Fortify Software Security Center (SSC) Skill

Fortify Software Security Center (SSC) integration via Model Context Protocol (MCP).

When to Use This Skill

List application and application version
List security issues/vulnerabilities with filtering by severity, category, etc.
Count issues grouped by severity, category, etc.

Available MCP Tools

Only key MCP tools for SSC are listed here.

Tool	Description	When to Use
`fcli_ssc_session_list`	List authentication sessions	Check authentication status
`fcli_ssc_app_list`	List applications	Discover available applications
`fcli_ssc_app_get`	Get details of a specific application	Retrieve detailed information about an application
`fcli_ssc_appversion_list`	List application versions	Discover available application versions
`fcli_ssc_appversion_get`	Get details of a specific application version	Retrieve detailed information about an application version
`fcli_ssc_issue_list`	List issues	Retrieve a list of security issues/vulnerabilities
`fcli_ssc_issue_list_filters`	Discover available filtering options for issues	Look for most appropriate filter to use
`fcli_ssc_issue_list_groups`	Discover available grouping options for issues	Look for most appropriate group to use
`fcli_ssc_issue_count`	Group and count issues	Count issues grouped by severity, category, etc. Always include `--by` parameter
`fcli_ssc_mcp_job`	Wait for background jobs to complete	When `pagination.jobToken` is present in responses

Parameter Formats

Common formats and examples for key parameters:

Parameter	Format	Example
`appVersionNameOrId` or `--appversion`	`"<App>:<Version>"` - case-sensitive, colon-separated	`"MyApp:MyRelease"`
`--filter`	`"<FilterType>:<Value>"` - preferred server-side filtering; discover via `issue_list_filters` first	`"Folder:Critical"`
`--filterset`	Filter set title or ID - predefined SSC filter combinations (e.g., "Security Auditor View", "Quick View"); distinct from `--filter`	`"Security Auditor View"`
`--embed`	Comma-separated values to include additional data (see reference files for specific options)	`"details,auditHistory"`
`--by`	Group name from `issue_list_groups` - always include when using `issue_count`	`"Folder"`, `"Category"`

Authentication

All operations require authentication. Always verify session before any operation:

fcli_ssc_session_list with refresh-cache=true

If Expired = No → proceed
If expired → ask user to run locally: fcli ssc session login --url "<URL>" -u "<user>" -p '<pass>'
When running any SSC tool, if authentication error occurs, prompt user to re-authenticate locally.

Note: Reference workflows assume authentication has been verified.

Filtering: Prefer --filter; query Optional

Prefer --filter for server-side filtering (fastest, smallest payloads)
Optionally use query as a client-side post-filter when you need a simple match on returned fields
Always discover available filters with issue_list_filters before applying them

Pagination

If pagination.hasMore = true → use pagination-offset for next page
If pagination.jobToken present → background loading; wait with fcli_ssc_mcp_job (see Background Job Handling)
Once pagination.totalRecords appears → all records collected

Error Recovery

Error	Recovery
"Session expired"	Refer to flow in `Authentication` section
"Application version not found"	Run `app_list` to discover correct names
"Unknown filter"	Run `issue_list_filters` to discover valid filters

Decision Tree: Choosing the Right Approach

User Intent	Action
"list/show vulnerabilities"	`issue_list` with `--filter` + `--embed details`
"how many / count / summary"	`issue_count` with `--by`
"find app / which version"	`app_list` → `appversion_list`

Best Practices

DO:

✅ Use --filter for filtering
✅ Prioritize server-side filtering over client-side
✅ Prioritize use MCP tool over FCLI CLI directly

Do NOT:

❌ Guess application/version names - ask the user
❌ Prompt user for credentials - ask user to run fcli ssc session login locally
❌ Assume filter names exist - always run issue_list_filters first
❌ Make multiple API calls for details - use --embed parameter instead

References

Example Workflows

Workflow	Use When User Says...
List and find Applications Versions	"list applications", "show application versions", "what applications are available"
List, Filter and Query Issues	"list vulnerabilities", "show security issues", "filter issues by severity", "include suppressed issues"
Summarise and Count Issues	"count issues", "show summary", "breakdown by severity"
Provide Recommendations	"show recommendations", "provide remediation advice", "how to fix"
Background Job Handling	When `pagination.jobToken` appears in responses, background data loading

fortify-ssc

Safety Notice

Copy this and send it to your AI assistant to learn

Fortify Software Security Center (SSC) Skill

When to Use This Skill

Available MCP Tools

Parameter Formats

Authentication

Filtering: Prefer --filter; query Optional

Pagination

Error Recovery

Decision Tree: Choosing the Right Approach

Best Practices

References

Example Workflows

External Resources

Source Transparency

Related Skills

fortify-fod

fortify-scsast

fortify-scdast

Open Code Review