
Managing Static Analysis settings

Users with the Administrator role manage organization-level Static Analysis settings. These settings control which Static Analysis engine version is used, how engine updates are applied, and whether application profiles can override the organization-level configuration.

Note

Engine version stability requires activation by Veracode Support or your account team before the setting is available.

Engine version stability

Engine version stability controls whether Static Analysis scans use the latest available engine version or continue using the engine version most recently used by each application profile.

By default, Static Analysis uses the latest engine version for all application profiles.

Configure engine version stability

To complete this task:

  1. To open the Admin page, select Admin from the gear icon.
  2. Select Customize.
  3. Open the Customize Static Engine panel.
  4. Select one of the following options:
    • Use latest engine in all application profiles
    • Use last scanned engine version for each application profile
  5. (Optional) Select Allow each application profile to override the static engine version. For more information, see Allow application-level overrides.
  6. Select Save.

Engine version behavior

Use latest engine in all application profiles

When you select Use latest engine in all application profiles, all Static Analysis scans run using the most current engine version available. Application profiles automatically update to use new engine versions when they are released.

Use last scanned engine version for each application profile

When you select Use last scanned engine version for each application profile, each application profile uses the engine version from its most recent successful scan within the past 60 days.

  • Application profiles with no prior scans use the current engine version.
  • Application profiles with scans older than 60 days use the current engine version.
  • While this setting is enabled, application profiles do not automatically update to newer engine versions.

The engine version is determined by:

  • The most recent successful policy scan, or
  • The most recent sandbox scan if no policy scan exists.

This setting does not allow you to manually select a specific engine version.
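
The resolution rules above, modeled as an added example for predicting which engine version each profile would keep before you enable the setting. This is not Veracode code or an API: the `Scan` fields, profile names, and `engine-A`/`engine-B` labels are constructed. It assumes the sandbox fallback applies when a profile has no successful policy scan, and it covers only the organization-level setting, not application-level pinning.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(days=60)  # the 60-day window stated on this page

@dataclass
class Scan:  # hypothetical record layout, not a Veracode API object
    kind: str          # "policy" or "sandbox"
    engine: str        # constructed engine version label
    finished: datetime
    successful: bool

def reference_scan(scans):
    """Latest successful policy scan; otherwise the latest successful
    sandbox scan (assumed fallback condition); otherwise None."""
    ok = [s for s in scans if s.successful]
    for kind in ("policy", "sandbox"):
        matching = [s for s in ok if s.kind == kind]
        if matching:
            return max(matching, key=lambda s: s.finished)
    return None

def resolve_engine(scans, current, now, stability_enabled=True):
    """Return (engine_version, reason) for one application profile."""
    if not stability_enabled:
        return current, "latest engine in all profiles"
    ref = reference_scan(scans)
    if ref is None:
        return current, "no prior successful scan"
    if now - ref.finished > WINDOW:
        return current, "last scan older than 60 days"
    return ref.engine, f"held at last {ref.kind} scan"

# Constructed sample data: "engine-B" is the current version.
NOW = datetime(2025, 6, 30)
PROFILES = {
    "billing-api": [Scan("policy", "engine-A", datetime(2025, 6, 10), True),
                    Scan("sandbox", "engine-B", datetime(2025, 6, 25), True)],
    "legacy-batch": [Scan("policy", "engine-A", datetime(2025, 3, 1), True)],
    "new-service": [],
    "mobile-app": [Scan("policy", "engine-B", datetime(2025, 6, 20), False),
                   Scan("sandbox", "engine-A", datetime(2025, 6, 1), True)],
}

def audit(current="engine-B"):
    return {name: resolve_engine(scans, current, NOW)
            for name, scans in PROFILES.items()}

if __name__ == "__main__":
    for name, (engine, reason) in audit().items():
        print(f"{name:13} {engine}  ({reason})")
```

Profiles reported as held are the ones that will not pick up new engine versions while the setting stays enabled.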

Allow application-level overrides

When an Administrator selects Allow each application profile to override the static engine version, application owners can control engine version usage for individual application profiles.

Configure an application-level override

For more information about editing an application profile, see Edit an application profile.

To complete this task:

  1. On the Edit Application page, open the Additional Settings panel.
  2. Under Application Settings, select Pin Static Engine Version.
  3. Select Submit.

Application profile behavior

  • When Pin Static Engine Version is selected, the application profile uses the last engine version it used.
  • When the option is cleared, the application profile uses the current engine version.

Important

When application-level overrides are enabled, each application profile retains its previous setting. The selected option is stored at the application profile level and remains in effect until it is changed.

Revert to a previous engine version

If an application has already run a scan using the current engine version and you need to revert to the previously used engine version:

  1. Delete any scans that were run using the current engine version.
  2. Enable Use last scanned engine version for each application profile.
  3. Ensure that a previous successful scan exists within the 60-day window.

Important considerations

  • Engine version stability applies only to Static Analysis scans.
  • You cannot manually select a specific historical engine version.
  • Reverting to a previous engine version is limited to versions associated with a successful scan completed within the previous 60 days.
  • Older engine versions are not supported indefinitely.
  • Veracode Support requires applications to be scanned with the current engine version before providing assistance.