Use policies with Pipeline Scans
You can use a Veracode security policy to evaluate the scan results from a Pipeline Scan.
You can configure a Pipeline Scan to evaluate the scan results against one of the standard or recommended security policies. To use a custom policy, you must include the --request_policy parameter in your pipeline or at the command line to retrieve the policy definition from Veracode.
Because a Pipeline Scan performs a static scan and is not aware of the full history of findings, it supports only these policy rule types:
- Findings with CWE ID
- Findings in CWE Category
- Findings by Severity
When using a Veracode policy, a Pipeline Scan does not consider grace periods, required scan frequency, or evaluation time frames.
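As an added example (not Veracode's code; the finding and policy shapes are constructed for illustration and are not Veracode's results or policy JSON formats), the following Python evaluator applies exactly the three supported rule types to a scan result, with no grace-period, scan-frequency or time-frame logic, which is how a Pipeline Scan treats a policy:

```python
"""Evaluate Pipeline Scan findings against the three rule types a Pipeline
Scan supports: Findings with CWE ID, Findings in CWE Category, Findings by
Severity.  The finding and policy shapes below are constructed for this
example; they are not Veracode's results or policy JSON format."""
import json

# Constructed sample findings (not real scan output). Severity uses a
# 0-5 scale where 5 is the highest.
SAMPLE_RESULTS = json.dumps({"findings": [
    {"cwe_id": 89, "cwe_category": "SQL Injection", "severity": 5,
     "issue_type": "Improper Neutralization of SQL Commands"},
    {"cwe_id": 259, "cwe_category": "Credentials Management", "severity": 3,
     "issue_type": "Use of Hard-coded Password"},
    {"cwe_id": 117, "cwe_category": "Information Leakage", "severity": 2,
     "issue_type": "Improper Output Neutralization for Logs"},
]})

# Constructed policy: one rule per supported rule type.
SAMPLE_POLICY = {
    "cwe_ids": [89, 78],                           # Findings with CWE ID
    "cwe_categories": ["Credentials Management"],  # Findings in CWE Category
    "min_severity": 4,                             # Findings by Severity
}


def evaluate(results_json: str, policy: dict) -> dict:
    """Return the findings that violate each rule type.  No grace periods,
    scan-frequency or time-frame rules are modelled: a Pipeline Scan does
    not consider them, so any violating finding in this scan is a failure."""
    findings = json.loads(results_json)["findings"]
    ids = set(policy.get("cwe_ids", []))
    cats = set(policy.get("cwe_categories", []))
    min_sev = policy.get("min_severity", 6)  # 6: nothing fails by severity
    return {
        "cwe_id": [f for f in findings if f["cwe_id"] in ids],
        "cwe_category": [f for f in findings if f["cwe_category"] in cats],
        "severity": [f for f in findings if f["severity"] >= min_sev],
    }


def passes(results_json: str, policy: dict) -> bool:
    """True only when no rule type reports a violating finding."""
    return not any(evaluate(results_json, policy).values())


if __name__ == "__main__":
    for rule, hits in evaluate(SAMPLE_RESULTS, SAMPLE_POLICY).items():
        print(f"{rule}: {[h['cwe_id'] for h in hits]}")
    print("policy passed" if passes(SAMPLE_RESULTS, SAMPLE_POLICY)
          else "policy failed")
```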