all scans | List scans, check scan status |
fcli_sc_dast_scan_get | Get details of a specific scan | Get scan details by ID |
fcli_sc_dast_scan_wait_for | Wait for scan condition | Monitor scan until condition met |
fcli_sc_dast_scan_pause | Pause a running scan | Temporarily stop a scan |
fcli_sc_dast_scan_resume | Resume a paused scan | Continue a paused scan |
fcli_sc_dast_scan_settings_list | List available scan settings | Discover scan configuration options |
fcli_sc_dast_scan_settings_get | Get scan settings details | Get specific settings by ID or CICD token |
fcli_sc_dast_scan_policy_list | List available scan policies | Discover scan policy options |
fcli_sc_dast_scan_policy_get | Get scan policy details | Get specific policy by name or ID |
fcli_sc_dast_sensor_list | List available sensors | View available scan sensors |
fcli_sc_dast_sensor_get | Get sensor details | View specific sensor information |
fcli_sc_dast_sensor_enable | Enable a sensor | Enable a disabled sensor |
fcli_sc_dast_mcp_job | Background job handler | Handle pagination and background tasks |
fcli_ssc_session_list | Check SSC session status | Verify authentication before operations |
Parameter Formats
| Parameter | Format | Example |
|---|---|---|
--settings | CICD token or ID | "MY_SCAN_SETTINGS" or "12345" |
--name | Scan name | "MyApp Security Scan" |
--policy | Policy name or ID | "Standard" or "67890" |
--overwrite-scan-mode | Boolean flag | true (mutually exclusive with priority-scan-mode) |
--priority-scan-mode | Boolean flag | true (mutually exclusive with overwrite-scan-mode) |
--login-macro | Login macro ID | "98765" (optional) |
--server-queries | Key-value filtering | "status=Running" or "name~MyApp" |
--until | Wait condition | "status=Complete" or "status=Failed" |
--while | Wait condition (inverse) | "status=Running" |
scanIds | Scan identifier(s) | Single or multiple scan IDs from list/get operations |
query | Client-side filtering (SpEL) | "status == 'Complete' && scanVersion > 5" |
Authentication
SC-DAST uses SSC authentication (simplest authentication model - no additional tokens required).
Session Check: Always check SSC session status before SC-DAST operations:
Tool: fcli_ssc_session_list
Parameters: { "refresh-cache": true }
If session expired or missing:
Ask the user to run this command locally in their terminal:
fcli ssc session login --url <SSC_URL> -u <username> -p <password>
Default Session:
If the user doesn't specify a session name, inform them that the default session will be used.
Domain-Specific Guidance: Scan Workflow
SC-DAST scans follow a straightforward workflow:
Phase 1: Discovery
- List available scan settings:
scan_settings_list - List available scan policies:
scan_policy_list - Get specific settings/policy details if needed
Phase 2: Start Scan
Start scan with required parameters:
--settings(CICD token or ID) - REQUIRED--name(scan name) - REQUIRED--policy(policy name or ID) - optional--overwrite-scan-modeor--priority-scan-mode(boolean flags, mutually exclusive) - optional--login-macro(login macro ID) - optional
Important: Ensure scan settings are configured to automatically publish results to SSC. This is typically configured in the scan settings by the administrator.
Phase 3: Monitor Progress
- Use
scan_wait_forwith--until: "status=Complete"or--while: "status=Running" - Use
scan_listwith--server-queries: "status=Running"to check all running scans - Unique capability: Use
scan_pauseandscan_resumeto control scan execution
Phase 4: View Results
- Once scan completes, findings automatically appear in SSC (if configured)
- View findings in SSC using SSC skill (fcli_ssc_issue_list, fcli_ssc_issue_count, etc.)
Filtering
SC-DAST supports both server-side and client-side filtering:
Server-Side Filtering (Preferred):
Use --server-queries parameter with key-value pairs:
- Single filter:
"status=Running" - Contains match:
"name~MyApp" - Multiple filters:
"status=Complete,name~Security"
Client-Side Filtering:
Use query parameter for complex filtering with SpEL (Spring Expression Language):
query: "status == 'Complete' && scanVersion > 5"
When to use each:
- Server-side (
--server-queries): Preferred for performance, especially with large datasets - Client-side (
query): Use for complex expressions not supported by server-side filtering
Pagination
SC-DAST uses job_token-based pagination (same pattern as SSC):
When pagination.totalRecords is null:
-
Call
fcli_sc_dast_mcp_job:Parameters: { "operation": "wait", "job_token": "<job_token from previous response>" } -
After job completes, retry the original list call to get results.
Example Flow:
1. Call scan_list → Response has totalRecords: null, job_token: "abc123..."
2. Call mcp_job with operation: "wait", job_token: "abc123..."
3. Retry scan_list → Response now has full results with totalRecords populated
Error Recovery
| Error | Recovery |
|---|---|
| "Session expired" | Ask user to run fcli ssc session login locally |
| "Scan settings not found" | Use scan_settings_list to discover available settings |
| "Policy not found" | Use scan_policy_list to discover available policies |
| "Scan cannot be completed" | Check scan status - may still be running or failed |
| "No sensors available" | Use sensor_list to check available sensors |
| "Import failed" | Ensure scan was completed and published first |
Pagination totalRecords: null | Use mcp_job with operation: "wait" and job_token |
Decision Tree: Choosing the Right Approach
| User Intent | Action |
|---|---|
| "Run a DAST scan" | Discovery workflow: scan_settings_list → scan_policy_list → scan_start → scan_wait_for → view results in SSC |
| "List scans" / "Show my scans" | scan_list with optional --server-queries filtering |
| "Check scan status" | scan_get with scan ID OR scan_list with --server-queries: "name~<scan-name>" |
| "Pause a scan" | scan_pause with scan ID |
| "Resume a scan" | scan_resume with scan ID |
| "View scan results" | Use SSC skill: fcli_ssc_issue_list or fcli_ssc_issue_count |
| "Find scan settings" | scan_settings_list optionally with server-queries |
| "Check sensors" | sensor_list to view available sensors |
Best Practices
DO:
- ✅ Always check SSC session status before SC-DAST operations
- ✅ Use discovery workflow (list settings/policies) before starting scans
- ✅ Use server-side filtering (
--server-queries) for performance - ✅ Ensure scan settings are configured to auto-publish to SSC
- ✅ Use
scan_wait_forwith appropriate timeouts for long-running scans (typically 30min-2hrs) - ✅ Leverage pause/resume capability for scan management
- ✅ Use CICD token for scan settings in automation scenarios
- ✅ Handle pagination with job_token pattern when totalRecords is null
- ✅ View results in SSC using SSC skill after scan completes
DO NOT:
- ❌ Start scans without verifying settings/policy existence
- ❌ Use client-side filtering for large datasets (prefer
--server-queries) - ❌ Poll scan status manually - use
scan_wait_forinstead - ❌ Forget to verify scan settings are configured to publish to SSC
- ❌ Ignore pagination when totalRecords is null
References
Example Workflows
| Workflow | Use When User Says... |
|---|---|
| Run DAST Scan | "run scan", "start DAST scan", "web scan", "scan my application", "dynamic scan" |
| List and Monitor Scans | "list scans", "monitor progress", "check status", "pause scan", "resume scan" |
| Discover Scan Settings and Policies | "scan settings", "scan policy", "configuration", "CICD token", "available settings" |