Static scanning is one component of Veracode. That feature we use heavily to scan all the custom code we write weekly. We use another component called software composition analysis to scan all of our open-source packages. These are the two primary use cases that we have for Veracode.

It flags any security flaws or bad practices. Veracode has its own database for many vulnerabilities identified on the SCA side. They use a tool called SourceClear, which validates vulnerabilities in any of these packages. The scanner itself is pretty good at identifying some of the flaws in either the code or the open-source packages.

Our organization is more secure than without Veracode. It has improved our security posture because we're running it. It's hard to gauge what that would be without it because we haven't had any security issues since I joined the company.

Veracode is very good at ensuring compliance with industry standards. It has helped us fix flaws. We know what's there, and there's generally a decent explanation for fixing each flaw. It's a quicker time to market. It's easy to figure out the problem and solve it so that we don't have exposed vulnerabilities in the market.

It has helped developers save time. We generally resolve all our flaws within seven to 20 business days after they are identified. Veracode is crucial to our shift-left strategy. We have automated scans, so we scan all our code every weekend. Today is one of those days, so it's usually the time when we come in, see there's a new problem, and immediately start working on it.

Static scanning and software composition analysis are very helpful. My colleagues and I don't need to be experts on all of those ancillary things, so we can focus more on the business deliverables.

They have a pretty good tool that allows me to run scans of my local integrated development environment. I can find a lot of those flaws a lot sooner than I would if I had to wait for these cloud-based scans. They've come out with some sort of automated fix feature. I haven't used it, but they gave us a demo of it, and that one looks promising. I don't know if it's ready for prime time yet.

The usability isn't good in Veracode. Sometimes, it will show a problem, but it's difficult to go into their tool and figure out where it is. You primarily use a web browser to access their system. It requires a lot of clicks. The static analysis is a separate part of their system from the SCA, so that's a bit difficult. They haven't fully integrated that. It's difficult for the consumer.

We have used Veracode for about five years.

Veracode's stability is 50-50. They deploy new versions of their engine. Recently, the new version identified flaws in the code that were six months to a year old.

Veracode seems to scale pretty well. We scan 60 to 70 applications every weekend without any problems.

I rate Veracode's support engineers eight and their frontline support four. Their engineers are typically good and helpful. If I open a tech support ticket, I usually get a Veracode engineer. Those guys are good. I would rate their other support people poorly.

Veracode is straightforward to deploy. It's a general automated dev ops strategy. It's a responsibility shared among 20 to 30 people.

Veracode is a decent value, depending on what you're trying to achieve. It's pretty good for security flaws.

I rate Veracode six out of 10. I would recommend Veracode to others. The scanner is best in class, but the rest, not so much.

Veracode helps to prevent vulnerable code from going into production. They are providing remediation support. They provide a specific solution. If a code has any vulnerability, they provide the snippet of that code. They also provide recommendations. Their support team is very active. If you have any concerns related to the vulnerabilities, they schedule a call and resolve your issues. That is very good.

With Veracode, there are fewer false positives as compared to other tools. It provides genuine vulnerabilities. It is also user-friendly. They are not only sticking to SAST testing. They also have pen testing.

The visibility that Veracode provides is good. They provide a proper dashboard for everything. We have visibility into the application status at every phase of development - Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test. I am satisfied with it. We have not integrated it with our DevOps pipeline, but it has all the features for easy integration.

Veracode helps us to fix flaws. They provide very good recommendations. It is very easy for a developer to fix the flaws. They provide a specific solution.

Veracode has helped our developers save time. It has been very useful.

In my experience, Veracode is one of the most powerful tools available in the market from a security perspective. It is a market leader in source code analysis.

I am expecting some AI-related features in it. Also, if someone is using AI-generated code, Veracode should be able to detect that.

I have more than 12 years of experience working with Veracode.

It is stable. There are no unplanned downtimes. If they are going to have downtime because of maintenance or any other reason, they communicate that to you a week before. They not only inform you by email. They also alert you through their portal.

Their support is good. I would rate them a ten out of ten.

I work with almost all the tools available in the market. Its competitors are AppScan and Fortify. Synopsys is also there, and Checkmark is also there.

Veracode is the best tool as of now. That is because of the quality of the product and technical support. Veracode supports all the testing options.

Veracode is a leading tool in the market for code security. It is all about the source code review from a security perspective. It identifies the vulnerabilities in the source code. Apart from this, they also provide services for run-time code. If you have your application in production, it can also find vulnerabilities in that. They also support software composition. If your application is using a third-party library, they can identify the vulnerabilities in that.

It is straightforward. It is easy to deploy because it is a cloud-based service. It does not take long.

They are a mature company. They have already worked a lot on all the things. They keep on coming up with new features. Their R&D team is very good.

The ROI is in terms of time savings and security. If an attack happens because of a vulnerability, it costs a company and impacts its reputation. No one should be compromising on security.

As compared to others, it is a costly solution. It is overpriced, and many organizations with a limited budget cannot afford it. That is why they are going for other tools, but those tools are not that effective. Veracode is better in terms of quality. If you want good service, you have to pay for it.

I am working at a consultancy, and I did a PoC with five or six top tools in the market. I found Veracode to be the best in every aspect.

I am currently looking for some AI-powered tools. I am exploring the AI capabilities of various tools.

Overall, I would rate Veracode a nine out of ten. With AI capabilities, it would be a ten.

We are quite new to security systems. We have not adopted Veracode at the enterprise level. We are using the GitHub Advanced Security system. We were looking for static code analysis or software configuration analysis tools in the market. That is when we explored Veracode.

We want to centralize our security systems so that any repository that developers are using or creating in our organization follows the same set of standards. We want to have all the security checks and all the static code analysis done at the same level and with one client.

We have had challenges with security because developers come from different organizations and different backgrounds. They have different ways of coding. Based on their experience, they write the code, but there is a very high chance of having vulnerabilities in their code. The PR reviews used to take a lot of time for the reviewer. By implementing such a solution at the enterprise level, we assume that we will save a lot of time for developers and code reviewers because everything will be done by the tool. It will impact us a lot.

Veracode is quite good. It checks the security vulnerabilities in our packages. It discovers them very nicely, but it is not a tool for improving code quality. It does not provide very good static code analysis.

Veracode's policy reporting is fine for ensuring compliance with industry standards and regulations.

Veracode provides visibility into application status at every phase of development.

Veracode saves our developers' time. They are not doing manual PR reviews. It has saved about 20% of the time because we are still in the adoption phase.

We have a lot of confidential data of clients. We do not want our application to be exposed outside. We have configured a code quality gate, so before production itself, it blocks the PR deployment and allows it once all the security checks are passed.

Veracode is one of the tools that helps to verify external dependencies. Veracode helps a lot there.

One thing that I like about Veracode is that it is quite a good tool for dynamic application testing. It is a little bit better than DeepSource and SonarQube in terms of software composition analysis and dynamic application testing.

When I was looking into it, my initial impression was that it has a good UI as compared to other competitors.

A negative issue I found is that it has a subscription-based model.

If Veracode can provide static analysis in terms of how we can improve the code quality, it will be quite a good feature.

I have been using Veracode for 2 years.

It is quite stable.

We have not deployed it on our on-premise system, so it is quite scalable. There are no issues with that. I would rate it a 6 out of 10 for scalability.

We have not used their support extensively, but when we were choosing Veracode, I felt that they have a very good support system. The support they provided was good.

I also work with SonarQube. I did not switch from SonarQube to Veracode. We are using a combination of both because SonarQube provides good code quality, but Veracode does not. Veracode provides very good dynamic application testing and software configuration analysis, but SonarQube does not. A combination of both is meeting our needs.

Configuring SonarQube at the cloud level based on our requirements is quite challenging. The support is based on the community. It is not something we consider as an enterprise-level tool, whereas this is not the case with Veracode. These things are better in Veracode.

I was not involved in its deployment. I am in the quality team. The DevSecOps team takes care of its deployment. That team has 8 to 10 people.

It does not require any maintenance. Everything is done automatically by the vendor.

Everything was done in-house.

It is too early for that, but Veracode will save us development effort and time. That will be the return on investment for us in the future. We will be able to measure its overall cost-effectiveness by comparing what we are paying for the service and how much developer time it is saving.

We are still considering it at the enterprise level. It has a subscription-based model. We find its price a little high based on the features it provides. In addition to the standard licensing costs, there are no additional costs.

To someone who is looking at Veracode but is concerned about the price, I would recommend exploring it themselves. They might not need the same features that we need. They might be looking at some other aspects of security. I would recommend exploring it and doing a price evaluation based on their needs.

We also explored DeepSource for some time, but we did not go for it. The functionality that DeepSource provides is somewhere between Veracode and SonarQube. Veracode was a little bit better, and that is why we went for Veracode.

We do not use the free access to Veracode's Application Security Consulting team, but we are planning to use it. We have not yet used the Veracode Fix feature that produces AI-generated fixes. It is a new feature.

The fact that Veracode does not scan source code, only binary code, does not concern us. We are using multiple tools. Veracode is one of them.

Overall, I would rate Veracode a 7 out of 10. We are still adopting Veracode. We have not gone through all the features that Veracode provides. Its rating would probably increase after a few months of use. I would recommend Veracode to others.

We use the solution for identifying bugs before deployment in the software-side cycle process.

It can be integrated with our CL and CDProp pipeline, and it can be used with multiple integrations in our Visual Studio Code editor. That's the main use case.

We've saved a lot of time since using Veracode. We've also been able to cut down on costs since we require a lot of penetration tests for testing our software. Veracode helps us drastically reduce these costs. We've cut our costs down by 40%.

The solution provides us with a feature that we can directly use with static and dynamic analysis. With static analysis, we can use it while the app is not running, and with dynamic analysis, we can scan our application while it is running. It provides efficiency and also saves a lot of time for penetration testing and bug testing.

The capabilities of the analysis of the code base can help us effectively detect potential vulnerabilities. This is the most valuable feature we found. It can be integrated with multiple code editors, and it can also be integrated with various CI/CD pipelines.

The dynamic analytics is efficient. It helps us identify bugs while the app is running. We find that this ability is way better than its competitor.

Our impression of the solution's ability to prevent vulnerable code from going into production is positive. Prior to Veracode, we used to deploy our apps, and it used to be an expensive process to fix the bugs and all the potential vulnerabilities after deployment. Now, we have access to AI. It has AI tools, which have been trained with a lot of data sets. It helps us to detect bugs and fix them.

We use the free access to VeriCloud's application security consulting team. The consulting team has helped us a lot, and we've had positive experiences with the vendors. It is efficient and very fast. It takes less than two or three days, and they always respond positively. They are really fast at solving our problems. It's important for us to have access to an application security consulting team at no extra cost.

We use Veracode's AI-generated fixes. They make fewer errors and are very accurate. We've had a very positive experience. They've saved approximately seven hours of debugging and error finding versus the manual penetration testing process.

The solution's policy reporting for insurance compliance with industry standards and regulations is very helpful. It's fast as well. The team helps us at every step of the product life cycle. They provide us with very useful visibility into things like static analysis, composition analysis, and manual penetration. It significantly helps us to reduce the time that we have to manually fix the bugs, and it also provides us with an efficient solution for future cases via past analysis through its data algorithm. We've saved six to eight hours compared to manual fixing.

Veracode has had a positive impact on our organization's ability to fix flaws compared to the prior. It has reduced our costs and time, and it has also provided us with multiple security functions. That, and it's made our application a lot more secure. It really helps our devs free up time due to less debugging needed on their part.

The solution has helped us a lot with our overall security posture. Many security features were fixed prior to release, and we've been able to reduce manpower and employee count. We've reduced teams from six or seven people to two or three.

The integration capabilities with our existing development tools are very good. The integration process was easy. It has stable APIs.

The solution does take a bit more time when we use it for multiple processes. When we use it for a single process, it takes up less time. The cost also goes up when we use it for multiple processes.

I have been using the solution for six months.

The solution is very stable. We haven't come across any bugs.

Our security team of three uses the solution.

It's great for scaling. We can use it on multiple projects which involve multiple security flows.

Technical support has been very fast and efficient. The team helps us at every phase of the development cycle.

We did not use a different solution. Previously, we relied on manual testing.

We deployed the solution in about three months. We had a team of eight working on the implementation. During the process, I was in charge of, IT was in charge of security, and the AI algorithm.

We don't require any maintenance.

Even after six months, we've seen an ROI. In terms of resources, it's great for cost-cutting. It also generally cuts costs by 40%.

The pricing is moderate for particular processes. However, if we take an entire process in general, it can be costly. It's more economical to use it for single purposes instead of generalizing processes.

Thanks to its algorithm, Veracode is an on-demand service that can be very cost-effective. With so many features, we no longer require many people to test.

If they are worried about pricing, people should try out their demo feature, which is available online. That way, they can demo and evaluate how it would work for them. If it works for their team and product, they may find it can optimize their processes. Of course, it depends on the use case.

I'd advise colleagues considering Veracode to evaluate the specific requirements for their application and do an in-depth analysis. I would recommend it as a product.

I'd rate the solution ten out of ten.

We use Veracode mainly for legacy software audits.

The most valuable feature of Veracode is the binary scan feature for auditing, which allows us to audit the software without the source code. Veracode's most valuable feature is the verified vulnerability database, and we can do a full software audit at our company, including all of the systems.

Veracode should provide more flexibility in its pricing and licensing modules so that it could be more affordable for all types of projects and not only for very active mission-critical projects.

With the solution's security audit feature, an enterprise should be able to cover all of its applications with the desktops. Veracode is simply too expensive for that. If you know about the price of a web application, and if you multiply it by 1,000, the return on investment doesn't work. It's okay for one or two projects running very fast, but it doesn't work for all the legacies. So, it's a huge amount of money.

There should be some lighter tool that allows you to do some audit scanned one time. Only ten percent of the applications are actively developed. About 90% of the other applications have no projects or budgets, but we are still vulnerable. It is too much if you buy it for all of that.

I have been using Veracode for three years.

Veracode is a completely stable solution, and we had no problems with its stability. The solution was a bit slow, but it was stable.

We didn’t face any issues with the solution’s scalability.

We know only one person from Veracode, and he supported us when we had issues, and he was able to solve everything.

We have previously used Checkmarx. Veracode's pricing is cheaper than Checkmarx, and it has some unique features like binary scan. In Hungary, Checkmarx is installed more than Veracode.

The solution’s initial setup was very easy. Only one or two people are needed for the initial setup of the solution.

Veracode is a very expensive product.

Veracode can list a lot of vulnerabilities, but processing all of them is a time- and resource-intensive process. I think Veracode has no innovative features because a lot of other software can do that. In our opinion, innovative features are a commodity with Veracode, but they are doing a good job.

The solution's ability to provide visibility into application status at every phase of development is valuable. It can be faster, but it can also slow down because our backlog may be much longer. There will be a lot of vulnerabilities or false positives that have to be processed. So, it is not black and white, but it is safer. Veracode has helped our developers save time.

Veracode has had a very low impact on our organization’s overall security posture because it is a very expensive product. An enterprise with 1,000 applications uses the solution for one or two applications. Veracode does not need any maintenance because it's cloud-based.

Veracode is very important to our organization’s shift-left security strategy when we have a project with enough sources to provide the license. I use Veracode’s cloud version. The return on investment with Veracode is good for one or two mission-critical projects running in the company. For other things, users should use open-source solutions or much cheaper products like SonarQube that are not as good as Veracode.

The fact that Veracode scans only binary code and doesn't scan source code concerns me sometimes. Sometimes, we have to do some source repository audits. We cannot use Veracode for source repository audits because it scans only binary code. I would recommend Veracode to other users.

Overall, I rate the solution ten out of ten.

We use Veracode to scan the applications.

Veracode's ability to prevent vulnerable code from entering the production environment is good.

Using Veracode's ASC team is easy. I can send them an email and arrange a call from the app. They were helpful when I had issues or questions about using the app.

Free access to the ASC team is a significant advantage because they possess in-depth knowledge of the product and are readily available for assistance.

It is innovative when it comes to features.

Veracode helps our organization with security scanning. We realized the benefit of Veracode as soon as it was deployed.

The policy reporting is valuable because it provides two key benefits: first, it generates a security score for our application. Second, it offers comprehensive reporting that details both the vulnerabilities found and the potential risks they pose to our application.

Veracode can provide visibility into application status at every phase of development.

It assists our application team in fixing flaws by identifying issues and guiding the team toward resolving them.

Veracode helps our developers save time by ensuring the code is secure.

Veracode helps us improve our overall security posture. When a Veracode report shows no vulnerabilities, it indicates a strong security position. This allows the security team to sign off on approvals more efficiently, as a clean Veracode report is a key factor in their evaluation process.

Veracode is a valuable tool for a shift-left security strategy. It helps save overall development time, money, and effort by identifying and resolving security vulnerabilities early in the development lifecycle.

I find Veracode's SASD feature to be the most beneficial because it enables us to proactively identify security vulnerabilities in our application code before deployment. This static analysis helps ensure a secure application rollout across all environments.

The scanning takes a lot of time to complete.

Veracode offers comprehensive visibility into application security throughout the development lifecycle. However, due to cost constraints, we are not currently utilizing all available analysis types.

I would like Veracode to introduce infrastructure as code scanning.

Instead of relying on emails, it would be beneficial if Veracode offered a built-in tool for logging and managing issue tickets.

Veracode sometimes performs maintenance without notifying clients in advance, which can cause disruption.

I have been using Veracode for two years.

For the most part, Veracode is stable but there are times when we have downtime due to maintenance that we are not informed of.

I would rate the scalability of Veracode nine out of ten.

Technical support has been great at fixing any issues I've had.

My client in the banking industry previously used Black Duck before switching to Veracode.

Veracode's end-to-end testing offers a significant advantage over other solutions by providing a comprehensive security solution. This includes capabilities for static analysis, dynamic scanning, and even penetration testing. However, the cost associated with dynamic scanning and penetration testing may deter some clients from utilizing these features.

I don't have firsthand knowledge of Veracode pricing, but based on client feedback, it seems to be expensive with additional fees for certain features.

I would rate Veracode eight out of ten.

Maintenance is performed by Veracode.

During a Veracode evaluation, consider the following factors: Evaluate the time required for Veracode to complete a scan. Faster scans allow for quicker feedback and integration into development workflows. Consider the overall cost of Veracode, including licensing fees and any associated charges for scans. Assess Veracode's orchestration tools, particularly its compatibility with your existing CI/CD pipeline. Ideally, Veracode should offer seamless integration for easy adoption. Evaluate the availability and variety of connectors Veracode offers for integration with your development tools. A wider range of connectors simplifies the integration process.

My company produces one of the most secure fabrics that you can find. Veracode is integrated into our development cycle through Jira. We do a full static analysis with Veracode and use Burp Suite to review the findings. The most common attack vector we find in Java code is SQL injection. When SQL injection shows up, you send a screenshot and a report to your executive team. They see the screenshot and say, "Oh, they're seeking injection here."

This has now become a top priority. We're going to pause all these redundant features that we're making here and ensure our code is secure with no SQL injection vulnerabilities. Veracode finds everything, and the security engineers do the penetration test using the results. You provide a report showing where the issue is, and developers can fix it. We also use Veracode to train security engineers and teach them how to file reports.

My case is different from other individuals. I worked for a startup, so we had to find a way to capitalize on all the resources in Veracode. Larger organizations are not leveraging the built-in dashboard. That aspect is what people want to know about. They want to see how their money is being spent on security. The biggest problem with security is getting funding. None of these executives believe anything these users are saying until they can see the results.

They want that dashboard report. In less than three weeks, a junior security engineer can learn to create a dashboard easily that will allow the organization to stay on top of the most important things. They need to show the stakeholders that we're doing something here. They'll get the certification and see the dashboards. You now have something that's actually worth $2,000. With these other ones, who knows what you'll get.

It allows us to provide a certificate showing stakeholders and potential customers the proof that we take security seriously. Everyone says that they're on top of their security and have all these things in place. In a sales call, we can immediately respond to any questions about our security posture by pointing them to a link showing that your company was among the few companies that completed the full certification process. Veracode has four levels of certification, and we are at level three, I believe.

To my knowledge, Veracode is the only real devSecOps pipeline that captures every component of the software delivery cycle, from sandbox and staging to development and production. You need to go through those four phases and ensure the code is secure by the time it hits production. Veracode handles all those phases seamlessly and can be automated with Jenkins.

Veracode is highly efficient at fixing flaws. A single person can go through and do a penetration test after collecting the data from Veracode. Instead of telling developers where the issue is, they can show them in the code editor for the static analysis. They can assign tasks to the team using Jira, so developers almost never need to do that work. They actually almost never go back and fix any of these vulnerabilities. That's why I was my company's most hated and most loved man. I forced them to do it.

I like Veracode's API. You can put it into a simple bash script and run your own security testing from your MacBook in less than 15 minutes. Veracode's application security consulting team is very helpful. They're responsive and follow up quickly.

Veracode would benefit greatly from more training resources. The videos are great, but I would like more hands-on training writing a script, validating a script with a unit test in a different language, etc. That's something that would be very valuable.

We have used Veracode for more than four years.

Veracode is highly stable. It very rarely crashes.

I rate Veracode support 10 out of 10. Their customer support is incredible. If I have any issues, I can immediately connect with their support team and have a real working solution within one week.

Deploying Veracode is easy. I had the best customer success manager at Veracode helping me. After deployment, Veracode requires little maintenance.

Veracode is inexpensive and cost-effective. The licensing model is unambiguous. You know what you are getting. They also give you several seats for training. That's why it would benefit them to improve the training because more people could take advantage of it and use certifications. Some certifications for other products don't have much real value, but Veracode is a product many companies use, so it could help people get jobs.

If you're concerned about the cost, you should meet with a representative to talk about pricing. Veracode is flexible, and they're willing to let companies try the platform or test different features. They will work with companies to get to the point where they'll use it.

I used JFrog X-ray with homegrown scripts for testing the code. It was terrible. We chose Veracode because it is more scalable. We could run scans on any code, and it was reliable. Also, their documentation was up to date. With other software providers, you would find an issue in the documentation, and they would backtrack, saying, "Oh, no one's using that."

Veracode immediately responds to the community. You have people in the community supporting each other and suggesting new features. Software providers say they're open to suggestions. Veracode will quickly get something from the community and immediately put it into development. JFrog has the same stuff as they did four years ago. They haven't changed anything.

I rate Veracode 10 out of 10. Veracode is constantly changing and improving.

We use Veracode for static application security testing, dynamic testing, and software composition analysis. My company's engineering team has about 50 people who use Veracode across multiple product lines.

The main benefit of Veracode is that we can deliver better, more secure software. Our customers also trust Veracode. When we share the Veracode report, they see that we have gone through all the due diligence.

Veracode aligns with SOC, ISO, and other types of certifications. It helps with compliance that Veracode has all these reporting formats. The solution provides visibility at every stage of development. We have automated almost everything through integration with Jenkins. As soon as the developer commits, it triggers the static scan for the main branches. We don't need to trigger the scan manually or do a follow-up to see if it's done scanning.

The solution saves time by reporting issues and recommendations that help developers fix the reported vulnerabilities faster. I estimate that it improved developer productivity by about 10 percent.

Veracode has good support for microservices, and I also like the sandbox environment. For example, when introducing a new component, we can scan it in a sandbox environment. It will not impact the main environment. When our team fixes it, they. can push it to the production environment when the results are acceptable.

The solution effectively prevents vulnerabilities from entering production. We've drastically reduced our third-party VAPT-reported issues. Before Veracode, the third-party VAPT analysis reported hundreds of issues per application. Now it's down to about 20, and Veracode can address most of them.

The interface is one thing I find a little challenging. Veracode's interface feels a little outdated compared to other solutions, and it could be modernized. I'm mostly happy with the features, but Veracode could add Docker image scanning.

I have used Veracode for about six years.

Veracode seems stable. I don't recall facing any issues.

Veracode is scalable.

I rate Veracode support eight out of 10. They are quite good at responding to issues.

We tried AppScan and Snyk. From an integration perspective, Snyk is a little better integrated with our pipelines and ticketing system.

I can't recall the deployment well, but I think it was straightforward. Veracode requires no maintenance after deployment.

I have not calculated the return on investment, but I think it's at least 200 percent.

We aren't paying the listed price. We get some discounts, but we get a lot of value from it regardless of what we're paying. We look at the overall cost of what we would spend without a tool like Veracode. The longer you delay fixing security vulnerabilities, the more it will cost you during the later stages. By integrating it into the development cycle earlier, it helps to keep total costs lower.

We evaluated multiple scanning solutions before choosing Veracode, and we perform a mandatory comparative analysis annually. Veracode's scanning engine is more innovative and provides a more detailed analysis relative to Snyk and AppScan. It performs much better in terms of the number of issues discovered.

I rate Veracode 10 out of 10. When implementing Veracode, you need to develop a workflow or a process. It becomes easier if you have that in place. For example, you can create a workflow where you scan inside the sandbox and approve those fixes before moving to production.

Also, you should have separate people for raising issues, remediation, and approval. That way, you will have some control over which issues are mitigated and for what reason. That process flow has to be set up properly. Another aspect of successful implementation is automation. Your team needs to invest time in automating and embedding scanning in your pipelines.