AI agent skills that teach Claude, GitHub Copilot and other AI agents how to use OpenText Fortify effectively — covering SAST/DAST/SCA scanning, vulnerability triage, audit workflows, CI/CD integration, FCLI commands and more.
| Skill | Description |
|---|---|
| fortify-fod | Fortify on Demand (SaaS) — applications, releases, scans, issues, OSS analysis, portfolio reporting |
| fortify-ssc | Software Security Center (on-premise) — manage application versions, artifacts, scan jobs, issue triage |
| fortify-remediate | Fix vulnerabilities detected by Fortify — SAST, DAST, and SCA findings; Aviator AI remediation |
| fortify-security-assistant | Detect common, high impact security issues in code as it is being generated |
| fortify-create-app | Create new Fortify applications in FoD or SSC — guided onboarding with validation and defaults |
| fortify-cicd-integration | Add Fortify scanning to CI/CD pipelines — GitHub Actions, GitLab CI, Azure DevOps, Jenkins |
| fcli-common | Fortify CLI (fcli) — installation, authentication, output formats, SpEL queries, custom actions |
Agents are multi-skill orchestrators that handle end-to-end workflows.
| Agent | Description |
|---|---|
| fortify-onboarding | Onboard new applications into Fortify (FoD or SSC) — creates the app, configures settings, and optionally sets up CI/CD scanning pipelines. Handles single repos, bulk lists, or entire GitHub/GitLab/Azure DevOps organizations |
- fcli installed and on your PATH — install instructions
- An active Fortify on Demand (FoD) or Software Security Center (SSC) account
- An AI assistant that supports Agent Skills (Claude Code, GitHub Copilot, Cursor, Gemini CLI, etc.)
Add the marketplace from GitHub, then install the plugin:
claude plugin marketplace add fortify/skills
claude plugin install fortify-skills@fortifyThe plugin registers all seven skills and the onboarding agent automatically.
Recommended: install the Fortify Code Security VS Code extension. It bundles all Fortify skills, can automatically install fcli, and adds full IDE integration (scanning, vulnerability review, Aviator AI remediation, and an optional fcli MCP server):
- Open VS Code and search for Fortify Code Security in the Extensions panel, or install directly:
ext install fortifyvsts.fortify-code-security - The extension registers all skills automatically and sets up GitHub Copilot Agent Mode integration.
Alternative: manual install. Copy the skills to your Copilot skills directory:
<user>/.copilot/skills/
This gives you the skills without the IDE features (scanning UI, vulnerability browser, Aviator inline fixes, MCP server).
This repository includes a marketplace catalog at .agents/plugins/marketplace.json. When the repo is your current workspace, Codex discovers it automatically as a repo-scoped marketplace. Open the plugin directory, select OpenText Fortify, and install fortify-skills.
To make the plugin available across all workspaces, add an entry to your personal marketplace at ~/.agents/plugins/marketplace.json (create the file if it doesn't exist), replacing <path> with the absolute path to this directory:
{
"name": "fortify",
"interface": { "displayName": "OpenText Fortify" },
"plugins": [
{
"name": "fortify-skills",
"source": { "source": "local", "path": "<path>" },
"policy": { "installation": "AVAILABLE", "authentication": "ON_INSTALL" },
"category": "Security"
}
]
}Then restart Codex. The plugin registers all seven skills automatically.
Install directly from the GitHub repository:
gemini extensions install https://github.com/fortify/skillsThe extension bundles all seven skills. Gemini CLI auto-discovers them and activates whichever skill is relevant to your task.
To test locally before publishing:
gemini extensions link /path/to/publicAny assistant that supports the Agent Skills standard can load skills from this directory. Point your assistant's skill path to the skills/ subdirectory.
Once installed, the skills activate automatically when relevant. Examples of prompts that trigger each skill:
| Prompt | Skill / Agent activated |
|---|---|
| "Onboard this repo to Fortify" | fortify-onboarding (agent) |
| "Create a new application in FoD for our payments team" | fortify-create-app |
| "Show me all critical issues in the payment-service release" | fortify-fod |
| "Upload my FPR and check policy compliance" | fortify-ssc |
| "Fix the SQL Injection findings in UserService.java" | fortify-remediate |
| "Add a new endpoint that returns account details" | fortify-security-assistant |
| "Add Fortify scanning to my GitHub Actions workflows" | fortify-cicd-integration |
| "Create a custom fcli action to export FoD critical issues as CSV" | fortify-fod + fcli-common |
MIT