---
# Naftiko capability: consumes six GET operations of the Fortify on Demand
# scans API and re-exposes each one through a REST adapter (port 8080) and an
# MCP adapter (port 9090).
naftiko: '1.0.0-alpha2'
info:
  label: Fortify on Demand API — Scans
  description: >-
    Fortify on Demand API — Scans. 6 operations. Lead operation: Fortify List
    application scans. Self-contained Naftiko capability covering one Fortify
    business surface.
  tags:
    - Fortify
    - Scans
  created: '2026-05-19'
  modified: '2026-05-19'

# The upstream credential is bound from the FORTIFY_API_KEY environment
# variable; no secret value is stored in this file.
binds:
  - namespace: env
    keys:
      FORTIFY_API_KEY: FORTIFY_API_KEY

capability:
  consumes:
    - type: http
      namespace: on-demand-scans
      baseUri: https://api.ams.fortify.com
      description: >-
        Fortify on Demand API — Scans business capability. Self-contained, no
        shared references.
      # NOTE(review): {applicationId} and {releaseId} appear in the path
      # templates below, but only scanId and scanType are declared under
      # inputParameters, and no `with` mapping in the adapters supplies them.
      # Confirm how the framework binds these placeholders.
      # `value: $.` presumably passes the whole upstream JSON body through
      # unfiltered — TODO confirm.
      resources:
        - name: api-v3-applications-applicationId-scans
          path: /api/v3/applications/{applicationId}/scans
          operations:
            - name: listapplicationscans
              method: GET
              description: Fortify List application scans
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: api-v3-releases-releaseId-assessment-types
          path: /api/v3/releases/{releaseId}/assessment-types
          operations:
            - name: listreleaseassessmenttypes
              method: GET
              description: Fortify List assessment types
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: scanType
                  in: query
                  type: string
                  description: Type of scan to retrieve assessment types for
                  required: true
        - name: api-v3-releases-releaseId-import-scan-session-id
          path: /api/v3/releases/{releaseId}/import-scan-session-id
          operations:
            - name: getreleaseimportscansessionid
              method: GET
              description: Fortify Get import scan session ID
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: api-v3-releases-releaseId-scans
          path: /api/v3/releases/{releaseId}/scans
          operations:
            - name: listreleasescans
              method: GET
              description: Fortify List release scans
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: api-v3-releases-releaseId-scans-scanId
          path: /api/v3/releases/{releaseId}/scans/{scanId}
          operations:
            - name: getreleasescan
              method: GET
              description: Fortify Get release scan
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: scanId
                  in: path
                  type: integer
                  description: Unique identifier of the scan
                  required: true
        - name: api-v3-releases-releaseId-scans-scanId-polling-summary
          path: /api/v3/releases/{releaseId}/scans/{scanId}/polling-summary
          operations:
            - name: getreleasescanpollingsummary
              method: GET
              description: Fortify Get scan polling summary
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: scanId
                  in: path
                  type: integer
                  description: Unique identifier of the scan
                  required: true
      # The bound key is sent upstream as a bearer token.
      # NOTE(review): the key's scope is not visible here; every operation in
      # this file is a GET, so a read-only, least-privilege key would suffice.
      authentication:
        type: bearer
        token: '{{env.FORTIFY_API_KEY}}'

  # NOTE(review): neither adapter below declares authentication of its own in
  # this file, yet both forward calls upstream with the bound key. Confirm
  # that access to ports 8080 and 9090 is restricted (bind address, network
  # policy or an authenticating proxy); otherwise any client that can reach
  # them reads scan data with this credential.
  exposes:
    - type: rest
      namespace: on-demand-scans-rest
      port: 8080
      description: >-
        REST adapter for Fortify on Demand API — Scans. One Spectral-compliant
        resource per consumed operation, prefixed with /v1.
      # NOTE(review): exposed paths use lowercase placeholders ({releaseid},
      # {scanid}) while `with` reads rest.scanId — confirm the lookup is
      # case-insensitive.
      resources:
        - path: /v1/api/v3/applications/{applicationid}/scans
          name: api-v3-applications-applicationid-scans
          description: REST surface for api-v3-applications-applicationId-scans.
          operations:
            - method: GET
              name: listapplicationscans
              description: Fortify List application scans
              call: on-demand-scans.listapplicationscans
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/api/v3/releases/{releaseid}/assessment-types
          name: api-v3-releases-releaseid-assessment-types
          description: REST surface for api-v3-releases-releaseId-assessment-types.
          operations:
            - method: GET
              name: listreleaseassessmenttypes
              description: Fortify List assessment types
              call: on-demand-scans.listreleaseassessmenttypes
              with:
                scanType: rest.scanType
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/api/v3/releases/{releaseid}/import-scan-session-id
          name: api-v3-releases-releaseid-import-scan-session-id
          description: REST surface for api-v3-releases-releaseId-import-scan-session-id.
          operations:
            - method: GET
              name: getreleaseimportscansessionid
              description: Fortify Get import scan session ID
              call: on-demand-scans.getreleaseimportscansessionid
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/api/v3/releases/{releaseid}/scans
          name: api-v3-releases-releaseid-scans
          description: REST surface for api-v3-releases-releaseId-scans.
          operations:
            - method: GET
              name: listreleasescans
              description: Fortify List release scans
              call: on-demand-scans.listreleasescans
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/api/v3/releases/{releaseid}/scans/{scanid}
          name: api-v3-releases-releaseid-scans-scanid
          description: REST surface for api-v3-releases-releaseId-scans-scanId.
          operations:
            - method: GET
              name: getreleasescan
              description: Fortify Get release scan
              call: on-demand-scans.getreleasescan
              with:
                scanId: rest.scanId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/api/v3/releases/{releaseid}/scans/{scanid}/polling-summary
          name: api-v3-releases-releaseid-scans-scanid-polling-summary
          description: REST surface for api-v3-releases-releaseId-scans-scanId-polling-summary.
          operations:
            - method: GET
              name: getreleasescanpollingsummary
              description: Fortify Get scan polling summary
              call: on-demand-scans.getreleasescanpollingsummary
              with:
                scanId: rest.scanId
              outputParameters:
                - type: object
                  mapping: $.
    - type: mcp
      namespace: on-demand-scans-mcp
      port: 9090
      # NOTE(review): `http` names the MCP transport; whether TLS is applied
      # in front of this port is not visible here — confirm.
      transport: http
      description: >-
        MCP adapter for Fortify on Demand API — Scans. One tool per consumed
        operation, routed inline through this capability's consumes block.
      # Every tool is hinted readOnly/non-destructive/idempotent, matching the
      # GET-only operations it calls.
      tools:
        - name: fortify-list-application-scans
          description: Fortify List application scans
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: on-demand-scans.listapplicationscans
          outputParameters:
            - type: object
              mapping: $.
        - name: fortify-list-assessment-types
          description: Fortify List assessment types
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: on-demand-scans.listreleaseassessmenttypes
          with:
            scanType: tools.scanType
          outputParameters:
            - type: object
              mapping: $.
        - name: fortify-get-import-scan-session
          description: Fortify Get import scan session ID
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: on-demand-scans.getreleaseimportscansessionid
          outputParameters:
            - type: object
              mapping: $.
        - name: fortify-list-release-scans
          description: Fortify List release scans
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: on-demand-scans.listreleasescans
          outputParameters:
            - type: object
              mapping: $.
        - name: fortify-get-release-scan
          description: Fortify Get release scan
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: on-demand-scans.getreleasescan
          with:
            scanId: tools.scanId
          outputParameters:
            - type: object
              mapping: $.
        - name: fortify-get-scan-polling-summary
          description: Fortify Get scan polling summary
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: on-demand-scans.getreleasescanpollingsummary
          with:
            scanId: tools.scanId
          outputParameters:
            - type: object
              mapping: $.