
Support Matrix

Supported Scanners

Scanner

Description

SAST

Scans the source code of an application during development so that vulnerabilities are found and fixed before the code is released. The application languages supported for SAST are Shell, Java, Ruby on Rails, Python, Golang, PHP, JavaScript, C, and C++.

SCA

Scans for known vulnerabilities in the open-source libraries and components that the application depends on. The programming languages supported by the SCA scanner are Java, JavaScript, Ruby, Python, Golang, and PHP.

Secret

Scans to detect certificates and other secrets committed into Git.

IaC

Scans your IaC configuration files for Terraform, Ansible, AWS CloudFormation, and Kubernetes to identify potential misconfigurations and vulnerabilities.

Container

Scans container components to identify potential vulnerabilities.

DAST

Scans a deployed application at runtime to detect vulnerabilities. The DAST scanner supports scanning of assets/targets hosted on both the internal network of an organization and the external/public network.

The DAST scanner allows you to configure either a quick scan or a full scan using FortiPenTest. For more information, see FortiPenTest Scanner.

  • Quick scan: A quick scan is a fast scanning mode that provides a vulnerability assessment based on limited testing and crawling of the static pages of your asset. Pages are discovered by extracting URLs from HTML tags and attributes, so endpoints that are only reachable through client-side behavior are not covered.

  • Full scan: A full scan provides a vulnerability assessment based on complete testing and crawling of both the static and the dynamic pages of your asset. The crawler also simulates browsing, such as clicking buttons, links, and images, to exercise the interaction between the dynamic pages and the browser. This mode takes longer than a quick scan.
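The difference between the two crawl modes, shown as an added example that is not FortiPenTest or FortiDevSec code: a minimal static crawler that, like a quick scan, only extracts URLs from HTML tags and attributes. The sample page, the base URL, and the attribute list are constructed for the example. The Export link exists only inside an onclick handler, so attribute extraction never finds it; that is the class of endpoint a full scan reaches by simulating clicks.

```python
"""Static-page URL extraction, the kind of crawl a DAST quick scan performs.

Added example, not FortiDevSec or FortiPenTest code. It shows why a quick
scan that only extracts URLs from HTML tags and attributes sees fewer
endpoints than a full scan that also simulates clicks: links built at
runtime by JavaScript never appear as attribute values. The HTML below is
constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that carry navigable or fetchable URLs (assumed list).
URL_ATTRS = {"href", "src", "action", "data", "formaction", "poster"}


class LinkExtractor(HTMLParser):
    """Collect URL-bearing attribute values from HTML start tags."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.found.append(value.strip())


def static_crawl_urls(html, base_url):
    """Return the sorted same-origin absolute URLs a static crawl would reach.

    Relative URLs are resolved against base_url, fragments are dropped, and
    off-origin, javascript:, mailto: and data: URLs are discarded so that the
    scan stays within the asset it was pointed at.
    """
    parser = LinkExtractor()
    parser.feed(html)
    base = urlsplit(base_url)
    results = set()
    for raw in parser.found:
        absolute = urljoin(base_url, raw)
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https"):
            continue
        if (parts.scheme, parts.netloc) != (base.scheme, base.netloc):
            continue
        results.add(parts._replace(fragment="").geturl())
    return sorted(results)


# Constructed sample page: two static links, one form, one image, one
# off-origin link, and one link that is only built by a click handler.
SAMPLE_HTML = """
<html><body>
  <a href="/login">Login</a>
  <a href="products?id=7#top">Products</a>
  <a href="https://cdn.example.net/lib.js">off-origin</a>
  <a href="javascript:void(0)" onclick="location='/admin/export'">Export</a>
  <form action="/search" method="get"><input name="q"></form>
  <img src="/static/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for url in static_crawl_urls(SAMPLE_HTML, "https://app.example.com/"):
        print(url)
```

Running the block lists /login, /products?id=7, /search, and /static/logo.png; /admin/export is absent because it never appears as an attribute value. If the endpoints you care about are built by scripts in this way, a quick scan will not test them and a full scan is the appropriate mode.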

Note:

  • FortiPenTest reaches the asset/application through a proxy server running in the DAST Docker container.

  • Ensure that the asset/application is reachable from the Docker container in which you are running the scan; a target that is only resolvable or routable from the host, or that is blocked by a firewall rule, will not be scanned.

Supported CI/CD Pipeline Tools

Support for the following CI/CD tools is available. For more information, see Running the Security Scan.

  • AWS CodePipeline
  • Azure DevOps
  • Bamboo
  • CircleCI
  • Drone CI
  • GCP Cloud Build
  • GitHub Actions
  • GitLab
  • Jenkins
  • Travis CI
