naftiko: 1.0.0-alpha2 info: label: Fortify on Demand API — Releases description: 'Fortify on Demand API — Releases. 16 operations. Lead operation: Fortify List application releases. Self-contained Naftiko capability covering one Fortify business surface.' tags: - Fortify - Releases created: '2026-05-19' modified: '2026-05-19' binds: - namespace: env keys: FORTIFY_API_KEY: FORTIFY_API_KEY capability: consumes: - type: http namespace: on-demand-releases baseUri: https://api.ams.fortify.com description: Fortify on Demand API — Releases business capability. Self-contained, no shared references. resources: - name: api-v3-applications-applicationId-releases path: /api/v3/applications/{applicationId}/releases operations: - name: listapplicationreleases method: GET description: Fortify List application releases outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: modifiedStartDate in: query type: string description: Filter releases modified after this date - name: api-v3-releases path: /api/v3/releases operations: - name: listreleases method: GET description: Fortify List releases outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: modifiedStartDate in: query type: string description: Filter releases modified after this date - name: createrelease method: POST description: Fortify Create release outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: body in: body type: object description: Request body (JSON). required: true - name: api-v3-releases-releaseId path: /api/v3/releases/{releaseId} operations: - name: getrelease method: GET description: Fortify Get release outputRawFormat: json outputParameters: - name: result type: object value: $. - name: updaterelease method: PUT description: Fortify Update release outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: body in: body type: object description: Request body (JSON). required: true - name: deleterelease method: DELETE description: Fortify Delete release outputRawFormat: json outputParameters: - name: result type: object value: $. - name: api-v3-releases-releaseId-assessment-types path: /api/v3/releases/{releaseId}/assessment-types operations: - name: listreleaseassessmenttypes method: GET description: Fortify List assessment types outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: scanType in: query type: string description: Type of scan to retrieve assessment types for required: true - name: api-v3-releases-releaseId-audit-action path: /api/v3/releases/{releaseId}/audit-action operations: - name: setreleaseauditaction method: POST description: Fortify Set audit action outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: body in: body type: object description: Request body (JSON). required: true - name: api-v3-releases-releaseId-audit-options path: /api/v3/releases/{releaseId}/audit-options operations: - name: getreleaseauditoptions method: GET description: Fortify Get audit options outputRawFormat: json outputParameters: - name: result type: object value: $. - name: api-v3-releases-releaseId-category-rollups path: /api/v3/releases/{releaseId}/category-rollups operations: - name: listreleasecategoryrollups method: GET description: Fortify List vulnerability category rollups outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: showFixed in: query type: boolean description: Include fixed vulnerabilities - name: vulnerabilitiesSeverityType in: query type: string description: Filter by severity type - name: api-v3-releases-releaseId-fpr path: /api/v3/releases/{releaseId}/fpr operations: - name: downloadreleasefpr method: GET description: Fortify Download release FPR outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: scanType in: query type: string description: Type of scan to download FPR for - name: api-v3-releases-releaseId-import-scan-session-id path: /api/v3/releases/{releaseId}/import-scan-session-id operations: - name: getreleaseimportscansessionid method: GET description: Fortify Get import scan session ID outputRawFormat: json outputParameters: - name: result type: object value: $. - name: api-v3-releases-releaseId-scans path: /api/v3/releases/{releaseId}/scans operations: - name: listreleasescans method: GET description: Fortify List release scans outputRawFormat: json outputParameters: - name: result type: object value: $. - name: api-v3-releases-releaseId-scans-scanId path: /api/v3/releases/{releaseId}/scans/{scanId} operations: - name: getreleasescan method: GET description: Fortify Get release scan outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: scanId in: path type: integer description: Unique identifier of the scan required: true - name: api-v3-releases-releaseId-scans-scanId-polling-summary path: /api/v3/releases/{releaseId}/scans/{scanId}/polling-summary operations: - name: getreleasescanpollingsummary method: GET description: Fortify Get scan polling summary outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: scanId in: path type: integer description: Unique identifier of the scan required: true - name: api-v3-releases-releaseId-static-scan-options path: /api/v3/releases/{releaseId}/static-scan-options operations: - name: getreleasestaticscanoptions method: GET description: Fortify Get static scan options outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: technologyStack in: query type: string description: Technology stack identifier - name: languageLevel in: query type: string description: Language level identifier - name: assessmentTypeId in: query type: integer description: Assessment type identifier - name: entitlementFrequencyType in: query type: string description: Entitlement frequency type authentication: type: bearer token: '{{env.FORTIFY_API_KEY}}' exposes: - type: rest namespace: on-demand-releases-rest port: 8080 description: REST adapter for Fortify on Demand API — Releases. One Spectral-compliant resource per consumed operation, prefixed with /v1. resources: - path: /v1/api/v3/applications/{applicationid}/releases name: api-v3-applications-applicationid-releases description: REST surface for api-v3-applications-applicationId-releases. operations: - method: GET name: listapplicationreleases description: Fortify List application releases call: on-demand-releases.listapplicationreleases with: modifiedStartDate: rest.modifiedStartDate outputParameters: - type: object mapping: $. - path: /v1/api/v3/releases name: api-v3-releases description: REST surface for api-v3-releases. operations: - method: GET name: listreleases description: Fortify List releases call: on-demand-releases.listreleases with: modifiedStartDate: rest.modifiedStartDate outputParameters: - type: object mapping: $. - method: POST name: createrelease description: Fortify Create release call: on-demand-releases.createrelease with: body: rest.body outputParameters: - type: object mapping: $. - path: /v1/api/v3/releases/{releaseid} name: api-v3-releases-releaseid description: REST surface for api-v3-releases-releaseId. operations: - method: GET name: getrelease description: Fortify Get release call: on-demand-releases.getrelease outputParameters: - type: object mapping: $. - method: PUT name: updaterelease description: Fortify Update release call: on-demand-releases.updaterelease with: body: rest.body outputParameters: - type: object mapping: $. - method: DELETE name: deleterelease description: Fortify Delete release call: on-demand-releases.deleterelease outputParameters: - type: object mapping: $. - path: /v1/api/v3/releases/{releaseid}/assessment-types name: api-v3-releases-releaseid-assessment-types description: REST surface for api-v3-releases-releaseId-assessment-types. operations: - method: GET name: listreleaseassessmenttypes description: Fortify List assessment types call: on-demand-releases.listreleaseassessmenttypes with: scanType: rest.scanType outputParameters: - type: object mapping: $. - path: /v1/api/v3/releases/{releaseid}/audit-action name: api-v3-releases-releaseid-audit-action description: REST surface for api-v3-releases-releaseId-audit-action. operations: - method: POST name: setreleaseauditaction description: Fortify Set audit action call: on-demand-releases.setreleaseauditaction with: body: rest.body outputParameters: - type: object mapping: $. - path: /v1/api/v3/releases/{releaseid}/audit-options name: api-v3-releases-releaseid-audit-options description: REST surface for api-v3-releases-releaseId-audit-options. operations: - method: GET name: getreleaseauditoptions description: Fortify Get audit options call: on-demand-releases.getreleaseauditoptions outputParameters: - type: object mapping: $. - path: /v1/api/v3/releases/{releaseid}/category-rollups name: api-v3-releases-releaseid-category-rollups description: REST surface for api-v3-releases-releaseId-category-rollups. operations: - method: GET name: listreleasecategoryrollups description: Fortify List vulnerability category rollups call: on-demand-releases.listreleasecategoryrollups with: showFixed: rest.showFixed vulnerabilitiesSeverityType: rest.vulnerabilitiesSeverityType outputParameters: - type: object mapping: $. - path: /v1/api/v3/releases/{releaseid}/fpr name: api-v3-releases-releaseid-fpr description: REST surface for api-v3-releases-releaseId-fpr. operations: - method: GET name: downloadreleasefpr description: Fortify Download release FPR call: on-demand-releases.downloadreleasefpr with: scanType: rest.scanType outputParameters: - type: object mapping: $. - path: /v1/api/v3/releases/{releaseid}/import-scan-session-id name: api-v3-releases-releaseid-import-scan-session-id description: REST surface for api-v3-releases-releaseId-import-scan-session-id. operations: - method: GET name: getreleaseimportscansessionid description: Fortify Get import scan session ID call: on-demand-releases.getreleaseimportscansessionid outputParameters: - type: object mapping: $. - path: /v1/api/v3/releases/{releaseid}/scans name: api-v3-releases-releaseid-scans description: REST surface for api-v3-releases-releaseId-scans. operations: - method: GET name: listreleasescans description: Fortify List release scans call: on-demand-releases.listreleasescans outputParameters: - type: object mapping: $. - path: /v1/api/v3/releases/{releaseid}/scans/{scanid} name: api-v3-releases-releaseid-scans-scanid description: REST surface for api-v3-releases-releaseId-scans-scanId. operations: - method: GET name: getreleasescan description: Fortify Get release scan call: on-demand-releases.getreleasescan with: scanId: rest.scanId outputParameters: - type: object mapping: $. - path: /v1/api/v3/releases/{releaseid}/scans/{scanid}/polling-summary name: api-v3-releases-releaseid-scans-scanid-polling-summary description: REST surface for api-v3-releases-releaseId-scans-scanId-polling-summary. operations: - method: GET name: getreleasescanpollingsummary description: Fortify Get scan polling summary call: on-demand-releases.getreleasescanpollingsummary with: scanId: rest.scanId outputParameters: - type: object mapping: $. - path: /v1/api/v3/releases/{releaseid}/static-scan-options name: api-v3-releases-releaseid-static-scan-options description: REST surface for api-v3-releases-releaseId-static-scan-options. operations: - method: GET name: getreleasestaticscanoptions description: Fortify Get static scan options call: on-demand-releases.getreleasestaticscanoptions with: technologyStack: rest.technologyStack languageLevel: rest.languageLevel assessmentTypeId: rest.assessmentTypeId entitlementFrequencyType: rest.entitlementFrequencyType outputParameters: - type: object mapping: $. - type: mcp namespace: on-demand-releases-mcp port: 9090 transport: http description: MCP adapter for Fortify on Demand API — Releases. One tool per consumed operation, routed inline through this capability's consumes block. tools: - name: fortify-list-application-releases description: Fortify List application releases hints: readOnly: true destructive: false idempotent: true call: on-demand-releases.listapplicationreleases with: modifiedStartDate: tools.modifiedStartDate outputParameters: - type: object mapping: $. - name: fortify-list-releases description: Fortify List releases hints: readOnly: true destructive: false idempotent: true call: on-demand-releases.listreleases with: modifiedStartDate: tools.modifiedStartDate outputParameters: - type: object mapping: $. - name: fortify-create-release description: Fortify Create release hints: readOnly: false destructive: false idempotent: false call: on-demand-releases.createrelease with: body: tools.body outputParameters: - type: object mapping: $. - name: fortify-get-release description: Fortify Get release hints: readOnly: true destructive: false idempotent: true call: on-demand-releases.getrelease outputParameters: - type: object mapping: $. - name: fortify-update-release description: Fortify Update release hints: readOnly: false destructive: false idempotent: true call: on-demand-releases.updaterelease with: body: tools.body outputParameters: - type: object mapping: $. - name: fortify-delete-release description: Fortify Delete release hints: readOnly: false destructive: true idempotent: true call: on-demand-releases.deleterelease outputParameters: - type: object mapping: $. - name: fortify-list-assessment-types description: Fortify List assessment types hints: readOnly: true destructive: false idempotent: true call: on-demand-releases.listreleaseassessmenttypes with: scanType: tools.scanType outputParameters: - type: object mapping: $. - name: fortify-set-audit-action description: Fortify Set audit action hints: readOnly: false destructive: false idempotent: false call: on-demand-releases.setreleaseauditaction with: body: tools.body outputParameters: - type: object mapping: $. - name: fortify-get-audit-options description: Fortify Get audit options hints: readOnly: true destructive: false idempotent: true call: on-demand-releases.getreleaseauditoptions outputParameters: - type: object mapping: $. - name: fortify-list-vulnerability-category-rollups description: Fortify List vulnerability category rollups hints: readOnly: true destructive: false idempotent: true call: on-demand-releases.listreleasecategoryrollups with: showFixed: tools.showFixed vulnerabilitiesSeverityType: tools.vulnerabilitiesSeverityType outputParameters: - type: object mapping: $. - name: fortify-download-release-fpr description: Fortify Download release FPR hints: readOnly: true destructive: false idempotent: true call: on-demand-releases.downloadreleasefpr with: scanType: tools.scanType outputParameters: - type: object mapping: $. - name: fortify-get-import-scan-session description: Fortify Get import scan session ID hints: readOnly: true destructive: false idempotent: true call: on-demand-releases.getreleaseimportscansessionid outputParameters: - type: object mapping: $. - name: fortify-list-release-scans description: Fortify List release scans hints: readOnly: true destructive: false idempotent: true call: on-demand-releases.listreleasescans outputParameters: - type: object mapping: $. - name: fortify-get-release-scan description: Fortify Get release scan hints: readOnly: true destructive: false idempotent: true call: on-demand-releases.getreleasescan with: scanId: tools.scanId outputParameters: - type: object mapping: $. - name: fortify-get-scan-polling-summary description: Fortify Get scan polling summary hints: readOnly: true destructive: false idempotent: true call: on-demand-releases.getreleasescanpollingsummary with: scanId: tools.scanId outputParameters: - type: object mapping: $. - name: fortify-get-static-scan-options description: Fortify Get static scan options hints: readOnly: true destructive: false idempotent: true call: on-demand-releases.getreleasestaticscanoptions with: technologyStack: tools.technologyStack languageLevel: tools.languageLevel assessmentTypeId: tools.assessmentTypeId entitlementFrequencyType: tools.entitlementFrequencyType outputParameters: - type: object mapping: $.