naftiko: 1.0.0-alpha2
info:
  label: Fortify on Demand API — Open Source Scans
  description: 'Fortify on Demand API — Open Source Scans. 2 operations. Lead operation: Fortify Download open source SBOM. Self-contained Naftiko capability covering one Fortify business surface.'
  tags:
  - Fortify
  - Open Source Scans
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    FORTIFY_API_KEY: FORTIFY_API_KEY
capability:
  consumes:
  - type: http
    namespace: on-demand-open-source-scans
    baseUri: https://api.ams.fortify.com
    description: Fortify on Demand API — Open Source Scans business capability. Self-contained, no shared references.
    resources:
    - name: api-v3-open-source-scans-scanId-sbom
      path: /api/v3/open-source-scans/{scanId}/sbom
      operations:
      - name: downloadopensourcesbom
        method: GET
        description: Fortify Download open source SBOM
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: scanId
          in: path
          type: integer
          description: Unique identifier of the open source scan
          required: true
        - name: format
          in: query
          type: string
          description: SBOM output format
    - name: api-v3-releases-releaseId-open-source-scans-start-scan
      path: /api/v3/releases/{releaseId}/open-source-scans/start-scan
      operations:
      - name: startopensourcescan
        method: POST
        description: Fortify Start open source scan
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: fragNo
          in: query
          type: integer
          description: Fragment number for chunked upload
        - name: offset
          in: query
          type: integer
          description: Byte offset for chunked upload
    authentication:
      type: bearer
      token: '{{env.FORTIFY_API_KEY}}'
  exposes:
  - type: rest
    namespace: on-demand-open-source-scans-rest
    port: 8080
    description: REST adapter for Fortify on Demand API — Open Source Scans. One Spectral-compliant resource per consumed operation, prefixed with /v1.
    resources:
    - path: /v1/api/v3/open-source-scans/{scanid}/sbom
      name: api-v3-open-source-scans-scanid-sbom
      description: REST surface for api-v3-open-source-scans-scanId-sbom.
      operations:
      - method: GET
        name: downloadopensourcesbom
        description: Fortify Download open source SBOM
        call: on-demand-open-source-scans.downloadopensourcesbom
        with:
          scanId: rest.scanId
          format: rest.format
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v3/releases/{releaseid}/open-source-scans/start-scan
      name: api-v3-releases-releaseid-open-source-scans-start-scan
      description: REST surface for api-v3-releases-releaseId-open-source-scans-start-scan.
      operations:
      - method: POST
        name: startopensourcescan
        description: Fortify Start open source scan
        call: on-demand-open-source-scans.startopensourcescan
        with:
          fragNo: rest.fragNo
          offset: rest.offset
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: on-demand-open-source-scans-mcp
    port: 9090
    transport: http
    description: MCP adapter for Fortify on Demand API — Open Source Scans. One tool per consumed operation, routed inline through this capability's consumes block.
    tools:
    - name: fortify-download-open-source-sbom
      description: Fortify Download open source SBOM
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: on-demand-open-source-scans.downloadopensourcesbom
      with:
        scanId: tools.scanId
        format: tools.format
      outputParameters:
      - type: object
        mapping: $.
    - name: fortify-start-open-source-scan
      description: Fortify Start open source scan
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: on-demand-open-source-scans.startopensourcescan
      with:
        fragNo: tools.fragNo
        offset: tools.offset
      outputParameters:
      - type: object
        mapping: $.