veracode · julz0815 · Jan 6, 2026 · Jan 6, 2026 · Mar 20, 2026
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,4 @@
 .DS_Store
-node_modules
+node_modules
+example/*
+delete_issues.js
diff --git a/README.md b/README.md
@@ -51,6 +51,8 @@ The tool will need some information passed to it as parameters (many are optiona
     * Default is 'directory'
 
 * Optional
+  * policy
+    * **Strongly recommended**: Policy name from the Veracode platform to use for policy evaluation. The policy name will be automatically URL encoded (e.g., %26 for &, %2F for /) when downloading and using the policy. If a policy is not specified, the policy shield on the Veracode platform will remain empty and the action will not be able to make a decision on whether the workflow step should fail based on policy violations. The policy will be downloaded as a `.rego` file and attached to all scan commands.
   * fail_build
     * Fail the build upon findings. Takes true or false
   * debug
@@ -83,6 +85,7 @@ The basic yml
             type: "directory"
             source: "./"
             format: "json"
+            policy: "My Policy Name"
             debug: false
             fail_build: true
   ``` 

diff --git a/action.yml b/action.yml
@@ -46,9 +46,12 @@ inputs:
     default: 'CLOUD'
     required: false
   generate_sbom_output:
-      description: 'Generate SBOM files as part of the scan'
-      default: 'true'
-      required: false
+    description: 'Generate SBOM files as part of the scan'
+    default: 'true'
+    required: false
+  policy:
+    description: 'Policy name from Veracode platform to use for policy evaluation. The policy name will be URL encoded automatically (e.g., %26 for &, %2F for /).'
+    required: false
 runs:
   using: 'node20'
   main: 'dist/index.js'