It’s not clear what type of filtering you want to do. If you want to analyze only part of the project, you can do that with exclusions. If you want to analyze the whole project but only with Security rules, then just create a Quality Profile containing only those rules and assign the project to it.
Assuming we’re talking about Java, C, C++, Objective-C, or C#, no.
Then it’s not analyzable but that’s not such a crisis because it’s not deployable either.
I’m looking for something similar to HP’s Fortify or Checkmarx, so only security rules, but as far as I’ve seen on a few “vulnerable” projects, even with all the analyzers the quality of the findings is very poor to say the least, and it doesn’t find actual issues like SQLI in the code even though it’s vulnerable.
Is this still an OWASP project or has it outgrown its original purpose and become a code quality tool?