The tool returns an exit code, which can be used to fail a build.
By default, if one or more security issues are found, an exit code of 1 is returned. Otherwise it returns an exit code of 0.
The tool can also be configured to tolerate more than one security issue in the source code. This is done with the --threshold option, which defaults to 1.
False positives can be ignored using the --ignore-file option. This option requires the path to a JSON file, which contains a list of all ignored vulnerabilities. Ignored vulnerabilities are identified by their code and fully qualified name. This information is available in the output of a scan.
The example below shows the format:
{
  "ignoredVulnerabilities": [
    {
      "vulnerabilityCode": "EcbCipherMode",
      "fullyQualifiedName": "BankingApp.TestFiles.EcbCipherMode",
      "note": "The reason why this vulnerability should be ignored."
    },
    {
      "vulnerabilityCode": "AllowBackup",
      "fullyQualifiedName": "AndroidManifest",
      "note": "The reason why this vulnerability should be ignored."
    }
  ]
}
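The following is an added example, not the tool's own code, showing how an ignore file in this format is applied to scan findings and how the threshold then decides the exit code. The scan findings are constructed, and the threshold semantics (fail once the count of non-ignored findings reaches the threshold) are an assumption based on the default of 1 described above.

```python
import json

# Constructed ignore file in the documented format (not real project data).
IGNORE_FILE_JSON = """
{
  "ignoredVulnerabilities": [
    {"vulnerabilityCode": "EcbCipherMode",
     "fullyQualifiedName": "BankingApp.TestFiles.EcbCipherMode",
     "note": "Test fixture that deliberately exercises ECB mode."},
    {"vulnerabilityCode": "AllowBackup",
     "fullyQualifiedName": "AndroidManifest",
     "note": "Backup is disabled by the device management profile instead."}
  ]
}
"""

# Constructed scan findings as (vulnerabilityCode, fullyQualifiedName) pairs.
SCAN_FINDINGS = [
    ("EcbCipherMode", "BankingApp.TestFiles.EcbCipherMode"),  # ignored: both fields match
    ("EcbCipherMode", "BankingApp.Crypto.LegacyCipher"),      # same code, different name: counts
    ("AllowBackup", "AndroidManifest"),                        # ignored
    ("HardcodedSecret", "BankingApp.Config.ApiKeys"),          # counts
]


def load_ignored(ignore_json):
    """Parse the ignore file into a set of (code, fullyQualifiedName) keys.
    An entry missing either identifier is rejected: a bare code would
    silently suppress every finding of that kind across the code base."""
    ignored = set()
    for entry in json.loads(ignore_json).get("ignoredVulnerabilities", []):
        code, fqn = entry.get("vulnerabilityCode"), entry.get("fullyQualifiedName")
        if not code or not fqn:
            raise ValueError(f"ignore entry lacks code or fully qualified name: {entry}")
        ignored.add((code, fqn))
    return ignored


def remaining_findings(findings, ignored):
    """Findings not covered by an ignore entry; code and name must both match."""
    return [f for f in findings if f not in ignored]


def exit_code(findings, ignored, threshold=1):
    """Assumed semantics: exit 1 when the number of non-ignored findings
    reaches the threshold, so the default of 1 fails the build on any finding."""
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    return 1 if len(remaining_findings(findings, ignored)) >= threshold else 0


if __name__ == "__main__":
    ignored = load_ignored(IGNORE_FILE_JSON)
    for code, name in remaining_findings(SCAN_FINDINGS, ignored):
        print(f"{code}: {name}")
    raise SystemExit(exit_code(SCAN_FINDINGS, ignored))
```

Note that an ignore entry only suppresses the exact code and fully qualified name pair, so the second EcbCipherMode finding above still fails the build.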