If you are trying to run analysis on your own application code, then Fortify is perhaps not the right tool for that, as it is not configured to understand Pega APIs and, as you mention, it would require quite a bit of trickery to coerce Fortify to scan the dynamically generated rule code.
The Rule Security Analyzer, which ships with Pega 7, has a few scans that work on your custom-written code. This finds some of the same vulnerabilities that Fortify looks for, including cross-site scripting, SQL injection, and XML Entity Expansion vulnerabilities.
Well, I've learned what I can -- and convinced our internal security team that Fortify is not applicable.
However, that leaves me with the question: what can I do -- or what has Pega themselves done -- to scan for security vulnerabilities?
That is, does Pega provide any documentation, or any "certification" that certain security practices are always followed, that a Pega server (I'm thinking primarily 7.1.x or 7.2) is secure to a certain level of confidence?
No 'certification' exists. Have you seen our security white paper? It is available through your account rep. It covers many topics related to security and includes a description of the many ways we test and assess our software for security vulnerabilities throughout the development lifecycle.
I'm just going to link in this discussion to close the loop. It is possible to scan the Pega generated code using Fortify. The way we implemented it was to use an isolated environment to run a specific app, walk the app through its flows, then capture the generated code from the PRGenJava folder.
The results of this type of scan gave us the ability to see the security posture of the dynamic code which is actually used, vs. the rule analyzer which I believe looks at the custom user-developed code.
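The capture-then-scan procedure described in the post above, written out as an added example; this is not code from the thread, from Pega or from Fortify. It assumes the generated rule code lands as .java files under a PRGenJava directory (path supplied on the command line), that a marker file is touched before the flows are walked so only code generated during that walk is captured, and that Fortify SCA's sourceanalyzer is on PATH; the build id, the optional FORTIFY_CP classpath and the output file name are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, Pega or Fortify): snapshot the Java that
# Pega generated while the app's flows were exercised, then hand it to
# Fortify SCA. Paths, build id and classpath are assumptions.
set -eu

# Copy every .java under the PRGenJava tree that is newer than the marker file
# touched before the flows were walked, keeping the package directory layout so
# Fortify can resolve package names. Prints the number of captured files.
snapshot_generated_java() {
  gen_dir="$1"; marker="$2"; out_dir="$3"
  mkdir -p "$out_dir"
  # -newer limits the capture to code generated during this run of the flows
  find "$gen_dir" -type f -name '*.java' -newer "$marker" | while IFS= read -r f; do
    rel="${f#"$gen_dir"/}"
    mkdir -p "$out_dir/$(dirname "$rel")"
    cp "$f" "$out_dir/$rel"
  done
  find "$out_dir" -type f -name '*.java' | wc -l | tr -d ' '
}

# Translate and scan the snapshot with Fortify SCA using its documented
# build-id workflow (-clean, translate, -scan -f). FORTIFY_CP, if set, is an
# assumed classpath of the engine jars so generated code resolves Pega types.
fortify_scan() {
  src_dir="$1"; build_id="$2"; out_fpr="$3"
  if ! command -v sourceanalyzer >/dev/null 2>&1; then
    echo "sourceanalyzer not on PATH; skipping scan of $src_dir" >&2
    return 2
  fi
  sourceanalyzer -b "$build_id" -clean
  # sourceanalyzer expands the quoted **/*.java glob itself
  sourceanalyzer -b "$build_id" ${FORTIFY_CP:+-cp "$FORTIFY_CP"} "$src_dir/**/*.java"
  sourceanalyzer -b "$build_id" -scan -f "$out_fpr"
}

# Usage (assumed paths):
#   touch /tmp/pre-walk          # then walk the app through its flows
#   sh scan_gen.sh /opt/pega/PRGenJava /tmp/pre-walk /tmp/gen-snapshot pega-gen gen.fpr
if [ $# -eq 5 ]; then
  n=$(snapshot_generated_java "$1" "$2" "$3")
  if [ "$n" -eq 0 ]; then
    # Zero captured files means the flows were not exercised after the marker
    # was set, so the scan would report nothing rather than a clean result.
    echo "no generated Java newer than $2: were the flows actually exercised?" >&2
    exit 1
  fi
  echo "captured $n generated source files" >&2
  fortify_scan "$3" "$4" "$5"
fi
```

The zero-file check matters more than it looks: rule code that was never executed is never generated, so an empty snapshot is a coverage failure in the walk-through, not a clean scan.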