Frequently Asked Questions
Common questions about Codeward's philosophy, features, and configuration.
Why only diff findings by default?
Focusing on newly introduced issues means:
- Developers see only what they need to fix
- Existing backlog doesn't block PRs
- Remediation is tracked separately
Can I scan the full codebase?
Yes. Run with CODEWARD_MODE=main (the default), which scans a single branch, and include existing in your changes filter so that pre-existing findings are reported alongside new ones.
How do I allow-list a specific CVE?
Combine your severity rule with a ne (not-equal) rule on VulnerabilityID:
{
  "rules": [
    { "field": "Severity", "type": "eq", "value": "CRITICAL" },
    { "field": "VulnerabilityID", "type": "ne", "value": "CVE-2024-ACCEPTED" }
  ]
}
How do I block only direct dependencies?
Enable dependency tree and filter by relationship:
{
  "global": { "dependency_tree": true },
  "vulnerability": [{
    "operator": "AND",
    "rules": [
      { "field": "Severity", "type": "eq", "value": "CRITICAL" },
      { "field": "Relationship", "type": "eq", "value": "direct" }
    ]
  }]
}
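To see how the two filters above (the CVE allow-list and the direct-dependency filter) behave against findings, here is an added evaluator written for this FAQ; it is not Codeward's own code. It assumes eq means "equal", ne means "not equal", and operator AND requires every rule to match; the sample findings and the CVE-EXAMPLE-* identifiers are constructed placeholders.

```python
# Added example: evaluates Codeward-style rule filters against findings.
# Assumed semantics (not confirmed by the FAQ): "eq" = equal, "ne" = not
# equal, "AND" = all rules must match, anything else = any rule matches.

# The two filters from the FAQ answers above (the allow-list one wrapped
# with the same "operator" key the direct-dependency example uses).
ALLOWLIST_FILTER = {
    "operator": "AND",
    "rules": [
        {"field": "Severity", "type": "eq", "value": "CRITICAL"},
        {"field": "VulnerabilityID", "type": "ne", "value": "CVE-2024-ACCEPTED"},
    ],
}

DIRECT_ONLY_FILTER = {
    "operator": "AND",
    "rules": [
        {"field": "Severity", "type": "eq", "value": "CRITICAL"},
        {"field": "Relationship", "type": "eq", "value": "direct"},
    ],
}

# Constructed sample findings, shaped like the JSON array output the FAQ
# describes; the CVE-EXAMPLE-* ids are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    {"VulnerabilityID": "CVE-2024-ACCEPTED", "Severity": "CRITICAL", "Relationship": "direct"},
    {"VulnerabilityID": "CVE-EXAMPLE-0001", "Severity": "CRITICAL", "Relationship": "direct"},
    {"VulnerabilityID": "CVE-EXAMPLE-0002", "Severity": "CRITICAL", "Relationship": "indirect"},
    {"VulnerabilityID": "CVE-EXAMPLE-0003", "Severity": "HIGH", "Relationship": "direct"},
]


def rule_matches(rule, finding):
    """Apply one rule to one finding under the assumed eq/ne semantics."""
    actual = finding.get(rule["field"])
    if rule["type"] == "eq":
        return actual == rule["value"]
    if rule["type"] == "ne":
        return actual != rule["value"]
    raise ValueError(f"unsupported rule type: {rule['type']}")


def finding_matches(filter_cfg, finding):
    """Combine the rules with the filter's operator (AND = all, otherwise any)."""
    combine = all if filter_cfg.get("operator", "AND") == "AND" else any
    return combine(rule_matches(r, finding) for r in filter_cfg["rules"])


def blocking_ids(filter_cfg, findings):
    """Return the VulnerabilityIDs a filter would flag as PR-blocking."""
    return [f["VulnerabilityID"] for f in findings if finding_matches(filter_cfg, f)]
```

Note that the ne rule only acts as an allow-list because it is ANDed with the severity rule; on its own it would match every finding that is not the accepted CVE.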
Is the JSON schema stable?
Yes. JSON outputs are always arrays with stable structure. New fields may be added (additive changes only).
How do I post to Slack/Teams/other webhook?
Use the url: destination:
{ "format": "json", "destination": "url:https://hooks.slack.com/..." }
Process the payload with your webhook handler.
Why no SARIF export?
Codeward focuses on actionable, diff-aware output. SARIF can introduce noise. JSON outputs provide equivalent data for automation.