Mitigate flaws
Mitigate flaws from Veracode Static Analysis scans of your application to temporarily address, or ignore, flaws in your code that you won't resolve, such as flaws that do not pose a security risk in your deployment or that do not violate your policy. To remediate (fix) flaws that you must resolve, see the guidelines for developing a remediation plan. If you're using Veracode Pipeline Scan, we recommend using Veracode Fix to automatically fix flaws using suggested code patches generated by AI.
Use the Triage Flaws page in the Veracode Platform to review and mitigate security flaws with your teams. The Triage Flaws page displays flaws found by Static Analysis Upload and Scan and Veracode DAST scans of your application. For information about the flaws these scans detect, see CWEs detected as flaws. Typically, findings from Dynamic Analysis are called vulnerabilities, but they appear on the Triage Flaws page as flaws.
To review and mitigate vulnerabilities from Software Composition Analysis (SCA) scans of your application, see Mitigate vulnerabilities.
Mitigations are not long-term fixes for application security flaws. Changes to your environment or new attack techniques can make mitigating factors ineffective; network and operating system mitigations in particular depend on controls that live outside the code, and those controls can disappear when the application is redeployed, containerized, or exposed through a new path. Treat each mitigation as a temporary exception with an owner and a review date, and use mitigations only as part of a long-term plan to remediate the findings in your applications.
How can I mitigate flaws?
You can mitigate flaws using the following Veracode products:
Using the Veracode Platform
Use the Triage Flaws page.
Access the Triage Flaws page from the Results page for a scanned application.
The Triage Flaws page doesn't support flaws from Veracode Pipeline Scan or vulnerabilities from Veracode SCA.
Using your IDE
To mitigate flaws in your IDE, select from the following topics. Veracode Scan for Visual Studio and Veracode Scan for Eclipse don't support mitigating flaws.
If you're using the Static-only IDE integrations, see the topics on mitigating flaws.
Using the APIs
Mitigate flaws using the REST or XML APIs.
REST APIs
XML APIs
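The following script is an added example of proposing a mitigation through the REST API; it is not Veracode's own code. The endpoint path (/appsec/v2/applications/{app_guid}/annotations), the request-body fields (issue_list, comment, action) and the action names are assumptions based on the public Annotations REST API reference, so confirm them there before use. The HMAC plugin reads VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET from the environment, so no credential appears in the code. The mitigation_record function is a local addition that captures the review-date and re-validation caveat from the introduction; it is not an API feature.

```python
"""Propose a mitigation for Static Analysis flaws through the Veracode Annotations REST API.

Added example, not Veracode's own code. Endpoint path, request-body fields and
action names are assumptions taken from the public API reference; confirm them
there before relying on this script.
"""
import datetime
import os
import re

API_BASE = "https://api.veracode.com"  # assumption: commercial-region base URL

# Assumed action vocabulary for the annotations endpoint (check the API reference).
MITIGATION_ACTIONS = {"APPDESIGN", "OSENV", "NETENV", "FP", "LIBRARY", "ACCEPTRISK"}
REVIEW_ACTIONS = {"ACCEPTED", "REJECTED"}  # performed by a user with approval permission
ALL_ACTIONS = MITIGATION_ACTIONS | REVIEW_ACTIONS | {"COMMENT"}

MIN_JUSTIFICATION = 20  # house rule (assumption): approvers need a real argument, not "n/a"
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def build_annotation(app_guid, issue_ids, action, comment):
    """Return (url, json_body) for one annotations request after validating the inputs."""
    if not GUID_RE.fullmatch(app_guid):
        raise ValueError("app_guid must be the application GUID, not its legacy numeric ID")
    if action not in ALL_ACTIONS:
        raise ValueError(f"unknown action {action!r}; expected one of {sorted(ALL_ACTIONS)}")
    ids = sorted({int(i) for i in issue_ids})  # issue IDs are per-application integers
    if not ids:
        raise ValueError("issue_ids must not be empty")
    comment = " ".join(comment.split())  # collapse whitespace; approvers read this text
    if action in MITIGATION_ACTIONS and len(comment) < MIN_JUSTIFICATION:
        raise ValueError("a mitigation proposal needs a substantive justification")
    url = f"{API_BASE}/appsec/v2/applications/{app_guid}/annotations"
    body = {"issue_list": ",".join(map(str, ids)), "comment": comment, "action": action}
    return url, body


def mitigation_record(app_guid, body, owner, review_days=90, today=None):
    """Local register entry: a mitigation is an exception, so give it an owner and a review date."""
    today = today or datetime.date.today()
    review_by = today + datetime.timedelta(days=review_days)
    return {
        "app_guid": app_guid,
        "issue_ids": [int(i) for i in body["issue_list"].split(",")],
        "action": body["action"],
        "owner": owner,
        "proposed_on": today.isoformat(),
        "review_by": review_by.isoformat(),
        # Environment-dependent mitigations lose validity when the environment changes.
        "revalidate_on_redeploy": body["action"] in {"OSENV", "NETENV"},
    }


def send_annotation(url, body):
    """POST the request with Veracode HMAC authentication (needs requests + veracode-api-signing)."""
    import requests
    from veracode_api_signing.plugin_for_requests import RequestsAuthPluginVeracodeHMAC

    resp = requests.post(url, json=body, auth=RequestsAuthPluginVeracodeHMAC(), timeout=30)
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    # Constructed sample: two findings on an endpoint reachable only through an internal gateway.
    guid = "123e4567-e89b-12d3-a456-426614174000"  # placeholder GUID, not a real application
    url, body = build_annotation(
        guid, [101, 102], "NETENV",
        "Endpoint is reachable only from the internal gateway, which validates the parameter against an allow-list.",
    )
    print(mitigation_record(guid, body, owner="appsec-team"))
    if os.environ.get("VERACODE_API_KEY_ID"):  # only send when credentials are configured
        print(send_annotation(url, body))
```

Approval is a separate ACCEPTED (or REJECTED) annotation submitted by a different user with approval permission; until it is approved, a proposed mitigation does not change the application's policy status.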
View mitigated flaws in reports
After approving one or more mitigated flaws, the reports for the application update to show information about the mitigations as follows:
- Veracode recalculates the policy status, Veracode Level, and Veracode legacy rating, removing the approved mitigated flaws from consideration.
- Lists of flaws in the application by category show the effective number of flaws after the approved mitigated flaws are removed from the application.
- Approved mitigated flaws are removed from the detailed listing of flaws in reports.
- In the on-screen report, the Mitigated Flaws and Proposed Mitigations tabs in the Detailed Veracode Report show the mitigated flaws grouped by color-coded severity.
- The red and green badges on the left indicate whether you must still fix a flaw to meet policy or whether its proposed mitigation has been accepted.
- In the PDF report, a Mitigated Flaws appendix lists all flaws with approved and proposed mitigations.
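The following is an added example that models the report behaviour described above; it is not Veracode's own code or reporting logic. The flaw records, the 0-5 severity scale, the mitigation status values and the policy rule (no effective flaw above Medium) are constructed assumptions; real policies are configured per application in the Veracode Platform. The point it demonstrates is that only approved mitigations change the figures: proposed and rejected mitigations, and flaws with no proposal, still count against policy.

```python
"""Model of how approved mitigations change report figures.

Added example, not Veracode's own code. Flaw records, severity scale, status
values and the policy rule below are constructed assumptions.
"""
from collections import Counter

SEVERITY_NAMES = {5: "Very High", 4: "High", 3: "Medium", 2: "Low", 1: "Very Low", 0: "Informational"}


def sample_flaws():
    """Constructed sample of a detailed flaw listing with mixed mitigation states."""
    return [
        {"id": 1, "cwe": 89,  "category": "SQL Injection",        "severity": 5, "mitigation": "approved"},
        {"id": 2, "cwe": 79,  "category": "Cross-Site Scripting", "severity": 4, "mitigation": "proposed"},
        {"id": 3, "cwe": 79,  "category": "Cross-Site Scripting", "severity": 4, "mitigation": None},
        {"id": 4, "cwe": 327, "category": "Cryptographic Issues", "severity": 3, "mitigation": "rejected"},
        {"id": 5, "cwe": 117, "category": "Information Leakage",  "severity": 2, "mitigation": "approved"},
    ]


def effective_flaws(flaws):
    """Only approved mitigations remove a flaw from consideration; proposed and rejected ones still count."""
    return [f for f in flaws if f["mitigation"] != "approved"]


def counts_by_category(flaws):
    """Effective flaw count per category, as the category lists in the report show it."""
    return dict(Counter(f["category"] for f in effective_flaws(flaws)))


def policy_status(flaws, max_allowed_severity=3):
    """Assumed policy: fail while any effective flaw is more severe than Medium."""
    blocking = [f["id"] for f in effective_flaws(flaws) if f["severity"] > max_allowed_severity]
    return ("FAIL" if blocking else "PASS"), blocking


def mitigation_tabs(flaws, max_allowed_severity=3):
    """Contents of the Mitigated Flaws and Proposed Mitigations tabs, grouped by severity name.

    Each entry carries the badge it would show: red while policy still requires a fix,
    green once the mitigation has been accepted.
    """
    tabs = {"Mitigated Flaws": {}, "Proposed Mitigations": {}}
    for f in flaws:
        name = SEVERITY_NAMES[f["severity"]]
        if f["mitigation"] == "approved":
            tabs["Mitigated Flaws"].setdefault(name, []).append({"id": f["id"], "badge": "green"})
        elif f["mitigation"] == "proposed":
            badge = "red" if f["severity"] > max_allowed_severity else None
            tabs["Proposed Mitigations"].setdefault(name, []).append({"id": f["id"], "badge": badge})
    return tabs


def approve(flaws, issue_ids):
    """Return a copy of the listing in which the given proposed mitigations are approved.

    A flaw without a proposal cannot be approved, so it stays in the effective count.
    """
    return [
        dict(f, mitigation="approved") if f["id"] in issue_ids and f["mitigation"] == "proposed" else f
        for f in flaws
    ]


if __name__ == "__main__":
    flaws = sample_flaws()
    print(policy_status(flaws))                    # ('FAIL', [2, 3])
    print(counts_by_category(flaws))               # {'Cross-Site Scripting': 2, 'Cryptographic Issues': 1}
    print(policy_status(approve(flaws, {2, 3})))   # ('FAIL', [3]): flaw 3 had no proposal to approve
```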