Frequently Asked Questions (FAQs)
Can I run a DAST scan on the web applications hosted on the same local host?
Yes, but you need to specify the correct hostname or IP address of the web application, which a scanner Docker container or FortiDAST can resolve. Do not use localhost or 127.0.0.1 in the URL as this does not work.
Do I require a FortiDAST license to run a DAST scan?
The FortiDAST license is included in the FortiDevSec standard license and supports up to a maximum of 5 assets/apps. Use FortiDevSec FortiDAST Add-on license to expand upon the standard license to support additional assets/apps. See Licensing.
Note: If you already own the FortiDAST standard license, it can be used to expand upon the FortiDevSec standard license to perform DAST scanning of additional assets/apps.
Do I need to install a Docker engine in the host/machine to run a SAST/DAST scan?
Yes, since the FortiDevSec SAST and DAST scanners are docker images, you are required to install a Docker engine in that host/machine with the required user access/permission, to scan (automatic/manual) through the CI/CD pipeline. See Prerequisite.
When do the vulnerabilities from FortiDevSec get populated to the configured Jira project for the FortiDevSec application?
The identified vulnerabilities in the FortiDevSec application are populated to the configured Jira project only after the scan or rescan of that application. Issues are pushed in batches after each individual scanner finishes.
Note: Only the bug tracking project template, under the (Jira) software development, is currently supported for exporting vulnerabilities from FortiDevSec to Jira.
Does any change of the vulnerability status in the FortiDevSec application get synchronized to the configured Jira Project?
No. Only the vulnerability status updated in the configured Jira Project (Cloud or On-Prem) are synchronized to the FortiDevSec application. Status updates from FortiDevSec to Jira is not currently supported.
How does the status mapping work between the FortiDevSec vulnerabilities and Jira project issues?
The status mapping is as follows.
Jira Status |
FortiDevSec Status |
---|---|
TO DO | New |
DONE | Fixed |
IN REVIEW/IN PROGRESS | Confirmed |
How to generate the API Key for Jira Cloud and PAT (Personal Access Token) for Jira On-Prem, required for Jira integration with FortiDevSec application?
Use the following links to generate the API Key and PAT for Jira Cloud and On-Prem respectively.
- Jira Cloud - https://id.atlassian.com/manage-profile/security/api-tokens
- Jira on-Prem - https://confluence.atlassian.com/enterprise/using-personal-access-tokens-1026032365.html
What happens when I revoke the API Key in Jira cloud?
FortiDevSec will not be able to add or update the vulnerabilities in Jira, so you need to generate a new API key.
Will the vulnerability status updates done in JIRA automatically be synchronized with FortiDevSec?
No, you must manually synchronize JIRA updates using the Sync option in FortiDevSec. See Viewing the Scan Result.
What happens if I delete the sample app from the dashboard as an Org owner (master user)?
Deleting the sample app from the organization owner's account will remove it for all users in the organization, including users managed by both Identity and Access Management (IAM) and an Identity Provider (IdP).