fortify-ssc

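Use this skill whenever the user wants to list and filter application security findings, discover applications and versions, or manage applications using Fortify Software Security Center (SSC). Triggers include any mention of "SSC", "list vulnerabilities", "list applications", and similar requests indicating that the user is interacting with Fortify SSC for application security tasks. OpenText Application Security is the new name for Fortify Software Security Center.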

SKILL.md
--- frontmatter
name: fortify-ssc
description: "use this skill whenever the user wants to list and filter application security findings, discover applications and versions, and manage applications using Fortify Software Security Center (SSC). Triggers include: any mention of 'SSC', 'list vulnerabilities', 'list applications', and similar requests indicating interaction with Fortify SSC for application security tasks. OpenText Application Security is the new name for Fortify Software Security Center."
compatibility: Requires Fortify MCP configured for SSC, and authenticated session to SSC.
metadata:
  author: crance
  version: "0.0.1"

Fortify Software Security Center (SSC) Skill

Fortify Software Security Center (SSC) integration via Model Context Protocol (MCP).

When to Use This Skill

  • List applications and application versions
  • List security issues/vulnerabilities with filtering by severity, category, etc.
  • Count issues grouped by severity, category, etc.

Available MCP Tools

Only key MCP tools for SSC are listed here.

| Tool | Description | When to Use |
|---|---|---|
| fcli_ssc_session_list | List authentication sessions | Check authentication status |
| fcli_ssc_app_list | List applications | Discover available applications |
| fcli_ssc_app_get | Get details of a specific application | Retrieve detailed information about an application |
| fcli_ssc_appversion_list | List application versions | Discover available application versions |
| fcli_ssc_appversion_get | Get details of a specific application version | Retrieve detailed information about an application version |
| fcli_ssc_issue_list | List issues | Retrieve a list of security issues/vulnerabilities |
| fcli_ssc_issue_list_filters | Discover available filtering options for issues | Look for most appropriate filter to use |
| fcli_ssc_issue_list_groups | Discover available grouping options for issues | Look for most appropriate group to use |
| fcli_ssc_issue_count | Group and count issues | Count issues grouped by severity, category, etc. Always include --by parameter |
| fcli_ssc_mcp_job | Wait for background jobs to complete | When pagination.jobToken is present in responses |

Parameter Formats

Common formats and examples for key parameters:

| Parameter | Format | Example |
|---|---|---|
| appVersionNameOrId or --appversion | "<App>:<Version>" - case-sensitive, colon-separated | "MyApp:MyRelease" |
| --filter | "<FilterType>:<Value>" - preferred server-side filtering; discover via issue_list_filters first | "Folder:Critical" |
| --filterset | Filter set title or ID - predefined SSC filter combinations (e.g., "Security Auditor View", "Quick View"); distinct from --filter | "Security Auditor View" |
| --embed | Comma-separated values to include additional data (see reference files for specific options) | "details,auditHistory" |
| --by | Group name from issue_list_groups - always include when using issue_count | "Folder", "Category" |

Authentication

All operations require authentication. Always verify the session before any operation:

tool
fcli_ssc_session_list with refresh-cache=true
  • If Expired = No → proceed
  • If expired → ask user to run locally: fcli ssc session login --url "<URL>" -u "<user>" -p '<pass>'
  • When running any SSC tool, if authentication error occurs, prompt user to re-authenticate locally.

Note: Reference workflows assume authentication has been verified.

Filtering: Prefer --filter; query Optional

  • Prefer --filter for server-side filtering (fastest, smallest payloads)
  • Optionally use query as a client-side post-filter when you need a simple match on returned fields
  • Always discover available filters with issue_list_filters before applying them

Pagination

  • If pagination.hasMore = true → use pagination-offset for next page
  • If pagination.jobToken present → background loading; wait with fcli_ssc_mcp_job (see Background Job Handling)
  • Once pagination.totalRecords appears → all records collected

Error Recovery

| Error | Recovery |
|---|---|
| "Session expired" | Refer to flow in Authentication section |
| "Application version not found" | Run app_list to discover correct names |
| "Unknown filter" | Run issue_list_filters to discover valid filters |

Decision Tree: Choosing the Right Approach

| User Intent | Action |
|---|---|
| "list/show vulnerabilities" | issue_list with --filter + --embed details |
| "how many / count / summary" | issue_count with --by |
| "find app / which version" | app_list, appversion_list |

Best Practices

DO:

  • ✅ Use --filter for filtering
  • ✅ Prioritize server-side filtering over client-side
  • ✅ Prefer the MCP tools over calling the FCLI CLI directly

Do NOT:

  • ❌ Guess application/version names - ask the user
  • ❌ Prompt user for credentials - ask user to run fcli ssc session login locally
  • ❌ Assume filter names exist - always run issue_list_filters first
  • ❌ Make multiple API calls for details - use --embed parameter instead
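
The Parameter Formats table and the DO / Do NOT rules above can be enforced before a tool call is sent. The following is an added example, not code from the skill or from fcli: preflight() and the argument dictionary layout are hypothetical, the discovery results are constructed samples, and accepting an all-digit --appversion as an ID is an assumption based on the parameter name appVersionNameOrId.

```python
# Added example: pre-flight checks for SSC MCP tool arguments.
# preflight() and the args dict layout are hypothetical; tool names, parameter
# names and formats are the ones documented on this page.

def split_pair(value):
    """Split "<Left>:<Right>" on the first colon; None if either half is empty."""
    left, sep, right = value.partition(":")
    if not sep or not left.strip() or not right.strip():
        return None
    return left, right

def preflight(tool, args, known_filters=None, known_groups=None):
    """Return a list of problems; an empty list means the call may be sent.

    known_filters / known_groups are the names previously returned by
    fcli_ssc_issue_list_filters / fcli_ssc_issue_list_groups (None = not run).
    """
    problems = []
    appversion = args.get("--appversion")
    # Assumption: an all-digit value is an application version ID.
    if appversion is not None and not appversion.isdigit() and split_pair(appversion) is None:
        problems.append('--appversion must be "<App>:<Version>"; ask the user, do not guess')

    flt = args.get("--filter")
    if flt is not None:
        pair = split_pair(flt)
        if pair is None:
            problems.append('--filter must be "<FilterType>:<Value>"')
        elif known_filters is None:
            problems.append("run fcli_ssc_issue_list_filters before using --filter")
        elif pair[0] not in known_filters:
            problems.append(f"unknown filter type {pair[0]!r}; run fcli_ssc_issue_list_filters")

    if tool == "fcli_ssc_issue_count":
        by = args.get("--by")
        if not by:
            problems.append("fcli_ssc_issue_count requires --by")
        elif known_groups is None:
            problems.append("run fcli_ssc_issue_list_groups before using --by")
        elif by not in known_groups:
            problems.append(f"unknown group {by!r}; run fcli_ssc_issue_list_groups")
    return problems

# Constructed sample discovery results, not real SSC output.
FILTERS = {"Folder", "Category"}
GROUPS = {"Folder", "Category"}

if __name__ == "__main__":
    print(preflight("fcli_ssc_issue_list", {"--appversion": "MyApp:MyRelease", "--filter": "Folder:Critical"}, FILTERS))
    print(preflight("fcli_ssc_issue_count", {"--appversion": "MyApp", "--filter": "Severity:High"}, FILTERS, GROUPS))
```

Each returned problem names the discovery tool or user question that resolves it, which matches the Error Recovery table.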

References

Example Workflows

| Workflow | Use When User Says... |
|---|---|
| List and find Applications Versions | "list applications", "show application versions", "what applications are available" |
| List, Filter and Query Issues | "list vulnerabilities", "show security issues", "filter issues by severity", "include suppressed issues" |
| Summarise and Count Issues | "count issues", "show summary", "breakdown by severity" |
| Provide Recommendations | "show recommendations", "provide remediation advice", "how to fix" |
| Background Job Handling | When pagination.jobToken appears in responses, background data loading |

External Resources