Fortify · Capability

Fortify on Demand API — Scans

Fortify on Demand API — Scans. 6 operations. Lead operation: Fortify List application scans. Self-contained Naftiko capability covering one Fortify business surface.

Run with Naftiko FortifyScans

What You Can Do

GET
Listapplicationscans — Fortify List application scans
/v1/api/v3/applications/{applicationid}/scans
GET
Listreleaseassessmenttypes — Fortify List assessment types
/v1/api/v3/releases/{releaseid}/assessment-types
GET
Getreleaseimportscansessionid — Fortify Get import scan session ID
/v1/api/v3/releases/{releaseid}/import-scan-session-id
GET
Listreleasescans — Fortify List release scans
/v1/api/v3/releases/{releaseid}/scans
GET
Getreleasescan — Fortify Get release scan
/v1/api/v3/releases/{releaseid}/scans/{scanid}
GET
Getreleasescanpollingsummary — Fortify Get scan polling summary
/v1/api/v3/releases/{releaseid}/scans/{scanid}/polling-summary

MCP Tools

fortify-list-application-scans

Fortify List application scans

read-only idempotent
fortify-list-assessment-types

Fortify List assessment types

read-only idempotent
fortify-get-import-scan-session

Fortify Get import scan session ID

read-only idempotent
fortify-list-release-scans

Fortify List release scans

read-only idempotent
fortify-get-release-scan

Fortify Get release scan

read-only idempotent
fortify-get-scan-polling-summary

Fortify Get scan polling summary

read-only idempotent

Capability Spec

on-demand-scans.yaml Raw ↑ 
naftiko: 1.0.0-alpha2
info:
  label: Fortify on Demand API — Scans
  description: 'Fortify on Demand API — Scans. 6 operations. Lead operation: Fortify List application scans. Self-contained
    Naftiko capability covering one Fortify business surface.'
  tags:
  - Fortify
  - Scans
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    FORTIFY_API_KEY: FORTIFY_API_KEY
capability:
  consumes:
  - type: http
    namespace: on-demand-scans
    baseUri: https://api.ams.fortify.com
    description: Fortify on Demand API — Scans business capability. Self-contained, no shared references.
    resources:
    - name: api-v3-applications-applicationId-scans
      path: /api/v3/applications/{applicationId}/scans
      operations:
      - name: listapplicationscans
        method: GET
        description: Fortify List application scans
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-v3-releases-releaseId-assessment-types
      path: /api/v3/releases/{releaseId}/assessment-types
      operations:
      - name: listreleaseassessmenttypes
        method: GET
        description: Fortify List assessment types
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: scanType
          in: query
          type: string
          description: Type of scan to retrieve assessment types for
          required: true
    - name: api-v3-releases-releaseId-import-scan-session-id
      path: /api/v3/releases/{releaseId}/import-scan-session-id
      operations:
      - name: getreleaseimportscansessionid
        method: GET
        description: Fortify Get import scan session ID
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-v3-releases-releaseId-scans
      path: /api/v3/releases/{releaseId}/scans
      operations:
      - name: listreleasescans
        method: GET
        description: Fortify List release scans
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-v3-releases-releaseId-scans-scanId
      path: /api/v3/releases/{releaseId}/scans/{scanId}
      operations:
      - name: getreleasescan
        method: GET
        description: Fortify Get release scan
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: scanId
          in: path
          type: integer
          description: Unique identifier of the scan
          required: true
    - name: api-v3-releases-releaseId-scans-scanId-polling-summary
      path: /api/v3/releases/{releaseId}/scans/{scanId}/polling-summary
      operations:
      - name: getreleasescanpollingsummary
        method: GET
        description: Fortify Get scan polling summary
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: scanId
          in: path
          type: integer
          description: Unique identifier of the scan
          required: true
    authentication:
      type: bearer
      token: '{{env.FORTIFY_API_KEY}}'
  exposes:
  - type: rest
    namespace: on-demand-scans-rest
    port: 8080
    description: REST adapter for Fortify on Demand API — Scans. One Spectral-compliant resource per consumed operation, prefixed
      with /v1.
    resources:
    - path: /v1/api/v3/applications/{applicationid}/scans
      name: api-v3-applications-applicationid-scans
      description: REST surface for api-v3-applications-applicationId-scans.
      operations:
      - method: GET
        name: listapplicationscans
        description: Fortify List application scans
        call: on-demand-scans.listapplicationscans
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v3/releases/{releaseid}/assessment-types
      name: api-v3-releases-releaseid-assessment-types
      description: REST surface for api-v3-releases-releaseId-assessment-types.
      operations:
      - method: GET
        name: listreleaseassessmenttypes
        description: Fortify List assessment types
        call: on-demand-scans.listreleaseassessmenttypes
        with:
          scanType: rest.scanType
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v3/releases/{releaseid}/import-scan-session-id
      name: api-v3-releases-releaseid-import-scan-session-id
      description: REST surface for api-v3-releases-releaseId-import-scan-session-id.
      operations:
      - method: GET
        name: getreleaseimportscansessionid
        description: Fortify Get import scan session ID
        call: on-demand-scans.getreleaseimportscansessionid
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v3/releases/{releaseid}/scans
      name: api-v3-releases-releaseid-scans
      description: REST surface for api-v3-releases-releaseId-scans.
      operations:
      - method: GET
        name: listreleasescans
        description: Fortify List release scans
        call: on-demand-scans.listreleasescans
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v3/releases/{releaseid}/scans/{scanid}
      name: api-v3-releases-releaseid-scans-scanid
      description: REST surface for api-v3-releases-releaseId-scans-scanId.
      operations:
      - method: GET
        name: getreleasescan
        description: Fortify Get release scan
        call: on-demand-scans.getreleasescan
        with:
          scanId: rest.scanId
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v3/releases/{releaseid}/scans/{scanid}/polling-summary
      name: api-v3-releases-releaseid-scans-scanid-polling-summary
      description: REST surface for api-v3-releases-releaseId-scans-scanId-polling-summary.
      operations:
      - method: GET
        name: getreleasescanpollingsummary
        description: Fortify Get scan polling summary
        call: on-demand-scans.getreleasescanpollingsummary
        with:
          scanId: rest.scanId
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: on-demand-scans-mcp
    port: 9090
    transport: http
    description: MCP adapter for Fortify on Demand API — Scans. One tool per consumed operation, routed inline through this
      capability's consumes block.
    tools:
    - name: fortify-list-application-scans
      description: Fortify List application scans
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: on-demand-scans.listapplicationscans
      outputParameters:
      - type: object
        mapping: $.
    - name: fortify-list-assessment-types
      description: Fortify List assessment types
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: on-demand-scans.listreleaseassessmenttypes
      with:
        scanType: tools.scanType
      outputParameters:
      - type: object
        mapping: $.
    - name: fortify-get-import-scan-session
      description: Fortify Get import scan session ID
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: on-demand-scans.getreleaseimportscansessionid
      outputParameters:
      - type: object
        mapping: $.
    - name: fortify-list-release-scans
      description: Fortify List release scans
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: on-demand-scans.listreleasescans
      outputParameters:
      - type: object
        mapping: $.
    - name: fortify-get-release-scan
      description: Fortify Get release scan
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: on-demand-scans.getreleasescan
      with:
        scanId: tools.scanId
      outputParameters:
      - type: object
        mapping: $.
    - name: fortify-get-scan-polling-summary
      description: Fortify Get scan polling summary
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: on-demand-scans.getreleasescanpollingsummary
      with:
        scanId: tools.scanId
      outputParameters:
      - type: object
        mapping: $.