Reviewing Scan Results

Results and Reports

The Results page provides a single point of reference for the results of all completed scans. From this page you can download reports, bookmark reports, and schedule a consultation call with Veracode Support.



Click Results in the left navigation menu to go to the Results page. The page is divided into three sections:
  • Results Reports
  • Policy Evaluation
  • Summarized Results

Results Reports

From the Results page, you can download reports, bookmark reports, share results, and request a scan results consultation call with Veracode Support. In addition, you can view the Veracode and PCI Compliance reports.

Click Veracode Report or PCI Compliance Report to open these reports. The Veracode Report contains the same information as the Detailed Report that you can download from the Results page. The Veracode Report summarizes the security flaws identified during this scan, how the application fared against the associated policy controls, and outlines the Veracode recommendations. The PCI Compliance Report provides guidance on how to fix the discovered flaws to achieve PCI compliance and how the application performed against the PCI policy.

From the Results page you can use the following buttons:
  • Download Reports: click this button to open the menu of reports you can download.
  • Bookmark this Report: bookmark this results page so that you can return to it later.
  • Share this Report: if you have a vendor-enterprise relationship with other organizations, you can share scan results using this button.
  • Schedule a Consultation: if you would like assistance interpreting your scan results, click this button to schedule a consultation call with Veracode.

Policy Evaluation

The Policy Evaluation section of the Results page provides an overview of how the application fared against its associated policy.



The policy evaluation indicates whether the application was assessed against the policy's rules, required scans, and remediation grace period. The Veracode Level the application achieves is based on the security score it receives after the scans.

Click the scan names in the static, dynamic, and manual columns to go to the overview pages to see more details of the scan results.

Summarized Results

The Summarized Results section of the Results page provides an overview of all the flaws by severity and status, as well as a summary of the top risks and how your metrics data is trending.

At a glance, you can see the number and types of flaws the application currently contains.

Open Flaw Severities shows open flaws categorized by their potential impact on the confidentiality, integrity, and availability of the application, as defined in CVSS.

Severity | Description
Very High | The offending line or lines of code contain a very serious weakness that is an easy target for an attacker. The code should be modified immediately to avoid potential attacks.
High | The offending line or lines of code contain a significant weakness, and the code should be modified immediately to avoid potential attacks.
Medium | A weakness of average severity. These flaws should be fixed in high-assurance software. For medium-assurance software, consider fixing this weakness after you fix the Very High and High flaws.
Low | A low-priority weakness that will have a small impact on the security of the software. Consider fixing these flaws in high-assurance software. Medium- and low-assurance software can ignore these flaws.
Very Low | Minor problems that some high-assurance software may want to be aware of. These flaws can be safely ignored in medium- and low-assurance software.
Informational | Issues that have no impact on the security quality of the application but that may be of interest to the reviewer.

Remediation Status data shows the number of flaws found in an application, categorized by remediation status.

Status | Scan Type | Description
New | Policy | The number of flaws that were not found in any previous policy scan.
New | Sandbox | The number of flaws that were not found in any previous scan.
Open | Policy | The number of flaws found in a previous policy scan.
Open | Sandbox | The number of flaws found in a previous scan, not necessarily within this sandbox.
Reopened | Policy or Sandbox | The number of flaws found in a previous scan within the sandbox or policy scan, not found in a subsequent scan within the sandbox or policy scan, but found again in the current scan.
Fixed | Policy or Sandbox | The number of flaws found in a previous scan within the policy or sandbox scan, but not found again in the current scan.
Mitigated | Policy or Sandbox | The number of flaws that were approved as mitigated by OS environment, mitigated by network environment, or mitigated by design.
Potential False Positive | Policy or Sandbox | The number of flaws that were approved as a potential false positive.
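The status definitions above are easiest to understand by applying them to a concrete scan history. The following Python is an added example, not Veracode's own code or an output of the platform: it models each scan as the set of flaw identifiers it found and derives the remediation status of every flaw relative to the latest scan. The scan history, flaw IDs, and approval sets are constructed sample data. It simplifies the rules in two ways, stated as assumptions: the caller passes only the scans that count as "previous" for the scan type in question (all earlier policy scans for a policy scan, all earlier scans for a sandbox scan), and "Reopened" is decided by comparing against the scan immediately before the current one.

```python
from collections import Counter
from typing import Dict, List, Set

# Constructed scan history in chronological order; each entry holds the flaw
# identifiers that scan found. Sample data only, not real platform output.
SCAN_HISTORY: List[Set[str]] = [
    {"F1", "F2", "F3"},        # scan 1
    {"F1", "F3", "F4"},        # scan 2: F2 disappears, F4 appears
    {"F1", "F2", "F4", "F5"},  # scan 3 (current): F2 returns, F3 gone, F5 appears
]

# Assumed reviewer approvals, modelled as plain sets for the example.
APPROVED_MITIGATIONS: Set[str] = {"F1"}
APPROVED_POTENTIAL_FALSE_POSITIVES: Set[str] = {"F4"}

STATUS_ORDER = ["New", "Open", "Reopened", "Fixed",
                "Mitigated", "Potential False Positive"]


def classify_flaws(history: List[Set[str]],
                   mitigated: Set[str],
                   potential_fp: Set[str]) -> Dict[str, str]:
    """Map each flaw ID to its remediation status relative to the last scan.

    New       - in the current scan and in no earlier scan
    Open      - in the current scan and in the immediately preceding scan
    Reopened  - in the current scan, absent from the preceding scan, but
                present in some earlier scan (found, fixed, found again)
    Fixed     - seen in an earlier scan but absent from the current scan
    Mitigated / Potential False Positive - approved as such; takes precedence
                over Open/Reopened for flaws present in the current scan
    """
    if not history:
        return {}
    current = history[-1]
    previous = history[-2] if len(history) > 1 else set()
    # Union of every scan before the current one (empty when there is only one).
    ever_before: Set[str] = set().union(*history[:-1])

    statuses: Dict[str, str] = {}
    for flaw in current:
        if flaw in mitigated:
            statuses[flaw] = "Mitigated"
        elif flaw in potential_fp:
            statuses[flaw] = "Potential False Positive"
        elif flaw not in ever_before:
            statuses[flaw] = "New"
        elif flaw in previous:
            statuses[flaw] = "Open"
        else:
            statuses[flaw] = "Reopened"
    # Anything seen historically but absent now counts as Fixed.
    for flaw in ever_before - current:
        statuses[flaw] = "Fixed"
    return statuses


def summarize(statuses: Dict[str, str]) -> Dict[str, int]:
    """Count flaws per status, always listing every status (zero if none)."""
    counts = Counter(statuses.values())
    return {status: counts.get(status, 0) for status in STATUS_ORDER}


if __name__ == "__main__":
    result = classify_flaws(SCAN_HISTORY, APPROVED_MITIGATIONS,
                            APPROVED_POTENTIAL_FALSE_POSITIVES)
    for flaw_id, status in sorted(result.items()):
        print(f"{flaw_id}: {status}")
    print(summarize(result))
```

Running the block on the sample history reports F5 as New, F2 as Reopened (present in scan 1, absent in scan 2, back in scan 3), F3 as Fixed, and the two approved flaws under their approval status rather than Open; the Fixed count is cumulative, since every flaw seen earlier but absent now is counted, which matches the table's definition.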

Trend Data shows the history of the scans and their scores over time. You can hover over data points on the chart to view the name, date, and score of each scan.