Skip to main content

About mitigating flaws

After Veracode completes a scan of your code, you can apply mitigation actions on any discovered vulnerabilities.

After a scan is complete, the next step in the workflow is to review all the discovered vulnerabilities in detail. Veracode enables you to sort the flaws and decide if you want to take any mitigation actions to temporarily address the flaw. You can mitigate flaws by making changes to the operating system features, network implementation, or application design. After you flag a flaw as mitigated, users in your organization with the Mitigation Approver role can accept or reject the mitigations. Accepting the mitigated flaws removes them from the application score calculation and from being considered in the determination of the application's policy status. The mitigating factors are included in the application report.


Mitigations do not provide long-term fixes for application security flaws. For example, changes to your environment or new attack techniques can make many mitigating factors, including network and operating system mitigations, ineffective. Veracode recommends that you use mitigations as part of a long-term plan to remediate flaws in your code.

The mitigation workflow involves:

  1. Reviewing the flaws with your team
  2. Proposing mitigating factors
  3. Accepting or rejecting mitigations
  4. Viewing mitigated flaws in the report

You can do all the steps in the mitigation workflow from the Triage Flaws view, which you can access from either the Results section of the left navigation menu or from the application overview. You can perform mitigation actions on one flaw at a time or perform a mass action on multiple flaws at one time. You can accept or reject proposed mitigations from the Mitigated Flaws page.

Veracode automatically applies mitigation actions, including comments, proposals, acceptances, and rejections, to all matched flaws within the application. Veracode also applies these mitigation actions to copies of the flaw that might exist in other sandboxes and the latest policy scan.

You can also manage the mitigation workflow with the Annotations REST API.