We have set up the PDM deployment pipeline to run the Rule Security Analyzer for the RAP that is being deployed; however, we can see that it is always running in the context of the Application. We have already investigated and assigned the risk as low/not applicable for most of the results, and for some, as justified, but every time the RSA runs it points out the same issues in the report and we have to exclude those from the list manually. We want to understand if we can run the RSA only in the context of the imported RAP, instead of the entire app.
@Ajit Kumar Create a dedicated “RAP Scan” application that includes only the ruleset versions delivered by the imported RAP (and nothing else from the main app stack). Update the PDM pipeline so the RAP is imported into this scan app first, then run the Rule Security Analyzer step using that scan app as the application context. Because the scan app contains only the RAP content, the RSA report will be limited to the imported rules and will stop repeating findings from the broader application. This removes the need to re-exclude the same legacy items on every run and keeps the results focused on what is actually being deployed.