CodeScan SCA Results

Updated 15 hours ago by Copado Solutions

Whenever you run a static code analysis, Copado generates an SCA Result record. To locate the latest SCA Results from a User Story or an Org Credential, navigate to the Static Code Analysis Results related list.

Let's take a look at the different sections and fields you can find in a Static Code Analysis result record.

  • Details: This field contains the link to review the CodeScan violations on the CodeScan site.
  • Score: This field shows the aggregate score of all rule violations. The score of a rule violation is calculated by subtracting the priority number of the violated rule from 6. Violated rules with a high priority (a low priority number) therefore produce a high static code analysis result, which means that the higher the result, the more probable it is to reach the maximum static code analysis score.

Each violation is classified as one of the following types:

  • Bug (Reliability domain).
  • Vulnerability (Security domain).
  • Code Smell (Maintainability domain).

Each violation has one of the following severities, each mapped to a priority number:

  • Blocker: Priority 1. Bug with a high probability to impact the behavior of the application in production.
  • Critical: Priority 2. Either a bug with a low probability to impact the behavior of the application in production or an issue which represents a security flaw.
  • Major: Priority 3. Quality flaw which can highly impact the developer productivity.
  • Minor: Priority 4. Quality flaw which can slightly impact the developer productivity.
  • Info: Priority 5. Neither a bug nor a quality flaw, just a finding.


Closed issues will have one of these two resolutions:

  • Fixed: When a subsequent SCA Analysis run shows that the issue has been corrected or the file is no longer available.
  • Removed: When the related rule is no longer available.

Resolved issues will have one of these two resolutions:

  • False Positive
  • Won't Fix

An issue can have one of the following statuses:

  • Open: Set by SonarQube on new issues.
  • Confirmed: Set manually to indicate that the issue is valid.
  • Resolved: Set manually to indicate that the next analysis should Close the issue.
  • Reopened: Set automatically by SonarQube when a Resolved issue hasn't actually been corrected.
  • Closed: Set automatically by SonarQube for automatically created issues.
