Detailed Analysis
A developer using Claude Code (Opus 4.7) within VS Code reports persistent failures when using the assistant to remediate high- and critical-severity findings from Fortify Static Code Analyzer, a widely used enterprise static analysis tool. Despite running the model at its maximum effort setting, it repeatedly failed to resolve the flagged issues, with findings in Fortify's Input Validation and Representation category (a broad grouping that covers SQL injection, cross-site scripting, and other cases where untrusted data reaches a sensitive operation without adequate checks) proving especially resistant to automated remediation. The post, shared on the r/ClaudeAI subreddit, asks the community for prompting strategies or workflows that improve outcomes in this specific use case.
The difficulty the user encounters is not incidental. Fortify's dataflow findings are highly context-sensitive: a flagged Input Validation issue is rarely resolved by adding a check at the line where it is reported, because the issue is a path from a taint source (an HTTP parameter, a file, a database read) through any number of pass-through assignments and calls to a sink (a query, a command, a response body). Fixing it requires understanding that full path across a potentially large codebase, knowing which framework-specific validation or encoding calls are appropriate for the sink, and producing a change that Fortify's analysis engine recognizes. That engine decides, from its own rule packs, which functions count as sources, sinks, pass-throughs and sanitizers, and those decisions can differ from general security best practice. Claude Code, even at maximum effort, has no visibility into that ruleset. It can therefore produce a patch that adds a plausible-looking check at the sink which Fortify does not treat as a sanitizer, so the taint path and the finding remain while the surface-level code pattern appears addressed. The practitioner's check is to rescan after each proposed fix rather than trusting the diff, and to prefer fixes that remove the tainted value from the sink altogether (parameterized queries, contextual output encoding from the framework) over bespoke filtering functions that the scanner has never heard of.
This limitation reflects a broader challenge facing AI coding assistants in enterprise security contexts. General-purpose LLMs are trained on vast repositories of code and security documentation, but static analysis tools such as Fortify, Checkmarx and Veracode use proprietary dataflow and taint-tracking engines whose rules are not fully documented publicly, so no model can reliably predict which change will satisfy a given scanner. The gap between code that is functionally secure and code that a specific scanner passes runs in both directions: a correct fix the engine cannot see still shows up as a finding, and a change that happens to break the modeled flow can clear a finding without making the code safe. Closing that gap requires either knowledge of the tool's heuristics (including any custom rules the organization has written) or an iterative rescan loop.
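The source-to-sink mechanics described in the two paragraphs above are easier to see in code. The following is an added example written for this page, not code from the Reddit post and not Fortify's engine: a deliberately small, straight-line taint tracker over Python functions using the standard `ast` module. The API names (`request_param`, `execute_sql`, `quote_identifier`, `my_strip_quotes`) and the three snippets it analyzes are constructed for the illustration. The point it makes is the one the text argues: a home-grown check that the analyzer has no rule for leaves the finding open, a fix that keeps the tainted value out of the SQL text clears it, and so does teaching the analyzer about the custom check (in Fortify's case through a custom rule such as a dataflow cleanse rule, which is how real deployments handle in-house sanitizers).

```python
"""Toy source-to-sink taint tracker (added illustration; not Fortify's engine)."""
import ast

# Hypothetical API names chosen for this example. Fortify's real rule packs
# define their own sources, sinks and sanitizers and are not reproduced here.
SOURCES = {"request_param"}                  # calls returning attacker-controlled data
SINKS = {"execute_sql": 0}                   # sink name -> index of the argument used as SQL text
RECOGNIZED_SANITIZERS = {"quote_identifier"}  # cleanse functions the analyzer trusts


def _call_name(node):
    """Callee name of a Call node (``f(...)`` or ``obj.f(...)``), else None."""
    if isinstance(node, ast.Call):
        if isinstance(node.func, ast.Name):
            return node.func.id
        if isinstance(node.func, ast.Attribute):
            return node.func.attr
    return None


def _is_tainted(expr, tainted, sanitizers):
    """Whether ``expr`` carries taint given the set of tainted variable names."""
    name = _call_name(expr)
    if name in SOURCES:
        return True
    if name in sanitizers:
        return False                         # recognized cleanse: taint is cleared
    if isinstance(expr, ast.Call):           # unknown call: taint passes straight through
        return any(_is_tainted(a, tainted, sanitizers) for a in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.JoinedStr):      # f-string: tainted if any interpolated value is
        return any(_is_tainted(v.value, tainted, sanitizers)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    if isinstance(expr, ast.BinOp):          # concatenation or % formatting
        return (_is_tainted(expr.left, tainted, sanitizers)
                or _is_tainted(expr.right, tainted, sanitizers))
    return False


def find_taint_flows(source_code, sanitizers=RECOGNIZED_SANITIZERS):
    """Return line numbers of sink calls whose SQL argument is tainted.

    Single-function, straight-line analysis only: branches, loops and
    inter-procedural flow are not modeled.
    """
    findings = []
    for func in ast.walk(ast.parse(source_code)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:
            if isinstance(stmt, ast.Assign):
                value_tainted = _is_tainted(stmt.value, tainted, sanitizers)
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        if value_tainted:
                            tainted.add(target.id)
                        else:
                            tainted.discard(target.id)
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                call = stmt.value
                idx = SINKS.get(_call_name(call))
                if (idx is not None and idx < len(call.args)
                        and _is_tainted(call.args[idx], tainted, sanitizers)):
                    findings.append(stmt.lineno)
    return findings


# Constructed snippets under analysis (made up for this example).
# Reported line numbers are relative to each snippet; line 1 is blank.
VULNERABLE = """
def lookup(request):
    user = request_param(request, "user")
    execute_sql(f"SELECT * FROM accounts WHERE name = '{user}'")
"""

# Point-of-detection "fix": a home-grown check the analyzer has no rule for.
SURFACE_FIX = """
def lookup(request):
    user = request_param(request, "user")
    user = my_strip_quotes(user)
    execute_sql(f"SELECT * FROM accounts WHERE name = '{user}'")
"""

# Real fix: the tainted value never becomes part of the SQL text.
PARAMETERIZED = """
def lookup(request):
    user = request_param(request, "user")
    execute_sql("SELECT * FROM accounts WHERE name = ?", (user,))
"""

if __name__ == "__main__":
    print(find_taint_flows(VULNERABLE))      # [4]
    print(find_taint_flows(SURFACE_FIX))     # [5]  finding persists
    print(find_taint_flows(SURFACE_FIX, RECOGNIZED_SANITIZERS | {"my_strip_quotes"}))  # []
    print(find_taint_flows(PARAMETERIZED))   # []
```

The third call is the interesting one: nothing about the code changed between the second and third results, only what the analyzer was told to trust. That is the situation a coding agent is in when it invents a sanitizer the scanner's rules do not list, and it is why the remediation loop has to include a rescan (or a custom rule) rather than stopping at a diff that looks right.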
In the broader context of AI-assisted software development, the case illustrates the limits of current agentic coding tools when confronted with domain-specific enterprise tooling. Models like Claude have demonstrated strong general coding competence, but integrating AI coding agents into mature DevSecOps pipelines, where a clean result from a specific scanner is a hard gate on deployment, is still far from routine. The community response the poster seeks, centered on prompt engineering and skill-based workarounds, is symptomatic of a tooling gap: without native integration between AI agents and the scanners' result exports, APIs or rule definitions, practitioners are left to build informal, artisanal remediation workflows rather than reproducible, systematic automation. In practice the most useful thing to hand the agent is the finding's complete dataflow trace (source, pass-throughs and sink, which Fortify records for each dataflow issue) rather than only the flagged line, followed by a rescan to confirm the finding actually cleared.