Fortify Static Code Analysis in Pipelines
Implementation
Fortify SCA runs its vulnerability scan against the Java project's pom.xml, which declares all of the project's dependencies. Because the scan works at the code level, best practice is to run it as early as possible: immediately after the code checkout, so that the build stops before any further processing if vulnerabilities are detected.
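The following script is an added example (not code from the original page or from Fortify) of the stage described above: it is meant to be the first step a pipeline runs after checkout, and it exits non-zero so the pipeline stops when the scan reports issues. The `sourceanalyzer` and `FPRUtility` invocations are real Fortify command lines; the build id, result file name, issue threshold and the assumed line layout of the `FPRUtility -listIssues` output are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original page): a post-checkout pipeline stage that
# runs Fortify SCA on a Maven project and stops the build when issues are reported.
# Assumptions: sourceanalyzer and FPRUtility are on PATH, pom.xml is in the working
# directory, and the build id / FPR file / threshold below are example placeholders.
set -eu

BUILD_ID="${FORTIFY_BUILD_ID:-pipeline-scan}"   # assumed build id
FPR_FILE="${FORTIFY_FPR:-results.fpr}"          # assumed result file name
MAX_ISSUES="${FORTIFY_MAX_ISSUES:-0}"           # stop the build on any issue

# Translate the Maven build and scan it (real sourceanalyzer invocations).
fortify_scan() {
    sourceanalyzer -b "$BUILD_ID" -clean
    sourceanalyzer -b "$BUILD_ID" mvn -q -DskipTests package
    sourceanalyzer -b "$BUILD_ID" -scan -f "$FPR_FILE"
}

# Count issue rows in an FPRUtility listing read from stdin, ignoring blank lines
# and the header row. The assumed layout is: a header starting with "Issue", then
# one issue per line; adjust the patterns if your FPRUtility version prints differently.
count_issue_rows() {
    grep -c -v -e '^[[:space:]]*$' -e '^Issue' || true
}

# Ask FPRUtility for the issue list; under set -e a failing FPRUtility aborts the
# stage instead of silently counting zero issues.
count_issues() {
    listing=$(FPRUtility -information -listIssues -project "$1")
    printf '%s\n' "$listing" | count_issue_rows
}

# Gate: return 0 when the issue count is within the limit, 1 otherwise.
gate() {
    issues="$1"
    limit="$2"
    if [ "$issues" -gt "$limit" ]; then
        echo "Fortify SCA reported $issues issue(s) (limit $limit); stopping build" >&2
        return 1
    fi
    echo "Fortify SCA gate passed: $issues issue(s) (limit $limit)"
    return 0
}

main() {
    fortify_scan
    issues=$(count_issues "$FPR_FILE")
    gate "$issues" "$MAX_ISSUES"
}

# Only run the full stage when invoked as "sh fortify_gate.sh scan", so the
# functions can also be sourced and exercised without Fortify installed.
if [ "${1:-}" = "scan" ]; then
    main
fi
```

Place this as the stage immediately after the checkout step; because it exits non-zero from `gate`, the pipeline runner halts before compiling, packaging or deploying anything further. The threshold is zero so that any reported issue stops the build; raising `FORTIFY_MAX_ISSUES` is a deliberate policy decision, not a default.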