Releases: fortify/fcli

Development Release - dev/v3.x branch

22 Apr 12:38
c23d9e1

Pre-release

See Assets section below for latest build artifacts

Development Release - feat/v3.x/jrpc branch

21 Apr 11:04

See Assets section below for latest build artifacts

v3.17.0

10 Apr 14:30
68e96a6

3.17.0 (2026-04-10)

Features

  • fcli aviator entitlement list-dast: New command for querying DAST entitlements (credit-based model) (8521a9f)
  • fcli aviator entitlement list-sast: New command for querying SAST entitlements (8521a9f)
  • fcli aviator entitlement list: Deprecated; use fcli aviator entitlement list-sast instead (8521a9f)
  • fcli aviator ssc apply-remediations: Add --latest, --all, --since, --av options for easier selection of Aviator-processed artifacts (8521a9f)
  • fcli aviator ssc audit: Add --folder-priority-order option to prioritize folders for issue selection if open issues exceed aviator app quota (8521a9f)
  • fcli aviator ssc audit: Add --skip-if-exceeding-quota option to skip audits if open issues exceed aviator app quota (8521a9f)
  • fcli aviator ssc audit: Add --test-exceeding-quota option for dry-run mode to report potential skips without auditing if open issues exceed aviator app quota (8521a9f)
  • fcli fod aviator apply-remediations: New command for applying Aviator remediations from Fortify on Demand (8521a9f)
  • fcli sc-dast scan delete: Add --force option to request forced deletion (0fb8a4d)
  • SSC bulkaudit action: Add --aviator-app-mapping option to control SSC app/version to Aviator application mapping (8521a9f)

Bug Fixes

  • fcli aviator ssc audit: Reduce memory consumption while parsing FPR files (8521a9f)
  • fcli fod access-control: Throw exception if invalid role is specified on create-user or update-user commands (c0fb907)
  • fcli fod: Fix loading of attribute definitions on FoD 26.2+ (5af0833)
  • fcli fod: Use default attribute values from FoD 26.2+ if available for --auto-required-attrs (#969) (fd0fefd)
  • fcli ssc * list: Improve server-side query generation to support matches operator (eb1170d)
  • fcli util mcp-server start: Expose fcli ssc issue update command (10ce4bc)
  • fcli util mcp-server start: Improve server-side query generation/handling (eb1170d)
  • Fix duplicate HTTP request headers (427e929)
  • Implement exponential back-off retry strategy on HTTP 502/503 errors for GET requests to SSC, SC-DAST, SC-DAST, and FoD (45a47ca)

v3.17

10 Apr 15:01
68e96a6

Semantic version release for v3.17.0

v3

10 Apr 15:01
68e96a6

Semantic version release for v3.17.0

latest

10 Apr 15:01
68e96a6

Semantic version release for v3.17.0

Development Release - feat/v3.x/aviator/26.2 branch

09 Apr 12:08
9b6a4bc

See Assets section below for latest build artifacts

v3.16.0

24 Mar 09:23
3f96b56

3.16.0 (2026-03-24)

Features

  • fcli fod dast-scan start: Add --vpn option to select Fortify Connect network name (0d66c01)
  • fcli fod oss-scan download-latest: Add --format option to support selecting CycloneDX or SPDX SBOM formats (dee92ef)
  • fcli fod oss-scan download: Add --format option to support selecting CycloneDX or SPDX SBOM formats (dee92ef)
  • fcli fod sast-scan import-sarf: New command to support importing SAST scan results in SARIF format (dee92ef)
  • fcli ssc access-control update-local-user: New command for updating a local SSC user (0809f3a)
  • fcli ssc issue update: New command for updating/auditing SSC issues (f33d814)
  • fcli tool sourceanalyzer: New commands to register a pre-installed sourceanalyzer installation and to run sourceanalyzer and rule pack update commands (e5d9e98)

Bug Fixes

  • fcli action run ci: Use ephemeral encryption key for sensitive (session) files (fixes #949) (5b7c085)
  • fcli fod dast-scan start: Fix DAST scan not starting first time when using fcli (fixes #917) (0d66c01)
  • fcli fod microservice create: Disallow microservice creation on non-microservice application (fixes #873) (0d66c01)
  • fcli tool sc-client install: Fix --with-jre option being ignored (8db476c)
  • fcli action framework: Clear progress before writing checks output (be3c1ae)
  • fcli action framework: Return exit code 100 for FAIL status on check instructions (fixes #950) (8467063)
  • Fix ANSI color output on Windows (7111525)
  • Fix multithreading issues (fixes #925) (4cfd2dd)

v3.16

24 Mar 09:46
3f96b56

Semantic version release for v3.16.0

v3.15.0

22 Feb 14:58
4146d42

3.15.0 (2026-02-22)

Features

  • bitbucket-*-report actions: Add --publish option to publish reports directly to Bitbucket (only available when running in a Bitbucket pipeline) (edbe841)
  • fcli fod issue update: Add --attributes option to allow for updating custom attributes (371947b)
  • fcli license ncd-report create: Make projects configuration setting optional, iterating over all projects in organization by default (edbe841)
  • fcli sc-sast sensor list: Add --appversion option for listing sensors for the pool to which the given application version is mapped (edbe841)
  • fcli sc-sast sensor list: Add --latest-only option to only return the latest sensor version (edbe841)
  • fcli sc-sast sensor list: Add --pool option for listing sensors for a specific pool (edbe841)
  • fcli sc-sast sensor list: Add compatibleClientVersion to output (edbe841)
  • fcli tool env *: Add --output-as option for ado, github, gitlab commands (3de393c)
  • fcli tool env init: Produce output through fcli output framework to support standard fcli output (format) options and allow other fcli commands or external tools to programmatically process the output (edbe841)
  • fcli tool env init: Support fcli:self and fcli:bootstrapped tool specifiers to register current (bootstrapped) fcli path (mostly meant for testing purposes) (edbe841)
  • github-*-report actions: Add --publish option to publish reports directly to GitHub (only available when running in GitHub Actions workflow) (edbe841)
  • gitlab-*-report actions: Add --publish option to publish reports directly to GitLab (only available when running in GitLab pipeline) (edbe841)
  • Documentation: Add comprehensive fcli-based CI integration documentation for GitHub, GitLab, and Azure DevOps (b936989)
  • Documentation: Add simplified installation & upgrade instructions based on @fortify/setup NPM component (b936989)
  • fcli action framework: out.write instruction now automatically creates non-existing parent directories (b936989)
  • fcli action framework: Add docRenderer().* SpEL functions (internal use only) (b936989)
  • fcli action framework: Add on.fail & on.success handling to all step instructions (cb653b5)
  • fcli action framework: Add CI-specific SpEL functions to allow fcli actions to auto-detect current CI system, upload security reports, add PR/MR comments, ... (edbe841)
  • fcli actions framework: Allow cause to be specified on throw and log.* instructions (7d6c4e9)
  • fcli actions framework: Replace nested steps instructions with do instructions for consistency (cc922da)
  • FoD ci action: Add COPY_FROM_RELEASE convenience environment variable (f7356fe)
  • FoD ci action: Add DO_AVIATOR_AUDIT convenience environment variable (f7356fe)
  • FoD ci action: Add DO_SCA_SCAN convenience environment variable (f7356fe)
  • FoD ci action: Add OVERRIDE_SAST_SETTINGS environment variable to override existing scan settings (f7356fe)
  • FoD ci action: Add SAST_ASSESSMENT_TYPE convenience environment variable (f7356fe)
  • FoD package action: Auto-detect whether -oss option needs to be passed based on SAST scan settings (6fd2957)
  • FoD setup-release action: Add --override-sast-settings CLI option (f7356fe)
  • FoD/SSC github-sast-report action: Publish Fortify issues either through SARIF file or as check run annotations depending on availability of GitHub Advanced Security Code Scanning features (afcad35)
  • SSC package action: Auto-detect compatible ScanCentral Client version for packaging (if no explicit version configured by user) (edbe841)

Bug Fixes

  • ci action: Skip PR comment if enabled but current run is not for a PR (b61c483)
  • fcli * action run: Fix option parsing to better handle boolean flags (ba8d804)
  • fcli tool * register: Fix registration of unknown tool versions from user-provided path (edbe841)
  • fcli tool env init: Fix registration of unknown tool versions from user-provided path (edbe841)
  • fcli tool sc-client install: Improve JRE detection (a9f3146)
  • fcli tool sc-client install: Install Alpine-compatible JRE if on Alpine (f632a4d)
  • fcli action framework: #join SpEL function: Improve support for multiple newline/tab characters in separator (b936989)
  • fcli action framework: Fix output of log.info and log.warn instructions (edbe841)
  • FoD/SSC *-report actions: Report issue file paths relative to workspace directory instead of SOURCE_DIR (afcad35)