Fortify SCA scans 33+ languages and 350+ frameworks, detecting 1,700+ vulnerability categories across 1 million+ APIs.
Gartner Magic Quadrant Leader for Application Security Testing for 11 consecutive years, now under OpenText.
Fortify Aviator AI provides automated code fix suggestions to accelerate remediation for identified vulnerabilities.
Available as on-premises, SaaS (Fortify on Demand), or hybrid deployment with IaC, Docker, and Kubernetes scanning.
Fortify Static Code Analyzer is OpenText’s enterprise SAST solution. It detects 1,700+ categories of vulnerabilities across 33+ programming languages and covers over one million individual APIs.
Fortify has been a Gartner Magic Quadrant Leader for Application Security Testing for 11 consecutive years, one of the longest continuous runs in the AST market. OpenText acquired Micro Focus (the previous Fortify owner) in 2023.
What is Fortify SCA?
Fortify SCA performs deep static analysis to find security vulnerabilities in source code. It covers a broad range of languages from modern (Java, Go, Kotlin, Swift) to legacy (COBOL, ABAP, Visual Basic) and extends to infrastructure as code scanning for Terraform, Docker, Kubernetes, and serverless configurations.
The tool includes Fortify Aviator, an AI-powered feature for automated code fix suggestions.
33+ Languages
Covers ABAP, C/C++, C#, COBOL, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Swift, and more. 350+ frameworks supported with 1M+ API coverage.
1,700+ Vulnerability Categories
Broad vulnerability detection covering injection, XSS, authentication, cryptography, and many more security issue types.
Fortify Aviator
AI-powered automated code fix suggestions for detected vulnerabilities, reducing remediation time for developers.
Key features
Deployment options
Fortify is available in three deployment models:
Deployment: Description
On-premises: Fortify SCA installed locally with full control
SaaS: Fortify on Demand (managed cloud service)
Hybrid: Combination of on-premises and cloud
Language support
Fortify supports a wide range of languages including ABAP/BSP, ActionScript, Apex, ASP.NET, C/C++, C#, Classic ASP, COBOL, ColdFusion, Go, HTML, Java (including Android), JavaScript, JSP, Kotlin, Objective-C, PHP, PL/SQL, Python, Ruby, Swift, T-SQL, VB.NET, VBScript, Visual Basic, and XML.
IaC and container scanning
Beyond source code, Fortify scans infrastructure as code (Terraform, CloudFormation), Docker images, Kubernetes manifests, and serverless function configurations for security misconfigurations.
Getting started
1. Choose deployment: Select between on-premises Fortify SCA, cloud-based Fortify on Demand, or a hybrid approach. Contact OpenText for pricing.
2. Configure scanning: Integrate Fortify with your build system and IDE. Plugins are available for major IDEs and CI/CD platforms.
3. Run analysis: Scan your codebase. Fortify analyzes source code and reports findings with severity ratings, CWE mapping, and remediation guidance.
4. Review in Fortify Audit Workbench: Use the desktop client or web interface to review, triage, and track findings across your projects.
When to use Fortify
Fortify is built for enterprises that need broad language coverage, including legacy languages like COBOL and ABAP that many modern SAST tools don’t support. The Gartner Leader status for 11 years and deep vulnerability category coverage make it a common choice for regulated industries.
For teams that want lighter-weight or open-source SAST, tools like Semgrep or SonarQube offer faster time-to-value. Fortify’s strength is comprehensive enterprise coverage. For a head-to-head comparison, see our Checkmarx vs Fortify guide.
Best for
Enterprise teams that need broad language coverage including legacy languages, with flexible deployment (on-premises, SaaS, or hybrid).
Note: Now under OpenText, which acquired Micro Focus in 2023. Includes Fortify Aviator AI for automated code fixes.
Frequently Asked Questions
What is Fortify Static Code Analyzer?
Fortify SCA is an enterprise SAST tool by OpenText that detects 1,700+ categories of vulnerabilities across 33+ programming languages and over 1 million individual APIs. It has been a Gartner Magic Quadrant Leader for Application Security Testing for 11 consecutive years.
Is Fortify SCA free?
No. Fortify SCA is a commercial product available through OpenText. It is offered as on-premises, SaaS (Fortify on Demand), or hybrid deployment.
What AI features does Fortify have?
Fortify Aviator is an AI-powered feature that provides automated code fix suggestions for detected vulnerabilities, helping developers remediate issues faster.
What languages does Fortify support?
Fortify supports 33+ languages including Java, C/C++, C#, JavaScript, Python, Go, Ruby, Swift, Kotlin, PHP, COBOL, ABAP, Apex, and more. It also scans IaC (Terraform, CloudFormation), Docker, Kubernetes, and serverless configurations.