Review findings
Reviewing the findings (flaws and vulnerabilities) from completed scans of your applications involves:
- Accessing the scan results, which are available in several Veracode products
- Reviewing and prioritizing the findings with your teams
- Mitigating flaws or vulnerabilities that you will not resolve
- Remediating findings you must resolve (fix) to secure your applications
The Veracode Platform uses a methodology and several analysis techniques to identify findings in your applications, and determine their severity, or level of risk. To learn about risk assessment and scoring using Veracode Risk Manager, see Using factors.
If you use Veracode products that access the Veracode Platform, such as Veracode Upload and Scan and Veracode DAST, we recommend reviewing the results in the Veracode Platform. If you perform multiple scan types on an application, such as SAST, DAST, SCA, and MPT scans, you can access all results from the Results page, and review and manage SAST and DAST findings with your teams on the Triage Flaws page.
In the Veracode Platform, the results are available in multiple reports. You can also access and use analytics data to get insight into findings for supported scan types.
If you are new to reviewing results from application security tests, or you want to review the results with your teams, we recommend scheduling a consultation with Veracode security experts. Also, before attempting to resolve findings, we recommend reviewing our guidance on developing a remediation plan.
Flaws from Veracode Pipeline Scan, and any integrations that use it for Static Analysis, are not available in the Veracode Platform.
Prerequisites
To access and review scan results or reports in the Veracode Platform, you must have:
- A license for the type of scan, such as Static Analysis or SCA, for which you want to review findings.
- A Veracode account with one or more of the following roles:
  - Administrator
  - Reviewer
  - Sandbox User
  - Security Lead
  - Executive
- An application scanned using either the Veracode Platform or an integration that accesses the Veracode Platform, with the scan results available in the Veracode Platform.
- To access DAST scan results, the results must be linked to the application profile. See the instructions for DAST Essentials or Dynamic Analysis.
- To access SCA scan results from SCA Agent-based Scan, the SCA project must be linked to the application profile.
Access VRM results
Veracode Risk Manager manages findings as issues. See Access and review issues in Veracode Risk Manager.
Access MPT results
After Veracode security experts perform Manual Penetration Tests (MPT) on your applications, access the results in the Veracode Platform.
Access Container Security results
After running a Veracode Container Security scan, access the results using the Veracode CLI or in the Veracode Platform.