Since I can't add a comment, I'll have to offer this as an answer. Our company has integrated the scan process into our TFS build environment and it works pretty well.
We use a series of "Invoke Process" build activities to make this happen. The entire security scan sequence is wrapped in a conditional which is exposed as an argument to the build definition. This allows us to enable or disable scans as needed. We also expose a few other things like Fortify Project, Fortify Project Version, and another conditional for uploading the FPR file.
The gist of it is this:
Clean:

    sourceanalyzer -b "Build ID" -clean

Build:

    sourceanalyzer -b "Build ID" devenv BuildID.sln /Rebuild Debug /out "C:SSCLogsSSCBuild.log"

Scan:

    sourceanalyzer -b "Build ID" -scan -format fpr -f BuildID.fpr

Upload to SSC:

    fortifyclient.bat -url SSCServerUrl -authtoken XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX uploadFPR -file BuildID.fpr -project "MyProject" -version "MyProject v1.0.0"
If you'd like a full rundown and/or some screen captures, I'd be happy to provide something for you.
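The four steps above (clean, translate via devenv, scan, optional upload) collapsed into one script that a single TFS "Invoke Process" activity can call, as an added example that is not part of the answer above and not Fortify's or Microsoft's own tooling. The parameter names, the `FORTIFY_AUTH_TOKEN` environment variable, the default log path and the `Invoke-Tool` helper are assumptions; the enable-scan and upload-FPR switches mirror the two conditionals the answer exposes as build-definition arguments, and the SSC token is read from the agent's environment rather than pasted into the build definition.

```powershell
# Added example (not from the original answer). Wraps the Fortify SCA steps the
# answer lists so one Invoke Process activity runs them with the build's arguments.
# Parameter names, $env:FORTIFY_AUTH_TOKEN, the log path and the helper are assumed.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)] [string] $BuildId,     # value for sourceanalyzer -b
    [Parameter(Mandatory = $true)] [string] $Solution,    # path to the .sln to rebuild
    [string] $Configuration = 'Debug',
    [string] $LogFile = 'C:\SSCLogs\SSCBuild.log',         # assumed log location
    [bool]   $RunScan = $true,      # build-definition argument that enables/disables scanning
    [bool]   $UploadFpr = $false,   # separate conditional for uploading the FPR to SSC
    [string] $FortifyProject,
    [string] $FortifyVersion,
    [string] $SscUrl
)

$ErrorActionPreference = 'Stop'

# Run an external tool and fail the build on a non-zero exit code, so a broken
# translate or scan cannot silently leave an empty or stale FPR behind.
function Invoke-Tool {
    param([string] $Exe, [string[]] $Arguments)
    Write-Host ("> {0} {1}" -f $Exe, ($Arguments -join ' '))
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe exited with code $LASTEXITCODE"
    }
}

$fpr = "$BuildId.fpr"

# Step 1: discard any earlier translation stored under this build ID.
Invoke-Tool 'sourceanalyzer' @('-b', $BuildId, '-clean')

# Step 2: translate the solution by wrapping the devenv rebuild.
Invoke-Tool 'sourceanalyzer' @('-b', $BuildId, 'devenv', $Solution,
                               '/Rebuild', $Configuration, '/out', $LogFile)

if (-not $RunScan) {
    Write-Host 'Scan disabled by build argument; stopping after translation.'
    return
}

# Step 3: analyse the translated code and write the FPR.
Invoke-Tool 'sourceanalyzer' @('-b', $BuildId, '-scan', '-format', 'fpr', '-f', $fpr)

if ($UploadFpr) {
    # The SSC token comes from an environment variable the build agent sets
    # (assumed name), so it is never stored in the build definition or in source.
    $token = $env:FORTIFY_AUTH_TOKEN
    if ([string]::IsNullOrEmpty($token)) {
        throw 'FORTIFY_AUTH_TOKEN is not set; refusing to upload.'
    }
    # Step 4: upload the FPR to the named project/version on the SSC server.
    Invoke-Tool 'fortifyclient.bat' @(
        '-url', $SscUrl, '-authtoken', $token, 'uploadFPR',
        '-file', $fpr, '-project', $FortifyProject, '-version', $FortifyVersion)
}
```

Passing each argument as a separate array element (rather than one concatenated command line) keeps a build ID or project name containing spaces intact without manual quoting, and the non-zero-exit check on every step is what turns a failed scan into a failed build instead of an uploaded FPR with no findings.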