Recently I needed to run a Fortify scan on a project with several modules. I was told to scan only Java files (*.java) but with the constraint that this files should not be the ones inside test directories (*\test\*)
After doing some research and reading the documentation I came up with the following command:
"-b" "SiryProject" "-machine-output" "-source" "1.8" "C:\MyProjects\SiryProject\**\src\main\java\**\*.java"
It is very simple, you are basically telling Fortify to scan all Java whose file path contains \src\main\java\ and are inside C:\MyProjects\SiryProject\
I know it could be a little complex to understand but once you get it, it comes in handy for future scans, I always use the Audit Workbench to run my scans, so I set this command in the Advance Static Analysis dialog, right after selecting the project folder:
After this, you just have to wait until the scan is completed. For more information you can read page 44 on the user guide provided below.