Using Policies with Pipeline Scans

Pipeline Scan

You can use a Veracode security policy to evaluate the scan results from a Pipeline Scan.

You can configure a Pipeline Scan to evaluate the scan results against one of the standard or recommended security policies. To use a custom policy, you must include the --request_policy parameter in your pipeline or at the command line to retrieve the policy definition from Veracode.

Because a Pipeline Scan performs a static scan and is not aware of the full history of findings, it supports only these policy rule types:

  • Findings with CWE ID
  • Findings in CWE Category
  • Findings by Severity

When using a Veracode policy, a Pipeline Scan does not consider grace periods, required scan frequency, or evaluation time frames.