Fortify Vulnerability Integration
Summary of Fortify Vulnerability Integration
The Fortify Vulnerability Integration enables ServiceNow customers to import and utilize scanner data from the Fortify product within the ServiceNow Application Vulnerability Response feature. This integration enriches vulnerability data in your instance, helping you assess the impact and priority of code flaws effectively. It ensures your vulnerability management lifecycle remains synchronized by automating data imports through scheduled jobs.
Key Features
- Data Import and Enrichment: Retrieves Fortify application scanner data, scan summaries, and scan results to enrich your third-party vulnerability data.
- Automated Scheduled Jobs: Scheduled jobs run daily and are chained to execute integrations sequentially, simplifying the vulnerability remediation process.
- Configurable Integrations: Includes three main integrations—Application List, Scan Summary, and Application Vulnerable Item—each with specific roles in importing and updating vulnerability data.
- Run-As User: Uses a preconfigured run-as user (default: VR.System) for all integration records to maintain secure and consistent operation. This value should not be changed.
- Integration Monitoring: From version 2.3 onward, you can view detailed metrics on integration run times and statuses, aiding in operational transparency.
Practical Use and Configuration
- The Fortify on Demand Application List Integration runs daily by default at midnight to import vulnerability and metadata information.
- The Scan Summary and Application Vulnerable Item integrations are inactive by default but can be activated and chained to run sequentially after the Application List integration.
- Closed scanner records do not generate new Application Vulnerable Item Tickets (AVITs), but existing ones are updated to reflect current statuses.
- Choose the appropriate integration version based on your upgrade plans, especially if you intend to use Unified Security Exposure Management (USEM); versions starting with 30.x support USEM compatibility.
Key Outcomes
- Maintains up-to-date vulnerability data in ServiceNow by synchronizing with Fortify scanner outputs automatically.
- Improves the accuracy and completeness of vulnerability assessments by enriching third-party vulnerability data with Fortify findings.
- Enables efficient vulnerability remediation workflows through automated and sequenced integration executions.
- Provides visibility into integration performance and success status to support operational management.
The Fortify Vulnerability Integration uses data imported from the Fortify product to help you determine the impact and priority of flaws in your code.
Fortify Vulnerability Integration
The Fortify product collects scanner data and makes that data available to the ServiceNow AI Platform®. It easily integrates with the ServiceNow® Application Vulnerability Response feature of Vulnerability Response to map third-party vulnerabilities, enriching the data in your instance.
There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.
Every day, scheduled jobs invoke the integrations automatically. Once all the integrations are activated, they are chained to run in sequence. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.
Available versions
| Release version | Release Notes |
|---|---|
| If you intend to upgrade to a version that is compatible with Unified Security Exposure Management (USEM), please select a version starting with 30.x when installing or upgrading. | Application Vulnerability Response release notes. For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes. |
| If you do not intend to upgrade to a version that is compatible with Unified Security Exposure Management (USEM), please select a version below 30.x when installing or upgrading. | |
Fortify Vulnerability Integration
To view the Fortify Vulnerability Integration, navigate to .
The following integrations are included in the base system. These integrations are not all active by default.
After the initial run, every day, scheduled jobs are chained to run the integrations automatically in order. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.
| Integration | Description |
|---|---|
| Fortify on Demand Application List Integration | Retrieves Fortify application scanner data (vulnerabilities, metadata) and enriches your third-party application data. This integration is set to run daily at 00:00:00. It is active by default. |
| Fortify on Demand Scan Summary Integration | Retrieves scan records from Fortify. This integration is chained to run following the Fortify on Demand Application List Integration when activated. It is inactive by default. |
| Fortify on Demand Application Vulnerable Item Integration | Retrieves scan results from Fortify, inserts AVITs, and enriches your third-party vulnerability data. If the scanner record is in the Closed state, AVITs are not created. Existing AVITs are still updated. Starting with v2.3, view details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Application Vulnerable Item integration. This integration is chained to run following the Fortify on Demand Scan Summary Integration when activated. It is inactive by default. |
For integration run statuses, see View the Fortify Vulnerability Integration import run status.
To view data in third-party vulnerabilities, see View vulnerability libraries.