Fortify Static Code Analyzer is OpenText’s enterprise SAST solution. It detects 1,700+ categories of vulnerabilities across 33+ programming languages and covers over one million individual APIs.

Fortify is one of the longest-running commercial SAST tools on the market, with a two-decade track record in government, defense, and financial services. OpenText acquired Micro Focus (the previous Fortify owner) in 2023.
I see Fortify SCA in enterprise environments where procurement decided years ago. It supports a wide language list including COBOL and ABAP, and the rule packs cover compliance frameworks like PCI-DSS and FedRAMP. Scans are slow compared to newer tools, and the output typically goes through Fortify SSC for triage rather than straight to a developer.
What is Fortify SCA?
Fortify SCA performs deep static analysis to find security vulnerabilities in source code. It covers a broad range of languages from modern (Java, Go, Kotlin, Swift) to legacy (COBOL, ABAP, Visual Basic) and extends to infrastructure as code scanning for Terraform, Docker, Kubernetes, and serverless configurations.
The tool includes Fortify Aviator, an AI-powered feature for automated code fix suggestions.

Key features
Deployment options
Fortify is available in three deployment models:
| Deployment | Description |
|---|---|
| On-premises | Fortify SCA installed locally with full control |
| SaaS | Fortify on Demand (managed cloud service) |
| Hybrid | Combination of on-premises and cloud |
Language support
Fortify supports a wide range of languages including ABAP/BSP, ActionScript, Apex, ASP.NET, C/C++, C#, Classic ASP, COBOL, ColdFusion, Go, HTML, Java (including Android), JavaScript, JSP, Kotlin, Objective-C, PHP, PL/SQL, Python, Ruby, Swift, T-SQL, VB.NET, VBScript, Visual Basic, and XML.
Note: Beyond source code, Fortify scans infrastructure as code (Terraform, CloudFormation), Docker images, Kubernetes manifests, and serverless function configurations for security misconfigurations.
Getting started
CI/CD and IDE integration
Fortify plugs into most major CI/CD platforms and IDEs. The integration model is scan-as-a-step: developers trigger analysis through the IDE plugin (Visual Studio, Eclipse, IntelliJ) or a build-system hook (Maven, Gradle, MSBuild), and findings route to Fortify Software Security Center (SSC) for triage.
Supported CI/CD platforms include Jenkins, GitHub Actions, GitLab CI, Azure DevOps, Bamboo, CircleCI, and TeamCity. The Fortify CLI produces FPR (Fortify Project Results) output, and FortifyToSARIF converts it for code-scanning platforms that expect SARIF input. Scans are notably slower than Semgrep or Snyk Code, which is the trade-off for depth: large codebases take hours rather than seconds.
IDE plugins show findings inline with severity, CWE mapping, and remediation guidance. Fortify Aviator’s AI fixes show up in the IDE as suggested edits rather than separate PRs.
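As an added illustration of the scan-as-a-step model described above (example code written here, not Fortify's or OpenText's), the following Python gate reads the SARIF that a converter such as FortifyToSARIF emits and fails the pipeline step when untriaged findings at or above a chosen level are present. The SARIF sample, rule names, file paths and the baseline of already-triaged findings are all constructed for the example.

```python
"""CI gate over SARIF results, such as Fortify FPR output converted to SARIF."""
import json
from collections import Counter

# Constructed sample in SARIF 2.1.0 shape with two findings. The rule names,
# file paths and message text are invented for illustration, not real output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Fortify SCA (constructed sample)"}},
        "results": [
            {"ruleId": "SQL Injection", "level": "error",
             "message": {"text": "Tainted input reaches a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/OrderDao.java"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "Log Forging", "level": "warning",
             "message": {"text": "Unsanitized input written to a log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Audit.java"},
                 "region": {"startLine": 17}}}]},
        ],
    }],
})

# SARIF result levels, ordered so a threshold can be compared numerically.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def load_results(sarif_text):
    """Flatten every run's results into (ruleId, level, uri, startLine) tuples."""
    log = json.loads(sarif_text)
    flat = []
    for run in log.get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            flat.append((res.get("ruleId", "?"),
                         res.get("level", "warning"),  # SARIF default level
                         loc.get("artifactLocation", {}).get("uri", "?"),
                         loc.get("region", {}).get("startLine", 0)))
    return flat

def gate(results, fail_at="error", baseline=()):
    """Return (passed, counts_by_level). The step fails when any finding at or
    above fail_at is not in baseline, a set of (ruleId, uri) pairs already triaged."""
    threshold = LEVEL_RANK[fail_at]
    counts = Counter(level for _, level, _, _ in results)
    blocking = [r for r in results
                if LEVEL_RANK.get(r[1], 2) >= threshold and (r[0], r[2]) not in baseline]
    return not blocking, counts
```

The baseline mirrors the SSC triage step the page describes: findings already audited there are excluded so the PR gate only blocks on new results.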
Pricing and licensing reality
OpenText does not publish Fortify pricing. Expect an enterprise sales cycle with quotes tied to developer seats, scan volume, and the specific module set (on-premises SCA, Fortify on Demand, Aviator, Software Security Center). Pricing is commonly structured per scanning seat rather than per repository, and public benchmarking against Checkmarx is mostly anecdotal.
Fortify on Demand is the SaaS offering and is the faster deployment path for organizations without the appetite to stand up an on-prem SSC instance. The Fortify Aviator add-on (AI-assisted fixes) is a separate SKU in OpenText’s current catalog.
For fact-based pricing context on this tier of enterprise SAST, community Vendr benchmarks (where available) are closer to reality than any list price.
Where Fortify fits vs alternatives
Fortify is the right tool when your portfolio has one of these characteristics:
- Legacy enterprise languages. COBOL, ABAP, PL/SQL, Classic ASP, VB6. Most modern SAST (Semgrep, Snyk Code, GitHub CodeQL) doesn’t scan these. Fortify and Checkmarx are the two serious options.
- Compliance-gated regulated industries. Banking, healthcare, government contracting. Fortify’s FedRAMP Moderate authorization and long paper trail of audit acceptance are the reason it’s still bought.
- Air-gapped deployment requirements. On-premises Fortify SCA runs in environments with no connectivity to a SaaS backend, a hard filter that eliminates many modern SAST tools.
Fortify is not the right tool when:
- Developer adoption is the bottleneck and you want fast PR-gate feedback. Snyk Code or Semgrep return results in seconds; Fortify scans routinely take hours.
- Your stack is 100% modern cloud-native (Go, TypeScript, Python, Rust). CodeQL and Semgrep cover these better with lower TCO.
- You’re a small-to-midsize engineering org without a security team to run SSC. The operational weight of Fortify’s console assumes dedicated AppSec staff.
When to use Fortify
Fortify is built for enterprises that need broad language coverage, including legacy languages like COBOL and ABAP that many modern SAST tools don’t support. Its two-decade track record and deep vulnerability category coverage make it a common choice for regulated industries.
For teams that want lighter-weight or open-source SAST, Semgrep CE or SonarQube offer faster time-to-value. Fortify’s strength is comprehensive enterprise coverage.

For a head-to-head comparison, see the Checkmarx vs Fortify guide.