About Pipeline Scan baseline files

The Pipeline Scan enables you to set a baseline of known security findings, which it stores in a JSON file called the baseline file. To identify new findings, the Pipeline Scan compares the discovered findings with those listed in the baseline file. You can create a baseline file only with the Pipeline Scan, not through the Veracode Platform. For examples of creating a baseline file with the static scan command, see the CLI reference.

During scanning, the Pipeline Scan ignores the findings in a baseline file and only uses the file to identify new findings. For a CI/CD workflow, you can decide whether any new findings outside your baseline are important enough to "break the build". Then, your team can determine a mitigation strategy for addressing these findings before moving the code to the next phase in your development pipeline.

By default, after each scan, the Pipeline Scan saves the scan results to a file named results.json. Because results.json is a standard JSON file that contains all the findings information from your scan results, and because you can safely rename it, you can use this file as the baseline for the scanned application.

For example, you can run the Pipeline Scan at the command line with the --baseline_file parameter followed by the name of your JSON file. The Pipeline Scan then compares its findings against that file and reports only the new findings.
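The comparison and the "break the build" decision described above, as an added illustration that is not Veracode's code: this page does not document the layout of results.json, so the `findings` array, its field names and the 0-5 severity scale are assumptions, and the sample baseline and results are constructed.

```python
import json
from typing import Dict, List

# Constructed sample files. This page does not document the layout of
# results.json, so the "findings" array and field names below are an
# assumption, not the real Pipeline Scan format (severity 5 assumed highest).
BASELINE_JSON = json.dumps({"findings": [
    {"cwe_id": "89", "severity": 5, "file": "src/db.py", "line": 42,
     "issue_type": "SQL Injection"},
    {"cwe_id": "79", "severity": 3, "file": "src/web.py", "line": 10,
     "issue_type": "Cross-Site Scripting"},
]})
RESULTS_JSON = json.dumps({"findings": [
    # the two baseline findings, still present after the new scan
    {"cwe_id": "89", "severity": 5, "file": "src/db.py", "line": 42,
     "issue_type": "SQL Injection"},
    {"cwe_id": "79", "severity": 3, "file": "src/web.py", "line": 10,
     "issue_type": "Cross-Site Scripting"},
    # two findings that are not in the baseline
    {"cwe_id": "78", "severity": 5, "file": "src/ops.py", "line": 7,
     "issue_type": "OS Command Injection"},
    {"cwe_id": "327", "severity": 2, "file": "src/crypto.py", "line": 3,
     "issue_type": "Use of a Broken Cryptographic Algorithm"},
]})

def finding_key(finding: Dict) -> tuple:
    """Identity used to match a finding against the baseline. Exact line
    matching is a simplification: a line shift would make a known finding
    look new, so a real comparison needs a more tolerant match."""
    return (finding["cwe_id"], finding["file"], finding["line"], finding["issue_type"])

def new_findings(results_text: str, baseline_text: str) -> List[Dict]:
    """Findings in the scan results that the baseline does not list."""
    baseline_keys = {finding_key(f) for f in json.loads(baseline_text)["findings"]}
    return [f for f in json.loads(results_text)["findings"]
            if finding_key(f) not in baseline_keys]

def should_break_build(new: List[Dict], min_severity: int = 4) -> bool:
    """CI gate: fail the build only for new findings at or above the threshold."""
    return any(f["severity"] >= min_severity for f in new)

if __name__ == "__main__":
    fresh = new_findings(RESULTS_JSON, BASELINE_JSON)
    for f in fresh:
        print(f"NEW CWE-{f['cwe_id']} severity {f['severity']} {f['file']}:{f['line']}")
    raise SystemExit(1 if should_break_build(fresh) else 0)
```

Lowering `min_severity` makes the gate stricter; the two baseline findings are ignored regardless, which is exactly the behaviour the baseline file is meant to give you.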