OpenText • Application security
OpenText Static Application Security Testing carries the Fortify Static Code Analyzer engine, with broad language coverage across modern and legacy stacks (including COBOL, Apex, mainframe-adjacent code) and source plus binary code analysis for regulated programs that need both.
Through Merito, OpenText SAST runs as either a standalone Fortify Static Code Analyzer license or inside the Core Application Security bundle, with policy tuning, custom-rule authoring, and CI/CD integration handled as the implementation work so the engine works the way the program needs rather than the way the defaults shipped.
What it is
OpenText Static Application Security Testing carries the Fortify Static Code Analyzer engine that has been in regulated production for two decades. The engine covers Java, JavaScript, TypeScript, C#, .NET, Python, Go, C, C++, Objective-C, Swift, Kotlin, Salesforce Apex, COBOL, ABAP, PL/SQL, and more, with both source-code and binary-code analysis. The binary-code analysis matters for regulated programs that need to scan vendor-supplied components without source.
Where Fortify SAST has historically differentiated is on regulated and legacy stacks. Programs running mainframe-adjacent COBOL alongside modern Java microservices, or Salesforce Apex alongside .NET enterprise applications, get one engine across the line. Single-language SAST tools force enterprises to bolt together specialist scanners; Fortify covers the modern and the legacy in one product. The 2024-2025 rebrand from Fortify SAST to OpenText Static Application Security Testing is cosmetic at the engine level.
Hybrid deployment is the operational shape. Programs run SAST inside Core Application Security as SaaS, on-prem for regulated workloads where SaaS is not permitted, or as bring-your-own-cloud (BYOC) for hybrid programs. The engine and findings model are consistent across deployment shapes, so AppSec programs that run hybrid (some applications in SaaS, others on-prem) get one operational pattern. Customers running on-prem-only Fortify Static Code Analyzer and considering modernization should look at the SaaS unification through Core Application Security as the operational target.
What disrupts SAST adoption is policy drift. Programs that take vendor-default policies and never tune them generate huge false-positive volumes, lose developer trust by month two, and eventually become a checkbox scan that nobody reads. Merito's engagement starts with policy tuning to the customer's actual risk tolerance, suppression discipline that is auditable rather than a graveyard of ignored findings, and PR-time integration so developers see results in the workflow they already use. Without that, even the best engine generates noise.
Ideal use cases
What it is best at
20+ years of regulated production deployment. Established case law in financial services, government, defense, and healthcare. Programs that need a defensible SAST engine pick the lineage with the most operational history.
Analyzes both source code and compiled binaries. Programs scanning vendor-supplied components without source still get coverage. Few competing SAST tools handle binary analysis at this depth.
Java, .NET, JavaScript, Python, Go, Apex, COBOL, ABAP, PL/SQL, and more in one engine. Programs running enterprise codebases across modern and legacy do not stitch together specialist tools.
Same engine across deployment shapes. Programs running hybrid (SaaS for some applications, on-prem for regulated workloads) get one operational pattern.
AI-augmented triage and fix suggestions grounded in the customer's findings, available across SAST and the rest of the AppSec line.
Core capabilities
Static analysis core covering modern and legacy code in one engine.
Modern language coverage
Java, JavaScript, TypeScript, C#, .NET, Python, Go, Kotlin, Swift, C, C++, Objective-C, and more.
Legacy and enterprise stack coverage
Salesforce Apex, COBOL, ABAP, PL/SQL, RPG, and other enterprise stacks. Mainframe-adjacent code covered alongside modern microservices.
Source and binary analysis
Analyzes both source code and compiled binaries. Vendor-supplied components without source still get coverage.
Custom rule authoring
Programs encode internal coding standards as custom rules so policy enforcement runs inside the scanner.
What separates a working SAST program from a noisy one.
Policy tuning per application
Severity and rule sets tunable per repository or business unit so internal-tooling code does not get audited like a customer-facing payment service.
Auditable suppression workflow
Suppression with expiry, reviewer assignment, and rationale capture. Suppressions stop being permanent ignore lists.
Findings-routing operating model
Triage assignment, ticketing integration, and PR-time visibility designed for continuous AppSec rather than batch scanning.
SAST inside the customer's release pipeline and operational fabric.
Hybrid deployment
SaaS, on-prem, and BYOC editions sharing the same engine and findings model.
PR-time scanning
Runs against the diff in the pull request and posts findings as PR comments. Developers see issues in the review they were already doing.
Build-gate policy
Configurable thresholds (severity, count, age) that pass or fail builds. Block-on-introduce policy stops new vulnerabilities while triage works the legacy backlog.
Compliance reporting
Audit-ready evidence for SOC 2, FedRAMP, HIPAA, PCI DSS, and ISO 27001 attestations.
Where it fits in the stack
Deployment and implementation
Licensing and packaging
Standalone Static Application Security Testing
Standalone SAST license deployable as SaaS, on-prem, or BYOC.
Best for: Programs that need SAST without the rest of the Core Application Security bundle.
Inside Core Application Security
SAST as part of the SaaS-unified SAST + DAST + Core SCA bundle.
Best for: Programs running unified AppSec across SAST, DAST, and SCA.
Government Cloud (FedRAMP)
FedRAMP-authorized SAST for federal customers.
Best for: Federal programs requiring FedRAMP-authorized AppSec.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
Tenant or environment setup, deployment-shape decision, policy tuning, custom-rule authoring, CI/CD integration.
Explore service02Fortify Static Code Analyzer to OpenText Static Application Security Testing migrations, on-prem to SaaS modernization.
Explore service03AppSec program scoping for SAST adoption alongside Checkmarx, Veracode, and Snyk Code.
Explore service04PR-time SAST gates and build-gate policy in Jenkins, GitHub Actions, GitLab CI, Azure DevOps, and Bitbucket.
Explore service05Developer-facing SAST adoption and AppSec champion programs.
Explore service06Named engineer, priority SLAs, and release-time coverage for SAST.
Explore service07Long-term run support including policy tuning, custom-rule maintenance, and triage operating-model evolution.
Explore service08Role-based training for AppSec architects, security engineers, and developers using SAST output.
Explore service09Merito-placed AppSec engineers and OpenText specialists embedded on long-running programs.
Explore serviceOpenText Static Application Security Testing licensing
OpenText SAST pricing arrives with policy tuning, custom-rule authoring, suppression discipline, and PR-time CI/CD integration that turn 30+ years of Fortify engine depth into a working AppSec program rather than a vendor-default scanner.
Merito point of view
Merito has rolled out OpenText Static Application Security Testing (formerly Fortify SAST) on programs where the engine works fine, language coverage is solid, and the backlog still grows uncontrollably. The cause is policy drift. Vendor defaults generate noise, suppressions accumulate as a permanent ignore list, and findings flow to a queue nobody owns. Those are policy and operating-model problems; no SAST replacement fixes them.
Merito recommends OpenText SAST specifically when the program needs broad language coverage including legacy and enterprise stacks (COBOL, Apex, ABAP), when source plus binary analysis matters for vendor-supplied components, and when regulated compliance posture (FedRAMP, HIPAA, PCI DSS) is a buying criterion. For programs already running mature Checkmarx One pipelines, replacing them with OpenText SAST is a 12-month project that often does not deliver enough delta to justify the disruption. Merito runs that decision honestly.
The hybrid deployment model is real. Programs running SaaS for some applications and on-prem for regulated workloads share the engine and findings model. Most modernization engagements move toward the SaaS path through Core Application Security; on-prem remains the right answer for programs with regulatory constraints that rule out SaaS scanning.
What buyers usually underestimate
Related from Merito
Related solutions
Related services
Related products
Frequently Asked Questions
Consultation request
Share your codebase profile, current SAST tool if any, and AppSec program shape. A Merito OpenText specialist follows up within one business day.
Mature engine
20+ years of regulated production deployment. Source plus binary analysis. Broad coverage across modern and legacy stacks.
Policy first
Vendor defaults generate noise. Merito's first thirty days are policy tuning, custom-rule authoring, and suppression-workflow design.
Next step
A Merito OpenText SAST engagement starts with policy tuning, custom-rule authoring, and PR-time integration. Day-one defaults are how programs lose developer trust by month two.