
Ignore findings

Ignoring a finding is a way of mitigating a finding you don't intend to resolve. We recommend resolving findings, including those that don't appear exploitable today: changes to the code, its environment, or attacker techniques can make them exploitable later.

You might want to ignore findings for the following reasons:

  • There is no manual fix, and Veracode Fix offers no suggested code patch.
  • The finding isn't relevant to the application, is a potential false positive, or your team accepts the risk of leaving it unresolved. For example, a finding might be technically present in the code while the application's overall security architecture or deployment policies effectively mitigate the risk.

To learn more about mitigating findings, see the following sections:

note

Mitigations are not long-term fixes for application security findings. Changes to your environment or new attack techniques can make many mitigating factors, such as network and operating system mitigations, ineffective. Treat a mitigation as an interim measure within a longer-term plan to remediate the findings in your applications.

Using the Veracode Platform

To ignore flaws from Static Analysis or Dynamic Analysis scans in the Veracode Platform, apply a mitigation action, such as marking a finding as a potential false positive or accepting the risk of not resolving it, from the Triage Flaws page or through the APIs.

For SCA scans, you can ignore SCA issues found by SCA Agent-based Scan, or mitigate vulnerabilities found by SCA Agent-based Scan or SCA Upload and Scan.

Using your IDE

To ignore flaws in your IDE, select from the following topics. Veracode Scan for Visual Studio doesn't support ignoring findings.

If you're using the Static-only IDE integrations, see the topics on mitigating findings.

Using the APIs

Ignore findings using the REST and XML APIs.

  • REST APIs
  • XML APIs
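The following script, added here as an example and not Veracode's own code, shows what ignoring findings through the REST API looks like in practice: it maps the two reasons this page gives (potential false positive, accept the risk) to mitigation action codes, validates the request body before anything is sent, signs the request, and posts it. The endpoint path `/appsec/v2/applications/{app_guid}/annotations`, the request body shape, the action codes in `ACTIONS`, and the details of the VERACODE-HMAC-SHA-256 signing scheme are assumptions drawn from the Annotations and signing APIs, not from this page; verify them against the API reference for your account, and in production prefer the official veracode-api-signing package over the hand-rolled signer below.

```python
"""Ignore Veracode findings through the REST Annotations API.

Added example, not Veracode's own code. Assumed (not stated on the page):
  - endpoint: POST https://api.veracode.com/appsec/v2/applications/{app_guid}/annotations
  - JSON body: {"issue_list": "1,2,3", "comment": "...", "action": "FP"}
  - the action codes listed in ACTIONS
  - the VERACODE-HMAC-SHA-256 scheme implemented in veracode_hmac_header
"""
import hashlib
import hmac
import json
import os
import secrets
import time
import urllib.request

API_HOST = "api.veracode.com"

# Mitigation actions the Annotations API accepts (assumed from the API, not from this page).
# The two reasons the page gives for ignoring a finding map to FP and ACCEPTRISK.
ACTIONS = {
    "FP": "potential false positive",
    "ACCEPTRISK": "accept the risk of not resolving the finding",
    "APPDESIGN": "mitigated by application design",
    "OSENV": "mitigated by operating-system environment",
    "NETENV": "mitigated by network environment",
    "LIBRARY": "mitigated by library",
    "COMMENT": "comment only, no mitigation proposed",
}


def build_annotation(issue_ids, action, comment):
    """Return the JSON body for one annotation request, rejecting bad input early."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}; expected one of {sorted(ACTIONS)}")
    if not comment or not comment.strip():
        raise ValueError("a justification comment is required for every mitigation")
    ids = sorted({int(i) for i in issue_ids})  # de-duplicate, keep the list deterministic
    if not ids:
        raise ValueError("at least one issue id is required")
    return {
        "issue_list": ",".join(str(i) for i in ids),
        "comment": comment.strip(),
        "action": action,
    }


def veracode_hmac_header(api_id, api_key, host, path, method, *, timestamp_ms=None, nonce=None):
    """Build the Authorization header value for VERACODE-HMAC-SHA-256.

    My own implementation of the published signing scheme (assumed); api_key is the
    hex-encoded API secret. timestamp_ms and nonce are injectable for testing only.
    """
    timestamp_ms = int(time.time() * 1000) if timestamp_ms is None else int(timestamp_ms)
    nonce = secrets.token_hex(16) if nonce is None else nonce
    signing_data = f"id={api_id}&host={host}&url={path}&method={method.upper()}"
    # Derived-key chain: secret -> nonce -> timestamp -> version string -> request data.
    key_nonce = hmac.new(bytes.fromhex(api_key), bytes.fromhex(nonce), hashlib.sha256).digest()
    key_date = hmac.new(key_nonce, str(timestamp_ms).encode(), hashlib.sha256).digest()
    key_sig = hmac.new(key_date, b"vcode_request_version_1", hashlib.sha256).digest()
    signature = hmac.new(key_sig, signing_data.encode(), hashlib.sha256).hexdigest()
    return (f"VERACODE-HMAC-SHA-256 id={api_id},ts={timestamp_ms},"
            f"nonce={nonce},sig={signature}")


def submit_annotation(app_guid, payload, api_id, api_key, host=API_HOST):
    """POST one annotation and return the parsed JSON response (performs a network call)."""
    path = f"/appsec/v2/applications/{app_guid}/annotations"
    body = json.dumps(payload).encode()
    req = urllib.request.Request(
        f"https://{host}{path}", data=body, method="POST",
        headers={
            "Authorization": veracode_hmac_header(api_id, api_key, host, path, "POST"),
            "Content-Type": "application/json",
        })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Credentials and the application GUID come from the environment; issue ids are placeholders.
    payload = build_annotation(
        issue_ids=[42, 43],
        action="FP",
        comment="Tainted input is validated at the API gateway before it reaches this handler.",
    )
    print(submit_annotation(os.environ["VERACODE_APP_GUID"], payload,
                            os.environ["VERACODE_API_KEY_ID"],
                            os.environ["VERACODE_API_KEY_SECRET"]))
```

Keeping `build_annotation` separate from `submit_annotation` lets a CI job reject an empty justification or an unknown action before any credential is touched, and the injectable timestamp and nonce make the signer unit-testable without a network. The XML API's `updatemitigationinfo.do` call takes the same kind of inputs (flaw ids, action, comment), so the validation step carries over unchanged.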